IETF Logo Mail Archive

Re: [manet-dlep-rg] DLEP session establishment

Teco Boot <teco@inf-net.nl> Tue, 12 November 2013 18:04 UTC

Return-Path: <teco@inf-net.nl>
X-Original-To: manet-dlep-rg@ietfa.amsl.com
Delivered-To: manet-dlep-rg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C4E011E8163 for <manet-dlep-rg@ietfa.amsl.com>; Tue, 12 Nov 2013 10:04:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.763
X-Spam-Level:
X-Spam-Status: No, score=-2.763 tagged_above=-999 required=5 tests=[AWL=-0.560, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g-iAXQeWrukO for <manet-dlep-rg@ietfa.amsl.com>; Tue, 12 Nov 2013 10:04:31 -0800 (PST)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id DB2E611E8104 for <manet-dlep-rg@ietf.org>; Tue, 12 Nov 2013 10:04:30 -0800 (PST)
Received: by mail-ee0-f44.google.com with SMTP id d51so1239751eek.31 for <manet-dlep-rg@ietf.org>; Tue, 12 Nov 2013 10:04:29 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=D7g59i2ETJUUoN2dyo+ku+No6fBgFBW3Fk6MiwX5ZnQ=; b=BZ0cDecdwmLH28SAWvCKIKxJlzfWpDZcRYtG/VBE1nsweql5FR86LawiKVeAvKn6uP Fi+WIOd1ZEQIv040592iKdC5hoqlTdXTCEvCnFc60H2tu3PwpW2OQMPQYTWbg9w2OtbU e0UfXyGgmbw6/tt2jla8MIPoUFUpSctvJ5qMJqHoq1S+uc6paHcAdbObpeG0aswN7WBV TFQythTA+SpfWCgU907gNUwgJA/0b5IvXAYBjvt3g37IN1/wVrfsQ3EpcMNAv+QwkWi6 JYWYHPIFSO2Ec2qimgLAL1AJeHxc/ta6nGSj0UEXauFrOlhFmRtzV/hDbOOrvS3t/KKH bBRw==
X-Gm-Message-State: ALoCoQlWIKX7sNSppizdg9xChbT+VE/E8XTW1JWawzYQBYJl/8jHqyD14C7AGPbQqo+MZpPwEkDW
X-Received: by 10.14.214.73 with SMTP id b49mr2984227eep.89.1384279469611; Tue, 12 Nov 2013 10:04:29 -0800 (PST)
Received: from [10.175.173.29] (524A14A4.cm-4-3a.dynamic.ziggo.nl. [82.74.20.164]) by mx.google.com with ESMTPSA id i1sm78494108eeg.0.2013.11.12.10.04.28 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 12 Nov 2013 10:04:28 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1816\))
From: Teco Boot <teco@inf-net.nl>
In-Reply-To: <B177F831FB91F242972D0C35F6A0733106FB0664@SUCNPTEXM01.com.ad.uk.ds.corp>
Date: Tue, 12 Nov 2013 19:04:27 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <F825BC3B-D19C-4C17-A9B2-B12F3A8F1797@inf-net.nl>
References: <72FB622921C13746AD6349E70A8D9F307D9192F7@EXC-MBX03.tsn.tno.nl> <CAK=bVC85XAXR3Zkwq+JwELF-dvgrKwbowWCvwvnjeVn7VStnbw@mail.gmail.com> <72FB622921C13746AD6349E70A8D9F307D9193CD@EXC-MBX03.tsn.tno.nl> <5A8A5085482DA84995F4E70F5093AB50268E6C@XCH-BLV-503.nw.nos.boeing.com> <B2BA430A-F4E6-4DED-A7BB-7282A22802B7@inf-net.nl> <D02397F1-9D1B-4B36-81D0-4585ACDBA34A@gmail.com> <5D184300-2D97-4EC1-8D91-76D4A79B2BDA@inf-net.nl> <DDAE98C5-520E-4F8F-9F9B-2AB9A15A70EF@cisco.com> <0541163b-2d1c-4afd-ad06-ba9a25744310@SUCNPTEXC01.COM.AD.UK.DS.CORP> <B177F831FB91F242972D0C35F6A0733106FB0425@SUCNPTEXM01.com.ad.uk.ds.corp> <a277b38b-4805-407b-a947-789c0edc2ec6@SUCNPTEXC01.COM.AD.UK.DS.CORP> <B177F831FB91F242972D0C35F6A0733106FB05B3@SUCNPTEXM01.com.ad.uk.ds.corp> <2c2cf7a7-8b8f-4f09-9336-02ffc95cb2c9@SUCNPTEXC01.COM.AD.UK.DS.CORP> <B177F831FB91F242972D0C35F6A0733106FB0664@SUCNPTEXM01.com.ad.uk.ds.corp>
To: "Taylor, Rick" <Rick.Taylor@cassidian.com>
X-Mailer: Apple Mail (2.1816)
Cc: "DLEP Research Group (manet-dlep-rg@ietf.org)" <manet-dlep-rg@ietf.org>, Stan Ratliff <sratliff@cisco.com>
Subject: Re: [manet-dlep-rg] DLEP session establishment
X-BeenThere: manet-dlep-rg@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DLEP Radio Group <manet-dlep-rg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet-dlep-rg>, <mailto:manet-dlep-rg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/manet-dlep-rg>
List-Post: <mailto:manet-dlep-rg@ietf.org>
List-Help: <mailto:manet-dlep-rg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet-dlep-rg>, <mailto:manet-dlep-rg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2013 18:04:35 -0000

TCP 4-tupple is not enough to discard some form of blind TCP connect. There must be some sanity check.

Radio must protect itself against syn attack (no data, locked port).

Teco


Op 12 nov. 2013, om 17:21 heeft Taylor, Rick <Rick.Taylor@cassidian.com> het volgende geschreven:

> I seem to remember SCTP (which I hold in high regard) uses a cookie for its 4-way handshake on the grounds that it stops some types of spoofing attacks.
> 
> I'll re-read their rationale doc if I can find it.  I was just trying to cover some security considerations here, but it might be misplaced.
> 
> I just wonder whether replying to a broadcast with a IP address by blindly connecting to it without some way of checking what your connecting to is what you expect to be there is 'unsafe' - but you do make a good point about the TCP 4-tuple...
> 
> Rick Taylor
> 
>> -----Original Message-----
>> From: Stan Ratliff (sratliff) [mailto:sratliff@cisco.com]
>> Sent: 12 November 2013 16:04
>> To: Taylor, Rick
>> Cc: DLEP Research Group (manet-dlep-rg@ietf.org)
>> Subject: Re: [manet-dlep-rg] DLEP session establishment
>> 
>> Rick,
>> 
>> On Nov 12, 2013, at 10:45 AM, "Taylor, Rick" <Rick.Taylor@cassidian.com>
>> wrote:
>> 
>>> Hmmm... good point about complexity in the radio Stan.
>>> 
>>> I'd be okay with flipping the whole discovery process so the router
>> advertises and the radio connects.  Making the router maintain the extra
>> timer for strobing is probably more sensible.  Obviously some
>> recommendation for timing of the strobes is needed.
>>> 
>>> The handshake still stays 3-way and that covers most of my concerns.
>>> 
>>> Any comment on a cookie in the offer?
>> 
>> What is the cookie used for? I was thinking the TCP 4-tuple (Source
>> IP/Source Port/Destination IP/Destination Port) is sufficient for any
>> correlation.
>> 
>> Regards,
>> Stan
>> 
>>> 
>>> I have double checked with the 04 draft, and you have covered the
>> broadcast or configured unicast UDP address in the text, so I'm happy.
>>> 
>>> Rick Taylor
>>> 
>>>> -----Original Message-----
>>>> From: Stan Ratliff (sratliff) [mailto:sratliff@cisco.com]
>>>> Sent: 12 November 2013 15:17
>>>> To: Taylor, Rick
>>>> Cc: DLEP Research Group (manet-dlep-rg@ietf.org)
>>>> Subject: Re: [manet-dlep-rg] DLEP session establishment
>>>> 
>>>> OK, looks like my opinion is "in the rough" on this one...
>>>> 
>>>> But I'm still concerned about putting the TCP "server" code into the
>>>> (probably more) constrained modem device. So, what if we make the
>> *router*
>>>> issue the Peer Discovery (call it a Peer Advertisement) to an MCAST
>>>> address/well-known port? That Peer Discovery/Peer Advertisement would
>>>> contain the unicast IP address/port for the TCP listener. The modem
>> would
>>>> respond with the TCP SYN...
>>>> 
>>>> The router would continue to periodically "strobe" the Peer
>> Discovery/Peer
>>>> Advertisement ad-nauseum (as much as I hate that approach).
>>>> 
>>>> I'm really concerned about modem-side complexity, based on discussions
>> I
>>>> had a couple of years ago with some radio vendors who were looking at
>>>> implementing.
>>>> 
>>>> Regards,
>>>> Stan
>>>> 
>>>> On Nov 12, 2013, at 7:47 AM, "Taylor, Rick" <Rick.Taylor@cassidian.com>
>>>> wrote:
>>>> 
>>>>> Sorry for the delay, I was out of office yesterday.
>>>>> 
>>>>> My thoughts:
>>>>> 
>>>>>  Router                                        Modem
>>>>>  ===================================================
>>>>> 
>>>>> 1)                                  TCP socket listen()
>>>>> 
>>>>> 2)  <--------------------------- Peer Discovery Message
>>>>>                            UDP unicast or broadcast?
>>>>>                                     + Session Cookie
>>>>>                                   + TCP address/port
>>>>>         + Alternate reliable protocol endpoint infos
>>>>> 
>>>>> 3)  TCP connect()
>>>>> 
>>>>> 4)  Initialize (was Peer Offer) ---------------------->
>>>>>  + Session Cookie
>>>>> 
>>>>> 5)  <----------------------------------- Initialize ACK
>>>>>                                     + Session Cookie
>>>>>                              + Supported metric TLVs
>>>>> 
>>>>> 
>>>>> My reasoning, often agreeing with others:
>>>>> 
>>>>> The Modem 'advertises' its DLEP support, and therefore should
>>>>> be the one that listens for the TCP connect.
>>>>> 
>>>>> A cookie passed between the UDP discovery message and the TCP
>>>>> connection adds a little security (is this the modem I think I am
>>>>> connecting to?)  This could be extended to a full signature TLV
>>>>> in a later RFC.
>>>>> 
>>>>> The Peer Discovery message could carry additional reliable
>>>>> protocol endpoint information for non-TCP transports.
>>>>> 
>>>>> The Initialize ACK is the correct place to put the 'default'
>>>>> metric TLVs, and is sent by the modem.
>>>>> 
>>>>> A 3-way handshake seems safer to me.
>>>>> 
>>>>> I have a question over whether the Peer Discovery message should
>>>>> be unicast to a configured destination, or broadcast to all
>>>>> connected peers on a TBD port.  I prefer broadcast as it is more
>>>>> ZeroConf, but I can see use-cases for unicast to a configured
>>>>> destination for more complex topologies.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Rick Taylor
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: manet-dlep-rg-bounces@ietf.org [mailto:manet-dlep-rg-
>>>>>> bounces@ietf.org] On Behalf Of Teco Boot
>>>>>> Sent: 11 November 2013 16:29
>>>>>> To: Stan Ratliff
>>>>>> Cc: DLEP Research Group (manet-dlep-rg@ietf.org)
>>>>>> Subject: [manet-dlep-rg] DLEP session establishment
>>>>>> 
>>>>>> 
>>>>>> Op 11 nov. 2013, om 01:55 heeft Stan Ratliff (sratliff)
>>>>>> <sratliff@cisco.com> het volgende geschreven:
>>>>>> 
>>>>>>> Also, as to the Discovery: Here's what I'm writing up as we speak:
>>>>>>> 
>>>>>>> 
>>>>>>> Router
>>>>>> Modem
>>>>>>> ========================================
>>>>>>>                                  <------------------------ Peer
>>>>>> Discovery Message
>>>>>>> Peer Offer with           ------------------------->
>>>>>>> unicast IP addr/
>>>>>>> port for TCP connect
>>>>>> 
>>>>>> So this is multicast reply, telling modem to connect?
>>>>>> Why not TCP connect from router to modem? Makes more sense to me, the
>>>>>> modem is the peer offering a service.
>>>>>> Maybe add a TcpPort TLV in the Peer Discovery, this allows other than
>>>> IANA
>>>>>> assigned ports.
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>>>> *Connect on TCP socket. Router has issued TCP "listen",
>>>>>>> modem issues TCP "connect" (e.g. Modem is the TCP "client",
>>>>>>> router is the TCP "server")
>>>>>>> 
>>>>>>> Now, The modem's UDP socket can be closed.
>>>>>> 
>>>>>> Please don't.
>>>>>> 
>>>>>> 
>>>>>>> Over the TCP
>>>>>>> Socket,
>>>>>>>                                 <------------------------- Peer
>>>>>> Initialization containing
>>>>>>> 
>>>>>> TLVs/default values for ALL
>>>>>>> 
>>>>>> supported metric values - all
>>>>>>> 
>>>>>> meaning the MANDATORY ones,
>>>>>>> 
>>>>>> plus any optional metrics (right now,
>>>>>>> 
>>>>>> just Resources) that are supported.
>>>>>> 
>>>>>> Yes, here the full set TLV exchange takes place. This should not be
>> in
>>>> the
>>>>>> Peer Discovery. That's why I suggested to put this in the Peer Offer.
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>>>> Peer Initialization ACK ---------------------->
>>>>>>> MAY contain optional
>>>>>>> Layer 3 (address) TLVs
>>>>>> 
>>>>>> I'm fine with three way handshake, not with this two way. Or use TCP
>>>>>> disconnect when modem modem is not willing to accept first message
>> from
>>>>>> router.
>>>>>> 
>>>>>> Teco
>>>>>> 
>>>>>>> 
>>>>>>> .... And, everything from there is basically the same as before.
>>>>>> 
>>>>>> _______________________________________________
>>>>>> manet-dlep-rg mailing list
>>>>>> manet-dlep-rg@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/manet-dlep-rg
>>>>> The information contained within this e-mail and any files attached to
>>>> this e-mail is private and in addition may include commercially
>> sensitive
>>>> information. The contents of this e-mail are for the intended recipient
>>>> only and therefore if you wish to disclose the information contained
>>>> within this e-mail or attached files, please contact the sender prior
>> to
>>>> any such disclosure. If you are not the intended recipient, any
>>>> disclosure, copying or distribution is prohibited. Please also contact
>> the
>>>> sender and inform them of the error and delete the e-mail, including
>> any
>>>> attached files from your system. Cassidian Limited, Registered Office :
>>>> Quadrant House, Celtic Springs, Coedkernew, Newport, NP10 8FZ Company
>> No:
>>>> 04191036 http://www.cassidian.com
>>> 
>>> The information contained within this e-mail and any files attached to
>> this e-mail is private and in addition may include commercially sensitive
>> information. The contents of this e-mail are for the intended recipient
>> only and therefore if you wish to disclose the information contained
>> within this e-mail or attached files, please contact the sender prior to
>> any such disclosure. If you are not the intended recipient, any
>> disclosure, copying or distribution is prohibited. Please also contact the
>> sender and inform them of the error and delete the e-mail, including any
>> attached files from your system. Cassidian Limited, Registered Office :
>> Quadrant House, Celtic Springs, Coedkernew, Newport, NP10 8FZ Company No:
>> 04191036 http://www.cassidian.com
> 
> The information contained within this e-mail and any files attached to this e-mail is private and in addition may include commercially sensitive information. The contents of this e-mail are for the intended recipient only and therefore if you wish to disclose the information contained within this e-mail or attached files, please contact the sender prior to any such disclosure. If you are not the intended recipient, any disclosure, copying or distribution is prohibited. Please also contact the sender and inform them of the error and delete the e-mail, including any attached files from your system. Cassidian Limited, Registered Office : Quadrant House, Celtic Springs, Coedkernew, Newport, NP10 8FZ Company No: 04191036 http://www.cassidian.com
> _______________________________________________
> manet-dlep-rg mailing list
> manet-dlep-rg@ietf.org
> https://www.ietf.org/mailman/listinfo/manet-dlep-rg

v2.23.0 | Report a Bug | By Email