IETF Logo Mail Archive

Re: [Plus] Supporting connection tracking and basic diagnostics: a minimal PLUS

Tommy Pauly <tpauly@apple.com> Sun, 11 December 2016 00:35 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: plus@ietfa.amsl.com
Delivered-To: plus@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAD91129552 for <plus@ietfa.amsl.com>; Sat, 10 Dec 2016 16:35:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.197
X-Spam-Level:
X-Spam-Status: No, score=-7.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C18qFTwTSjDp for <plus@ietfa.amsl.com>; Sat, 10 Dec 2016 16:35:24 -0800 (PST)
Received: from mail-in5.apple.com (mail-out5.apple.com [17.151.62.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D0AA12947E for <plus@ietf.org>; Sat, 10 Dec 2016 16:35:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1481416524; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=4uyGDk8QrRWNhRVkYDP13ed1dQBz+MlN+aQz7bybCJs=; b=fc3zJFUyvunxtU1Ud/6ER/2OX785z9KFepWFweLeCsnX1tFIwUjeA6pxPNFCeJiv hkhz5EK++1L+4TYCJnZ8NL9ivR4+FbfcKe8RsQCEzXuGwYFLadkjUb3DrXT1aKk/ oKNILtwIq7PNryPpJwTzYwbRPVgEB2vvM8jA4meRS+V8iuqBm9Az3TZFsRCkp9I2 P+8rdp/owKSi67Ye+RwLr/qB3rUi1Pju7BSi1KQTdObvwiQt9GeAR+uzVolqKCN9 lcABj1W/8bct1WtZAcibPyQyyd9y8C4fg09CFsMz50eTmkSK1og8Od1t5ignTqdF jQjfrH7R7Q2qSsTOD35SIw==;
Received: from relay5.apple.com (relay5.apple.com [17.128.113.88]) by mail-in5.apple.com (Apple Secure Mail Relay) with SMTP id F8.D5.22504.B4F9C485; Sat, 10 Dec 2016 16:35:24 -0800 (PST)
X-AuditID: 11973e13-8abfb700000057e8-f0-584c9f4bd781
Received: from nwk-mmpp-sz06.apple.com (nwk-mmpp-sz06.apple.com [17.128.115.234]) by relay5.apple.com (Apple SCV relay) with SMTP id 09.1F.27929.B4F9C485; Sat, 10 Dec 2016 16:35:23 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_yHWucY0a6CaFdWvW7bLerA)"
Received: from [17.153.31.41] (unknown [17.153.31.41]) by nwk-mmpp-sz06.apple.com (Oracle Communications Messaging Server 8.0.1.1.0 64bit (built Jun 15 2016)) with ESMTPSA id <0OHZ00DDDWAYLF20@nwk-mmpp-sz06.apple.com>; Sat, 10 Dec 2016 16:35:23 -0800 (PST)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <E4BB21D8-9747-409C-BCF7-E62029897282@apple.com>
Date: Sat, 10 Dec 2016 16:35:22 -0800
In-reply-to: <CAKcm_gMzw9Z=XnFy9vYfxOOG+eO6XJ2bSNeboQYjxW+MOUwa9g@mail.gmail.com>
To: Ian Swett <ianswett@google.com>, Brian Trammell <ietf@trammell.ch>
References: <83EEC537-3486-4864-ACA2-911F570D0C57@trammell.ch> <15261501-1F9C-41CA-87D0-4E8FCD862044@trammell.ch> <CAKcm_gMzw9Z=XnFy9vYfxOOG+eO6XJ2bSNeboQYjxW+MOUwa9g@mail.gmail.com>
X-Mailer: Apple Mail (2.3252)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrLLMWRmVeSWpSXmKPExsUi2FAYoesz3yfCYPN+Rouf93ayWmxsecdm 0dyc78DssWBTqceSJT+ZPJ7sn8kSwBzFZZOSmpNZllqkb5fAlbFs8iP2gjVLGSuO79zE1sD4 poOxi5GDQ0LARGLNdI4uRi4OIYG9jBKHZ75m7mLkBIs3vFvHBJE4xCgxp+MCWIJXQFDix+R7 LCA2s0CYxN0pv9ghijqYJNoWNTOBTBUWkJDYvCcRpIZNQEXi+LcNUL02Eqdmz2EFsYUFoiSm rT0ANodFQFVi6eKNYDanQLDEw13fWCHmC0qcnX4ZrFdEwE1i7/+NUAftYpR4OOc3O8SlshIr n25kBUlICExnl7jwq4N5AqPQLCTHzkJy7Cyg+5gF1CWmTMmFCGtLPHl3gRXCVpNY+HsRE7L4 Aka2VYxCuYmZObqZeaZ6iQUFOal6yfm5mxhB8THdTngH4+lVVocYBTgYlXh4XzT6RAixJpYV V+YeYpTmYFES5+118o4QEkhPLEnNTk0tSC2KLyrNSS0+xMjEwSnVwNh6fBfbs2a/urKIw9IP TH99Xy2lH3D1181lK6eLJJxblha65Wzjl6W8TyNZAkzW+WhbvK3aGFs0596UOffUfrXx2vZf XRmW2hXDcez4Ab1D7rUHrm76+sr9/9sM3fmKIUvabXn/me/afNDo8aNzWyRkJVim2Go+4du2 cOaTJzK/omXzjSLW3WpQYinOSDTUYi4qTgQAM4/hVHACAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrMKsWRmVeSWpSXmKPExsUi2FD8Std7vk+EwakWQ4uf93ayWmxsecdm 0dyc78DssWBTqceSJT+ZPJ7sn8kSwBxlbZOWX1SeWJSiUJRcUGKrVJyRmJJfHm9pbGTqkFhQ kJOql5yfq6RvZ5OSmpNZllqEzEqwzlg2+RF7wZqljBXHd25ia2B808HYxcjJISFgItHwbh0T hC0mceHeerYuRi4OIYFDjBJzOi4wgyR4BQQlfky+xwJiMwuESdyd8osdoqiDSaJtUTNQNweH sICExOY9iSA1bAIqEse/bYDqtZE4NXsOK4gtLBAlMW3tAbA5LAKqEksXbwSzOQWCJR7u+sYK MV9Q4uz0y2C9IgJuEnv/b2SC2LWLUeLhnN/sEJfKSqx8upF1AqPALCT3zUJy3yygk5gF1CWm TMmFCGtLPHl3gRXCVpNY+HsRE7L4Aka2VYwCRak5iZWmevDQ3MQIjqXCiB2M/5dZHWIU4GBU 4uF90egTIcSaWFZcmQsMJA5mJRHeWTOAQrwpiZVVqUX58UWlOanFhxj3MwJ9OZFZSjQ5Hxjp eSXxhsYWxpYmFgYGJpZmJoSFTUwMTIyNzYyNzU3MaSmsJM5r4ewdISSQnliSmp2aWpBaBPMC EwenVAPjlOlTXIuqs/lTDLQ65R9M+/113pPz/p8eu4a55ZxREynZbn+gxV7K4NQn7udKyq0K hf9s5y8snLj40tKP+y7eqdSz9z8Wks1wqObvFCMtK6ZVBw4teZiRu2DSnR9BKWcjBB0zagQP WkQcXHO+ruU567NC4zdp2422hSRKSPw9XJPMes/WKi9AiQWY1g21mIuKEwGVhHoARgMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/plus/itgM549GyMtefmG2Xib4UWh5zgY>
Cc: plus@ietf.org
Subject: Re: [Plus] Supporting connection tracking and basic diagnostics: a minimal PLUS
X-BeenThere: plus@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion of a Path Layer UDP Substrate \(PLUS\) protocol for in-band management of in-network state for UDP-encapsulated transport protocols." <plus.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/plus>, <mailto:plus-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/plus/>
List-Post: <mailto:plus@ietf.org>
List-Help: <mailto:plus-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/plus>, <mailto:plus-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Dec 2016 00:35:27 -0000

I agree with Ian that the first option is probably easier and more viable as a solution. The second option is attractive in how it makes the association and confirmation values less predictable, and thus more trustworthy. However, the extra state required to debug and reconstruct the flow does seem too high if want wide adoption.

When we are looking at the first option, you mentioned strategies to avoid on-path injection attacks of stops. Is there any attack that could be made regarding the PSN? If the attacker can modify PSN values or inject packets with higher PSN values in either direction, what side effects can we see? I'm assuming that the endpoints themselves will be able to validate the authenticity of the fields, but could a middle box that is trying to monitor the plausible-ness of the PSN get thrown off? Or does it only ever adjust its plausibility window when it sees a PSN acknowledged? (To that end, if an acknowledgment value is faked, what does that do?)

—Tommy

> On Dec 9, 2016, at 7:40 AM, Ian Swett <ianswett@google.com> wrote:
> 
> I have been discussing the first option with people for a while, and everyone has indicated it's relatively simple to implement, potentially even in hardware, and provides quite a bit of extra useful information(RTT, approximate bandwidth) over QUIC's status quo.
> 
> I believe packet numbers being in order makes the first case both easier to implement and provides some valuable extra information(it's easy to infer upstream loss and reordering), so I think it's definitely a better approach.
> 
> Also, given an equal number of bytes spent on the echo, I think they both have about the same fuzziness properties.  For example, if 2 bytes were used in the first case, assuming this echo must be monotonically increasing, an ack or packet gap of over 65,000 packets would have to occur for the signal to be misinterpreted.  If we're getting 65,000 packet gaps, we might be outside the realm of QUIC's wire format to help you diagnose your network issues, to put it mildly. 
> 
> 
> 
> On Fri, Dec 9, 2016 at 6:55 AM, Brian Trammell <ietf@trammell.ch <mailto:ietf@trammell.ch>> wrote:
> Greetings, all,
> 
> We were sitting around a whiteboard yesterday, thinking about (1) how to implement the signals required to drive the state machine outlined in the -plus-statefulness-01 draft, and (2) how to provide on-path diagnosability as we're discussing in the thread on Juho's blog post. Indeed, we think these two use cases are by far the most important for PLUS, in that they provide equivalent-to-TCP support for basic operations and troubleshooting practices for encrypted, UDP-encapsulated transports like QUIC, and one could implement either of them in QUIC directly without much disruption.
> 
> We came up with two implementation sketches, both of which use the same header fields to drive the association and confirmation signals as well as basic measurability.
> 
> 
> The simpler one is pretty much the design Jana alluded to in his previous message. It looks kind of like TCP on the wire, and has basically the same properties.It uses three header fields: a connection ID which appears in packets of both directions and is chosen by the connection initiator; a packet serial number (PSN) whose initial value in each direction is chosen randomly by the sender (like the TCP sequence number, and as under discussion for QUIC) and is incremented by one for each packet sent regardless of content or lack thereof (like the QUIC packet number); and a maximum packet serial echo, which is the highest packet number received by the sender before a packet was sent.
> 
> This provides an association signal on the initial echo of the initiator's PSN, and a confirmation signal on the initiator's initial echo of the responder's PSN -- just like the ack numbers on the SYN/ACK and ACK legs of the TCP handshake. The connection ID here simply provides additional bits of protection against completely off-path attempts to force the state machine to tick over. Note there's no need for SYN or ACK flags -- the association and confirmation signals continually demonstrate that each side has seen packets from the other side.
> 
> A stop signal is considered authentic if it has a correct connection ID and a plausible PSN. This is path-verifiable, but provides no protection against on-path or path-side injection attacks against state on middleboxes (though, note that since even unencrypted headers are authenticated, the endpoint can always detect an attempt to inject a stop). A variation of the mechanism described in statefulness-01 would use a two-way stop signal: a stop is only considered valid along the path if one endpoint sends a stop signal in reply to the other endpoint's stop signal. This would make the path-side injection much harder to perform: in order to remove state on a given middlebox (presuming said middlebox isn't stupid about accepting packets from anywhere), the attacker would need to be able to inject packets on the interfaces facing both endpoints.
> 
> One-point measurement of the PSN and echo streams gives you two-sided RTT and upstream loss and reordering. Coordinated two-point analysis gives you a lot more. As noted, though, two-point analysis is far more complex.
> 
> This approach has the advantage of being extremely simple (it meets the "someone with wireshark could reverse-engineer this in an hour or so" requirement), and very close to what's there in QUIC right now. If implemented with a small number of possible header layouts (preferably one) the wire image could be trivially offloaded to hardware.
> 
> It all of the disadvantages as SEQ/ACK tracking in TCP, and of resistance to off-path meddling that TCP sequence numbers do, though it does give better RTT indication on lossy links (since the echo is always the max packet number, not the highest continuous ack), and two-side stop is better than RST at resisting path-side attacks. The definition of "plausible" next PSN or "plausible" echo when seen at a midpoint device is fuzzy, which could lead to difficult to debug problems with middleboxes that try to drop packets with implausible values (as some state-tracking TCP firewalls do now).
> 
> 
> The second one replaces the packet number and the echo with a token and a nonce. The connection initiator chooses an initial random token and a nonce. The connection responder applies a function to the token and nonce to generate its own token, and chooses a random nonce. Each side generates a new token from the token and nonce it receives each time the token it receives changes. Like the simpler implementation, this one provides continual association and confirmation signals. It also provides one-point measurement of RTT, since the token change is an RTT-clocked signal. The RTT clock would also behave odd ways under high-reordering situations, and additional complexity (which involves remembering a few past tokens, but which we didn't work through) would be needed to fix that.
> 
> The token and nonce could be separate from an additional connection ID, or the connection ID and the token could be the same -- though this would require much more state to be kept everywhere in order to allow the connection ID to be useful for NAT rebinding and injection defense purposes.
> 
> The main advantage over the simpler approach is that the fuzziness around plausible PSNs and echoes goes away, as does the predictability of association and confirmation values after the initial connection establishment. However, it does not provide loss measurement without additional information, and it places more state and processing requirements on endpoints.
> 
> 
> Either of these mechanisms could used together with a path-and-endpoint verifiable, on-path and side-path attack resistant stop signal: during connection setup each endpoint generates a random value, and exposes the result of the application of a hash function to that random value as its stop signal proof. To send a stop signal, it reveals the random value as a stop signal verification (this is the essence of PR#20 on QUIC). Any endpoint or on-path device can verify that the hash of the verification is the proof. Of course, devices that don't keep the proof value (or never saw it) can't verify it. The tradeoff here is additional complexity versus additional resistance against path-side injection meddling with state on middleboxes.
> 
> 
> Simple packet number and echo signaling for association and confirmation signaling with two-way stop seems to us like a reasonable "minimal functionality set" at the moment.
> 
> Thoughts?
> 
> Cheers,
> 
> Brian and Mirja
> 
> 
> _______________________________________________
> Plus mailing list
> Plus@ietf.org <mailto:Plus@ietf.org>
> https://www.ietf.org/mailman/listinfo/plus <https://www.ietf.org/mailman/listinfo/plus>
> 
> 
> _______________________________________________
> Plus mailing list
> Plus@ietf.org
> https://www.ietf.org/mailman/listinfo/plus

v2.23.0 | Report a Bug | By Email