Re: [secdir] Secdir review of draft-ietf-tcpm-tcp-lcd-02

Catherine Meadows <catherine.meadows@nrl.navy.mil> Fri, 27 August 2010 20:01 UTC

Return-Path: <catherine.meadows@nrl.navy.mil>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9EA383A687B; Fri, 27 Aug 2010 13:01:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.554
X-Spam-Level:
X-Spam-Status: No, score=-0.554 tagged_above=-999 required=5 tests=[AWL=0.555, BAYES_05=-1.11, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Z7ugrgqVqzQ; Fri, 27 Aug 2010 13:01:55 -0700 (PDT)
Received: from fw5540.nrl.navy.mil (fw5540.nrl.navy.mil [132.250.196.100]) by core3.amsl.com (Postfix) with ESMTP id BFE223A6857; Fri, 27 Aug 2010 13:01:55 -0700 (PDT)
Received: from chacs.nrl.navy.mil (sun1.fw5540.net [10.0.0.11]) by fw5540.nrl.navy.mil (8.13.8/8.13.6) with ESMTP id o7RK2Pfg014419; Fri, 27 Aug 2010 16:02:26 -0400 (EDT)
Received: from chacs.nrl.navy.mil (sun1 [10.0.0.11]) by chacs.nrl.navy.mil (8.13.8/8.13.6) with SMTP id o7RK2Ld5005439; Fri, 27 Aug 2010 16:02:25 -0400 (EDT)
Received: from siduri.fw5540.net ([10.0.3.73]) by chacs.nrl.navy.mil (SMSSMTP 4.1.16.48) with SMTP id M2010082716022408406 ; Fri, 27 Aug 2010 16:02:24 -0400
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: multipart/alternative; boundary=Apple-Mail-2--310168919
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
In-Reply-To: <8B3DD996-10E8-431A-90A6-222804931E08@nokia.com>
Date: Fri, 27 Aug 2010 16:08:28 -0400
Message-Id: <B0078A37-6876-4AE6-BAAD-F97481E0BC73@nrl.navy.mil>
References: <AA2DD522-84A2-48BF-AA4A-072CBB41B97A@nrl.navy.mil> <8B3DD996-10E8-431A-90A6-222804931E08@nokia.com>
To: Lars Eggert <lars.eggert@nokia.com>
X-Mailer: Apple Mail (2.1081)
Cc: "draft-ietf-tcpm-tcp-lcd.all@tools.ietf.org" <draft-ietf-tcpm-tcp-lcd.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-tcpm-tcp-lcd-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Aug 2010 20:01:57 -0000

Hi Lars:

Thanks for your comments.  I perhaps did not appreciate completely the significance of this being an experimental ID.

Still, I think that the security considerations section could use some improving.
Simply presenting one example of an attack without adequate motivation as to why this
attack is the most relevant one merely confuses the reader (or at least that was the effect on me).
I would suggest that the authors add more motivation such as you give in your email,
namely that the only behavior change required by this protocol is in the response
to ICMP messages, and thus that the only way an attacker could cause a change in behavior
of the protocol is by either causing more or few ICMP messages to be generated than would have
occurred otherwise.  Then you could discuss the goals of the attacker;  I think it is reasonable to assume,
as the authors do, that the only possible goal is denial of service, since the ICMP messages are not used
for authentication or to control access to sensitive information.  But it wouldn't hurt to point this out.
Then you could discuss the contribution of spurious or suppressed ICMP messages to a denial of service attack (minimal).
You could then discuss the problem of spoofing or suppressing ICMP messages, although this may not be necessary
if the effect is minimal.   At any case,  this would give you a more convincing argument that the protocol does not introduce
any security vulnerabilities, and it doesn't require much more than bringing forward and tying together information that is
already in the ID.

Cathy

On Aug 26, 2010, at 1:17 PM, Lars Eggert wrote:

> Hi, authors,
> 
> please respond to the point Catherine raises.
> 
> (Catherine, a few comments from my side are included below.)
> 
> 
> On 2010-8-24, at 1:28, Catherine Meadows wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>> 
>> This document proposes an algorithm to make TCP more robust to long connectivity
>> disruptions.  Currently TCP has no way of distinguishing disruptions due to connectivity
>> loss from disruptions due to congestion.   Thus, TCP will back off when faced with connectivity
>> loss, which will lead to further delays.  The proposed algorithm uses the ICMP destination unreachable
>> messages as indications of a connectivity disruption, and alters the behavior of TCP accordingly.
>> 
>> My impression from reading this draft is that the behavior and utility of this algorithm will depend on
>> further research and experimentation.  There are a number of situations in which it will still be possible
>> to confuse congestion and long connectivity disruptions that may need further exploration.  The authors of the document do a good job of pointing
>> these out, but I would have liked to have seen more evidence that the solutions recommended are the optimal
>> ones, and under what situations.
> 
> The goal of this mechanism is not to be optimal (TCP as a whole is not trying to be optimal). The goal is to improve things in many cases and not cause harm in realistic all cases.
> 
>> This is especially the case for the security issues, although it is not
>> limited to those.  For example, in the discussion of probing frequency in Section 5.4 the authors make a claim
>> that in their belief the approach of their algorithm is preferable to others that would give higher probing
>> frequency, but they need to provide more evidence to back this up.
> 
> I think it is fine for an Experimental document to state a belief and ask people to verify it with experiments. For a standards-track document, yes, we'd absolutely like to see which one is the one to pick.
> 
>> The security considerations section itself is rather sketchy, and doesn't support that authors' assertions
>> that the algorithm is "considered to be secure."  The greatest security threat posed by this
>> algorithm is that an attacker could exploit it to persuade a TCP sender that communication problems
>> due to congestion are actually due to a connectivity problem, leading the sender to further contribute to the
>> congestion.
> 
> Remember that this mechanism only makes a difference during timeout-based loss recovery, i.e., when TCP at most sends a packet or two over often many seconds. And even when it fires, it doesn't result in a flood of packets, all it results in is that a slow-start restart will be attempted earlier than without this mechanism. So the potential for harm is really low.
> 
>> However, the authors mention only one possible attack: forging ICMP destination unreachable
>> messages, which they present only as an "example" of an attack.
> 
> It's presented of an example where even if the attacked could pull it off, the mechanism is still unaffected. 
> 
>>  I would recommend a more complete
>> discussion, considering each of the potential ambiguity cases discussed in the document, and discussing
>> how an attacker could exploit them and how such exploitation could be prevented or mitigated.  You might
>> also want to discuss the opposite problem: how an attacker could convince a sender that a connectivity
>> problem is a congestion problem.  This is less serious, at least for the moment, since in the current
>> situation that is exactly what happens, but it could be more of a threat further down the line if people come
>> to rely more on this ability to disambiguate.
> 
> If the authors can think of any other attacks, they should absolutely include them, but since ICMPs are the only signal the mechanism reacts to, generating fake ones or suppressing real ones are pretty much the only attack angles I can think of.
> 
> Lars
> 
> 
> 
>> 
>> 
>> Catherine Meadows
>> Naval Research Laboratory
>> Code 5543
>> 4555 Overlook Ave., S.W.
>> Washington DC, 20375
>> phone: 202-767-3490
>> fax: 202-404-7942
>> email: catherine.meadows@nrl.navy.mil<mailto:catherine.meadows@nrl.navy.mil>
>> 
> 
> Lars

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil