[secdir] secdir review of draft-ietf-tcpm-accurate-ecn-14
"Scott G. Kelly" <scott@hyperthought.com> Tue, 13 April 2021 00:03 UTC
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C80DA3A17AF for <secdir@ietfa.amsl.com>; Mon, 12 Apr 2021 17:03:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C8oF_UtsYPNv for <secdir@ietfa.amsl.com>; Mon, 12 Apr 2021 17:03:25 -0700 (PDT)
Received: from smtp99.iad3a.emailsrvr.com (smtp99.iad3a.emailsrvr.com [173.203.187.99]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D5043A17B0 for <secdir@ietf.org>; Mon, 12 Apr 2021 17:03:25 -0700 (PDT)
Received: from app3.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp37.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 11CAC5B0E; Mon, 12 Apr 2021 20:03:24 -0400 (EDT)
Received: from hyperthought.com (localhost.localdomain [127.0.0.1]) by app3.wa-webapps.iad3a (Postfix) with ESMTP id EC288A1EFB; Mon, 12 Apr 2021 20:03:23 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Mon, 12 Apr 2021 17:03:23 -0700 (PDT)
X-Auth-ID: scott@hyperthought.com
Date: Mon, 12 Apr 2021 17:03:23 -0700
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-tcpm-accurate-ecn.all@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
X-Client-IP: 24.23.138.127
Message-ID: <1618272203.965227355@apps.rackspace.com>
X-Mailer: webmail/18.1.26-RC
X-Classification-ID: 98d08108-5b1d-4829-bd34-67ead449e8c4-1-1
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dCPV35Bo6lnn19jMvMBfLuH6PHs>
Subject: [secdir] secdir review of draft-ietf-tcpm-accurate-ecn-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2021 00:03:28 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Almost Ready. The title of this draft is, "More Accurate ECN Feedback in TCP". The document specifies a scheme (abbreviated AccECN) to provide more than one feedback signal per RTT in the TCP header. It does this by allocating a reserved header bit that was previously used for the ECN-Nonce (which has now been declared historic), and it overloads the two existing ECN flags in the TCP header. I'm not a TCP or ECN expert, so please take my comments with a proverbial grain of salt. Thinking about this strictly as a security geek, I see three places where this scheme could be tampered with: the sender, the receiver, and the network in between them. The security considerations section starts off by pointing out that there will be consequences to tampering by a middlebox (the network in between), and it describes the impact as limited. A malicious sender is not described, and I'm not sure that any such thing reasonably exists, but I did wonder about this. A malicious receiver (who might be motivated to interfere with AccECN in order to increase its own throughput at the expense of others) is described, and the reader is referred to section 5.3, which describes 3 different potential mitigations for this. There is also mention of the fact that the receiver might simply omit the option, pretending it had been stripped by a middlebox, but there is no known consequence (other than downgrading to plain ECN). There is a TODO in the security considerations which must be addressed (referring to a potential covert channel), and that's why the review summary is "Almost Ready". I suggest that the security AD might want someone both TCP and security expertise to evaluate this. --Scott
- [secdir] secdir review of draft-ietf-tcpm-accurat… Scott G. Kelly
- Re: [secdir] secdir review of draft-ietf-tcpm-acc… Bob Briscoe
- Re: [secdir] secdir review of draft-ietf-tcpm-acc… Scharf, Michael
- Re: [secdir] secdir review of draft-ietf-tcpm-acc… Bob Briscoe