IETF Logo Mail Archive

Re: [Spud] SPUD's open/close are unconvincing

Jana Iyengar <jri@google.com> Fri, 10 April 2015 22:20 UTC

Return-Path: <jri@google.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AD411B2DC2 for <spud@ietfa.amsl.com>; Fri, 10 Apr 2015 15:20:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhz0ytGrTB9O for <spud@ietfa.amsl.com>; Fri, 10 Apr 2015 15:20:48 -0700 (PDT)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C85BA1B2DC1 for <spud@ietf.org>; Fri, 10 Apr 2015 15:20:47 -0700 (PDT)
Received: by iebmp1 with SMTP id mp1so28500898ieb.0 for <spud@ietf.org>; Fri, 10 Apr 2015 15:20:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jVE59hUORKdVDVHgG3oNwGUHayFoUO7MCpkZ3pxxcyE=; b=CIN7HFgjVJkr7rmi/9yQ/GQpl+DA3+ll+DZ4oiNAMRzMbOCcvDDuXo7iUOtTT6aVID KorNdzOjA5guZmYNCtxecv5dbZBK0Bh1pMjADgabub9jD9SVrGDZ6AShjEj6SOSmicpI 6pvOAQMuUDBM5ZBcpjSqJq0qskbZSNM0XQ28MXat9r+cP3TskCF3KGtRFCYaCmg70hcB Rh6rUtEynbNjH+6JiMQ/t8/9a69sf/xfPyh96MV/Jo2sJFcO14As6lxDc67NpDIeYdqL Z4LTNDxkJilq0UZDgDf2hQTl4J1gp57U/ncFiIa9Td/CZx8hA0GaxYAGlzQgMN4RR2a8 e15g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jVE59hUORKdVDVHgG3oNwGUHayFoUO7MCpkZ3pxxcyE=; b=Bghkw+FtlyHIEyPwsyNoZww0CaXQQGVPMOFGoUoWnXhQP21+XhL3+R+JK0uaElvdv/ W+Wm4Zxbxmvna6DPR1rhHFlsEW/EV7k0SjumKvQD78GzqoTE91Kg2hn0updTwqwqQ2Ya OYpLkM1LnMnJH3CG3JeZQGPUqVXQ7CkQt4XAPRwH8Pn8pAVStGRJ5qiFg0TR5h07KwDx 0CyqZ7KWT/bUj1EU/aiwCMIVubj4wPBFYZX8Io8gvOCWww2BSaFOQLKUzjsuxrbTZj4c 3QJ8mQSoZ/k9ItQhgXcjEGY38zL5KsVo6xjL1zoGRKoY+avejZSLqCeR92HDPcxm+lQe tiZQ==
X-Gm-Message-State: ALoCoQlEkDBeR9D9n4e7XII/oC4jsI0jdR3Di/m1MCPJGEQdvZ2ZRjAZuKLJO1CGB595nJ9VQJjp
MIME-Version: 1.0
X-Received: by 10.50.43.130 with SMTP id w2mr1509164igl.30.1428704447061; Fri, 10 Apr 2015 15:20:47 -0700 (PDT)
Received: by 10.50.45.41 with HTTP; Fri, 10 Apr 2015 15:20:46 -0700 (PDT)
In-Reply-To: <55261A99.5090801@cisco.com>
References: <87iod631nv.fsf@alice.fifthhorseman.net> <55261A99.5090801@cisco.com>
Date: Fri, 10 Apr 2015 15:20:46 -0700
Message-ID: <CAGD1bZb1SEFAxBHKxT3f1pewiz7T2aXe4cos2UXpDWb1sutV4w@mail.gmail.com>
From: Jana Iyengar <jri@google.com>
To: Eliot Lear <lear@cisco.com>
Content-Type: multipart/alternative; boundary=089e0103de4e0e8c310513662d15
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/5laeuP3KxL15i_84YjzPUGHYriA>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] SPUD's open/close are unconvincing
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 22:20:49 -0000

Eliot,

A few responses:

Open provides an indication that the flow is not a continuation, that new
> state should be instantiated, that any old state of the 5-tuple should be
> discarded.  Opens may flow in either direction, but may be authorized for
> only some uses.
>

If used like this, it creates another DoS vector where anyone can trivially
kick someone else's connection off.


>  Close is unreliable
> -------------------
>
> One of the reasons on-path equipment would like a "close" signal is so
> that they know when to tear down associations that are no longer needed.
> This would reduce memory consumption and make a device more resilient to
> DoS attacks that exhaust its connection table.  Without "close", the
> on-path equipment has to rely on timers to decide when to tear down the
> connection.
>
> Unfortunately, we can't rely on endpoints to send Close.  Legitimate
> endpoints crash, run out of power, or have their network connectivity
> cut.
>
>
> This is by far the exception and not the rule.  Most state is torn down.
>

AFAIK, TCP connections are commonly torn down with an RST (not a FIN), and
not infrequently with silence. I would love to know what the truth is -- is
there any data that I can look at to prove myself wrong?

   So on-path equipment needs to maintain timers anyway if they're
> tracking flow state instead of just passing IP traffic statelessly.
>
>
> This misses the point.  If there is an implicit understanding of the
> behavior of the endpoints, firewalls needn't keep state.  It is sufficient
> in many cases to know that SYNs should be blocked whereas SYN|ACK should be
> passed.  No state retained on the firewall.  There is no equivalent in UDP
> without going up the stack.
>
> Moreover, if a firewall is tracking state, it cannot tell if an incoming
> packet is a continuation of a <flow/spud/tube> or an initiation if it is
> *not* using timers.  This makes both open and close (as well as perhaps
> some other gunk) very useful.
>

Why does it need to tell the difference? I'm not sure I see a use case at
the middlebox for using this information.

>   And
> in a DoS scenario, it's trival for an actively malicious end-point to
> send lots of "open" messages without ever sending a "close", so it
> doesn't protect against DoS either.
>
>
> In fact, this is precisely the nature of a SYN attack.  Firewalls
> regularly detect and block them in TCP.  UDP requires much more effort and
> understanding of the higher layers.
>

Why would a DoS attacker set the OPEN bit in SPUD if it will thwart their
attack? That would be silly...

v2.8.7 | Report a Bug | By Email