IETF Logo Mail Archive

Re: [Spud] SPUD's open/close are unconvincing

Eliot Lear <lear@cisco.com> Thu, 09 April 2015 06:22 UTC

Return-Path: <lear@cisco.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B1DD1B2D0F for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 23:22:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v_Ha-na80zpz for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 23:22:22 -0700 (PDT)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A9AC1B2CD6 for <spud@ietf.org>; Wed, 8 Apr 2015 23:22:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7440; q=dns/txt; s=iport; t=1428560542; x=1429770142; h=message-id:date:from:mime-version:to:subject:references: in-reply-to; bh=7F7Ddvk3nEPNPhuV2nKS5gbRWKU1ePaVjnRZIJumRqo=; b=LvTiEoMjEf9Ms6aB0xty3CrW5gRb93FTXpPtLh0NLD+STRXLgpIECOFp HJJ20w0pPPz368zlslzvtDFNdfAK9FgvqZfl1KJfrtbmbk26x5kmREKwM MduY+Y2YVbkRvzrF6uwwajlS7Shad97uw7cd75M5F/8ZmfWq2aO0e9160 c=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CmBAAEGiZV/xbLJq1ch0vJAQKBcBEBAQEBAQEBfYQfAQEBAwEjVQYLCxgJFgsCAgkDAgECAUUGAQwIAQGIHgi2BJZZAQEBAQEBAQMBAQEBAQEBARqLK4QtVoJogUUBBIYejESBM4ZmhxaNRSKDcTyBMweBOgEBAQ
X-IronPort-AV: E=Sophos;i="5.11,548,1422921600"; d="asc'?scan'208,217";a="422860391"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP; 09 Apr 2015 06:22:18 +0000
Received: from [10.61.95.48] (ams3-vpn-dhcp7985.cisco.com [10.61.95.48]) by aer-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id t396MIET020237; Thu, 9 Apr 2015 06:22:18 GMT
Message-ID: <55261A99.5090801@cisco.com>
Date: Thu, 09 Apr 2015 08:22:17 +0200
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, spud@ietf.org
References: <87iod631nv.fsf@alice.fifthhorseman.net>
In-Reply-To: <87iod631nv.fsf@alice.fifthhorseman.net>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="MtNg2mJvNHnL476uQl9kmITbOf9qa5J7k"
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/SGA7ToEL9OQx3Xba9eq1BxmN0ug>
Subject: Re: [Spud] SPUD's open/close are unconvincing
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2015 06:22:25 -0000

Daniel,


On 4/8/15 8:39 PM, Daniel Kahn Gillmor wrote:
> Open is superfluous
> -------------------
>
> Given the existing 5-tuple, on-path equipment trivially knows when a
> flow starts already: it is a 5-tuple that they haven't seen before.  If
> you want to maintain a distinction between a one-side-opened flow and a
> replied flow, this is also traceable by looking at the 5-tuple.  It's
> not clear that the "open" signal gives on-path equipment any additional
> useful information that it didn't have already from the 5-tuple.
Open provides an indication that the flow is not a continuation, that
new state should be instantiated, that any old state of the 5-tuple
should be discarded.  Opens may flow in either direction, but may be
authorized for only some uses.
>
> Close is unreliable
> -------------------
>
> One of the reasons on-path equipment would like a "close" signal is so
> that they know when to tear down associations that are no longer needed.
> This would reduce memory consumption and make a device more resilient to
> DoS attacks that exhaust its connection table.  Without "close", the
> on-path equipment has to rely on timers to decide when to tear down the
> connection.
>
> Unfortunately, we can't rely on endpoints to send Close.  Legitimate
> endpoints crash, run out of power, or have their network connectivity
> cut.

This is by far the exception and not the rule.  Most state is torn down.

>   So on-path equipment needs to maintain timers anyway if they're
> tracking flow state instead of just passing IP traffic statelessly.

This misses the point.  If there is an implicit understanding of the
behavior of the endpoints, firewalls needn't keep state.  It is
sufficient in many cases to know that SYNs should be blocked whereas
SYN|ACK should be passed.  No state retained on the firewall.  There is
no equivalent in UDP without going up the stack.

Moreover, if a firewall is tracking state, it cannot tell if an incoming
packet is a continuation of a <flow/spud/tube> or an initiation if it is
*not* using timers.  This makes both open and close (as well as perhaps
some other gunk) very useful.

>   And
> in a DoS scenario, it's trival for an actively malicious end-point to
> send lots of "open" messages without ever sending a "close", so it
> doesn't protect against DoS either.

In fact, this is precisely the nature of a SYN attack.  Firewalls
regularly detect and block them in TCP.  UDP requires much more effort
and understanding of the higher layers.

Eliot

v2.8.7 | Report a Bug | By Email