Re: [Spud] [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks

Stephan Neuhaus <sten@artdecode.de> Sat, 30 July 2016 18:24 UTC

Return-Path: <sten@artdecode.de>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C533A127078 for <spud@ietfa.amsl.com>; Sat, 30 Jul 2016 11:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s_PVm_MLmJrW for <spud@ietfa.amsl.com>; Sat, 30 Jul 2016 11:24:15 -0700 (PDT)
Received: from wp214.webpack.hosteurope.de (wp214.webpack.hosteurope.de [80.237.132.221]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C347312B008 for <spud@ietf.org>; Sat, 30 Jul 2016 11:24:14 -0700 (PDT)
Received: from [31.10.157.197] (helo=mairac.home); authenticated by wp214.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) id 1bTYvj-0005mh-Qw; Sat, 30 Jul 2016 20:24:11 +0200
To: Tom Herbert <tom@herbertland.com>, =?UTF-8?Q?Mirja_K=c3=bchlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>
References: <409B6F52-B637-4333-915B-A8127C80C98B@trammell.ch> <d27266cf-87f6-17b1-3038-e0f614c6c773@cs.tcd.ie> <84F6AEC6-7DE3-4D1F-9014-201279F70E56@tik.ee.ethz.ch> <5194f988-0e25-7f5a-75cf-6ed3646e012d@cs.tcd.ie> <402A30BB-1A20-4D54-95CA-7C50D8C0F26B@tik.ee.ethz.ch> <dc29fa73-88fd-3dc4-7497-f1bd2fa60422@cs.tcd.ie> <8722FE8E-1026-43D5-BE17-1D6B4031C0D8@tik.ee.ethz.ch> <1b261e1e-a543-53df-8a2a-7dddae415a14@cs.tcd.ie> <D2CEDF13-E508-4732-B8F6-98FBBDDC7EE6@tik.ee.ethz.ch> <CALx6S34gVFDJ6mV=GVrfK5doTK2BbRRWXvxeqFUtidfPp5XGKg@mail.gmail.com>
From: Stephan Neuhaus <sten@artdecode.de>
Message-ID: <5717b856-eaf9-4142-72fa-7e58b4cd61a5@artdecode.de>
Date: Sat, 30 Jul 2016 20:24:11 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CALx6S34gVFDJ6mV=GVrfK5doTK2BbRRWXvxeqFUtidfPp5XGKg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-bounce-key: webpack.hosteurope.de;sten@artdecode.de;1469903054;2568057f;
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/TPfiPtJK4Q_JFV025HZrP44UXuY>
Cc: Brian Trammell <ietf@trammell.ch>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, spud <spud@ietf.org>
Subject: Re: [Spud] [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jul 2016 18:24:17 -0000

On 2016-07-30 19:21, Tom Herbert wrote:
> I this is very debatable. The reason we want to encrypt the transport
> layer in the first place seems to get easily lost in these
> discussions; it is to hide transport layer information *from* the
> network. This prevents intrusiveness of the network in transport
> layers, stops middleboxes from trying to actively participate in
> transport layer protocols, and thus resolves one major source of
> protocol ossification and gets us back to the E2E model.

PLUS offers mostly fields that are set by the endpoints and that are
protected by MACs, so the can't be changed by middleboxes, at least not
without the endpoint finding out. (There are a few fields that are
supposed to enable signaling from the path to the endpoint(s) and these
obviously need to be changeable by the middleboxes. These will be things
such as "tell me the path MTU".)

The PLUS fields will be stuff like "this packet starts a new flow", or
"this packet ends a flow", and the read-only nature of these fields
(unlike what we have now) means that middleboxes can not intrude, and
they can't actively participate. This is exactly what you want, isn't it?

Fun,

Stephan

Full disclosure: I'm working with Brian and Mirja on the MAMI project.