Re: [Spud] The reset middleboxes attack
Caitlin Bestler <caitlin.bestler@nexenta.com> Sun, 29 March 2015 18:46 UTC
On 3/29/15 9:15 AM, Yoav Nir wrote:
> Routing on the internet can change at any time, so you can’t trust that for a particular TCP connection, a UDP flow or a “tube” all packets are going to follow the same path and pass through the same intermediaries.
>
> Fortunately, the stateful intermediaries, such as firewalls, QoS boxes and NATs, tend to be placed at such choke points that all packets do flow through them. The exception is when one endpoint gets reconfigured, such as a mobile device moving from one network to another. TCP handles this gracefully by closing the connection (OK, that’s not really “gracefully”), and for UDP it didn’t matter, because there was no meta-data in the packets.
>
> With SPUD the “tube” will have meta-data in the packet, so either we copy TCP’s breakage when something changes, or we do something else. In the BoF we talked about the intermediaries being able to inject packets into the tube. I guess we could have them inject a “need-state” command when they detect what appears to be an already-open tube. In response the endpoints can send a special packet with the parameters needed at the OPEN command, affirming that this is indeed an open tube. Endpoints whose address has changed could proactively send such packets to avoid getting blocked for a round-trip.

If a middlebox is doing something stateful then routing an existing TCP connection through it will not work. That is how middleboxes work today. I cannot think of why a middlebox would be doing something stateful if they were not at some form of check point. Middleboxes do not take on per-connection state because they are bored.

Having a set of middleboxes somehow be aware that they form alternative routes to a protected domain, and automatically share state and responsibility for protecting said domain is, to put it mildly, too ambitious of a project for standardization.
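To make the exchange under discussion concrete, the following Python sketch (an added example written for this archive page; it is not from the SPUD drafts or from either author) models a stateful middlebox that keys its state on a tube identifier, a route change that moves the tube onto a second middlebox that never saw the OPEN, and the two outcomes the quoted mail contrasts: TCP-style breakage, where the unknown flow is simply dropped, versus a "need-state" command injected back toward the endpoint, answered by a re-statement of the OPEN parameters. The message names (OPEN, DATA, NEED_STATE, REAFFIRM), the `tube_id` field, the parameter set and the `ALLOWED_SERVICES` admission policy are all assumptions made for this model. Two defensive details are built in: the middlebox applies the same admission check to a re-affirmation as to a fresh OPEN, so re-stating a tube cannot admit anything an OPEN would not, and the endpoint answers NEED_STATE only for tubes it actually holds, so a stray or forged command for an unknown tube gets no reply.

```python
"""Toy model of the "need-state" exchange proposed in the quoted mail.

Message names, the tube_id field, the parameter set and the admission
policy are assumptions made for this example, not taken from any draft.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OPEN, DATA, NEED_STATE, REAFFIRM = "OPEN", "DATA", "NEED_STATE", "REAFFIRM"
Params = Tuple[Tuple[str, str], ...]      # e.g. (("service", "quic"),)
ALLOWED_SERVICES = {"quic", "dns"}        # constructed firewall policy


@dataclass(frozen=True)
class Packet:
    tube_id: int         # identifier carried in every packet of a tube (assumed)
    kind: str
    params: Params = ()  # only OPEN / REAFFIRM carry parameters


def admitted(params: Params) -> bool:
    """Admission policy applied to OPEN and, identically, to REAFFIRM."""
    return dict(params).get("service") in ALLOWED_SERVICES


class Middlebox:
    """Stateful box (firewall/NAT-like) holding per-tube state."""

    def __init__(self, name: str, supports_need_state: bool):
        self.name = name
        self.supports_need_state = supports_need_state
        self.tubes: Dict[int, Params] = {}

    def process(self, pkt: Packet) -> Tuple[Optional[Packet], Optional[Packet]]:
        """Return (packet forwarded downstream, packet injected back to sender)."""
        if pkt.kind in (OPEN, REAFFIRM):
            # A REAFFIRM must not admit anything a fresh OPEN would not.
            if not admitted(pkt.params):
                return None, None
            self.tubes[pkt.tube_id] = pkt.params
            return pkt, None
        if pkt.kind == DATA:
            if pkt.tube_id in self.tubes:
                return pkt, None
            if self.supports_need_state:
                # Unknown tube: drop the data and ask the endpoint to re-state it.
                return None, Packet(pkt.tube_id, NEED_STATE)
            return None, None  # TCP-style breakage: unknown flow is dropped
        return None, None  # commands are consumed here, not forwarded


class Endpoint:
    def __init__(self):
        self.tubes: Dict[int, Params] = {}

    def open(self, tube_id: int, params: Params) -> Packet:
        self.tubes[tube_id] = params
        return Packet(tube_id, OPEN, params)

    def data(self, tube_id: int) -> Packet:
        return Packet(tube_id, DATA)

    def on_injected(self, pkt: Packet) -> Optional[Packet]:
        """Answer NEED_STATE only for tubes we actually hold; ignore the rest."""
        if pkt.kind == NEED_STATE and pkt.tube_id in self.tubes:
            return Packet(pkt.tube_id, REAFFIRM, self.tubes[pkt.tube_id])
        return None


def simulate_path_change(supports_need_state: bool, service: str = "quic") -> dict:
    """Open a tube through mb_a, then reroute it through mb_b, which has no state."""
    client = Endpoint()
    mb_a = Middlebox("mb-A", supports_need_state)
    mb_b = Middlebox("mb-B", supports_need_state)
    params: Params = (("service", service),)

    opened = mb_a.process(client.open(7, params))[0] is not None
    via_a = mb_a.process(client.data(7))[0] is not None

    # Route change: the next DATA packet hits mb_b, which never saw the OPEN.
    fwd, injected = mb_b.process(client.data(7))
    lost_round_trips = 0
    if fwd is None and injected is not None:
        lost_round_trips = 1
        reply = client.on_injected(injected)
        if reply is not None:
            mb_b.process(reply)
        fwd, _ = mb_b.process(client.data(7))

    return {"opened": opened, "delivered_via_a": via_a,
            "delivered_via_b": fwd is not None,
            "lost_round_trips": lost_round_trips}


if __name__ == "__main__":
    print(simulate_path_change(True))    # tube survives the route change
    print(simulate_path_change(False))   # TCP-style: tube is dead after the change
```

With `supports_need_state=True` the tube survives the route change at the cost of one round trip, which is exactly the cost the quoted proposal suggests avoiding by having a re-addressed endpoint send the re-affirmation proactively; with `False` the second middlebox silently drops the flow. Running it with a service outside `ALLOWED_SERVICES` shows the REAFFIRM path failing the same check the OPEN would have failed. The model also illustrates the reply's point that nothing here makes mb-A and mb-B aware of each other: state lives in whichever box the packets happen to traverse.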