Re: [Spud] SPUD's open/close are unconvincing
Christian Huitema <huitema@microsoft.com> Wed, 08 April 2015 22:18 UTC
From: Christian Huitema <huitema@microsoft.com>
To: Brian Trammell <ietf@trammell.ch>, Daniel Kahn Gillmor
<dkg@fifthhorseman.net>
Date: Wed, 8 Apr 2015 22:18:34 +0000
Message-ID: <DM2PR0301MB06552514D75986D914ABA0AAA8FC0@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <87iod631nv.fsf@alice.fifthhorseman.net>
<BAF3E36A-3D44-454E-BF3A-A9F9C3B9C4BC@trammell.ch>
In-Reply-To: <BAF3E36A-3D44-454E-BF3A-A9F9C3B9C4BC@trammell.ch>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/_GvKTU33HiSRwmGMgp_-qfgGf4k>
Cc: "spud@ietf.org" <spud@ietf.org>
> SPUD's ACK (roughly TCP SYN/ACK) is more interesting. A SYN/ACK in proper
> response to a SYN means that someone on the other side of the firewall decided
> a connection could proceed, or more mundanely means there is now actually
> state on the endpoint so any state the network needs should be there too. For
> bidirectional transports (i.e., for every transport one should be running over
> SPUD, since congestion control requires feedback, as does proof of reverse
> reachability to reduce spoofing) it might be that ACK is sufficient to get us what
> we need. (In reviewing that paragraph, we probably also need to name it
> something other than ACK.)

The mapping to actual transport semantics is not entirely clear. Many transport protocols implement some kind of protection against SYN Flooding. One popular such protection is a cookie challenge. So we get a connect/SYN request, a challenge response, a confirmation of the challenge, and only then the actual accept by the server. Which of the server's messages map to ACK? The challenge, or the actual confirmation?

> ...
>
> > So on-path equipment needs to maintain timers anyway if they're
> > tracking flow state instead of just passing IP traffic statelessly.
>
> Yep. Nobody's saying you can chuck the timers with CLOSE. You can set faster
> timers once you've seen one, and use state space only for the exceptions. Right
> now, just looking at a bare UDP datagram, you can't.

Even that is not obvious. What kind of value do you give to the "fast timer?" What if the mobile client is asleep when the fake CLOSE arrives, and cannot invalidate it quickly by sending more traffic?

> It is important to note that if CLOSE is done right, and the active tube ID space
> remains sufficiently sparse, then only devices on the path or entities cooperating
> with them -- i.e., those that are in position trivially block or inject traffic -- can
> fake a CLOSE: you have to be able to fake a valid tube ID.

Please take a look at the Quantum attacks, which combine passive listening on the path with injection from the side. There is a difference between "block traffic" and "inject traffic." Only the forwarding agents can effectively block traffic. Passive listeners can inject traffic without cooperating with the forwarding agents.

--
Christian Huitema
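As an added illustration (not part of this thread, and not code from any SPUD draft or implementation), the following Python model walks through the four-step cookie-challenge exchange described above and through the "fast timer" handling of an on-path flow tracker. The message names CONNECT/CHALLENGE/CONFIRM/ACCEPT/CLOSE/DATA, the HMAC cookie, the 64-bit tube ID, the client address and the two timer values are all assumptions chosen for the example. The design choice it demonstrates is that the on-path device creates state on ACCEPT (the message after which the endpoint itself holds state) rather than on CHALLENGE, and that a CLOSE only shortens a timer instead of deleting state, so real traffic can still revive the flow while a client that is asleep for the whole fast window does lose it.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Constructed per-server secret; a real server would rotate it periodically.
SERVER_SECRET = os.urandom(32)


def make_cookie(client_addr: str, nonce: bytes, secret: bytes = SERVER_SECRET) -> bytes:
    """Stateless challenge cookie: HMAC over the client's address and nonce.
    The server can recompute it later, so it stores nothing at challenge time."""
    return hmac.new(secret, client_addr.encode() + nonce, hashlib.sha256).digest()[:16]


def verify_cookie(client_addr: str, nonce: bytes, cookie: bytes, secret: bytes = SERVER_SECRET) -> bool:
    return hmac.compare_digest(make_cookie(client_addr, nonce, secret), cookie)


class Server:
    """Endpoint whose per-connection state exists only after a verified CONFIRM."""

    def __init__(self) -> None:
        self.connections: dict[bytes, str] = {}  # tube_id -> client address

    def on_connect(self, client_addr: str, nonce: bytes) -> tuple[str, bytes]:
        # CONNECT -> CHALLENGE: no state allocated, so spoofed CONNECTs cost nothing.
        return "CHALLENGE", make_cookie(client_addr, nonce)

    def on_confirm(self, client_addr: str, nonce: bytes, cookie: bytes) -> tuple[str, bytes | None]:
        # CONFIRM -> ACCEPT only if the cookie proves client_addr was reachable.
        if not verify_cookie(client_addr, nonce, cookie):
            return "REJECT", None
        tube_id = secrets.token_bytes(8)  # assumed 64-bit, sparsely used ID space
        self.connections[tube_id] = client_addr
        return "ACCEPT", tube_id


class FlowTracker:
    """Model of an on-path device keeping per-flow state with idle timers."""

    IDLE_TIMEOUT = 120.0  # assumed: seconds of silence before a live flow is forgotten
    FAST_TIMEOUT = 5.0    # assumed: shortened timer applied after an observed CLOSE

    def __init__(self) -> None:
        self.flows: dict[bytes, float] = {}  # tube_id -> expiry time

    def observe(self, now: float, msg: str, tube_id: bytes | None) -> None:
        if msg == "ACCEPT" and tube_id is not None:
            # State mirrors the endpoint: created on ACCEPT, never on CHALLENGE.
            self.flows[tube_id] = now + self.IDLE_TIMEOUT
        elif msg == "DATA" and tube_id in self.flows:
            self.flows[tube_id] = now + self.IDLE_TIMEOUT  # live traffic refreshes the timer
        elif msg == "CLOSE" and tube_id in self.flows:
            # Never drop on CLOSE alone: shorten the timer so real traffic can revive the flow.
            self.flows[tube_id] = min(self.flows[tube_id], now + self.FAST_TIMEOUT)

    def expire(self, now: float) -> None:
        for tid in [t for t, exp in self.flows.items() if exp <= now]:
            del self.flows[tid]

    def has_flow(self, tube_id: bytes) -> bool:
        return tube_id in self.flows


def run_handshake() -> tuple[Server, FlowTracker, bytes, bool]:
    """Four-step exchange; also reports whether CHALLENGE left the server stateless."""
    server, tracker = Server(), FlowTracker()
    client_addr = "192.0.2.10:40000"  # constructed documentation address
    nonce = os.urandom(8)
    msg, cookie = server.on_connect(client_addr, nonce)
    stateless_after_challenge = msg == "CHALLENGE" and not server.connections
    tracker.observe(0.0, msg, None)  # tracker sees the challenge and keeps nothing
    msg, tube_id = server.on_confirm(client_addr, nonce, cookie)
    tracker.observe(0.1, msg, tube_id)  # ACCEPT is where both sides now hold state
    return server, tracker, tube_id, stateless_after_challenge


def close_timer_scenarios() -> tuple[bool, bool, bool]:
    """(a) CLOSE with a guessed ID, (b) real-ID CLOSE with a sleeping client,
    (c) real-ID CLOSE followed by client data inside the fast window."""
    server, tracker, tube_id, _ = run_handshake()
    tracker.observe(1.0, "CLOSE", secrets.token_bytes(8))  # ID not in the sparse space
    tracker.expire(1.0 + FlowTracker.FAST_TIMEOUT)
    guess_ignored = tracker.has_flow(tube_id)

    tracker.observe(2.0, "CLOSE", tube_id)  # ID was visible on path
    tracker.expire(2.0 + FlowTracker.FAST_TIMEOUT)  # client asleep, sends nothing
    asleep_loses_state = not tracker.has_flow(tube_id)

    server, tracker, tube_id, _ = run_handshake()
    tracker.observe(2.0, "CLOSE", tube_id)
    tracker.observe(3.0, "DATA", tube_id)  # client awake: traffic invalidates the CLOSE
    tracker.expire(2.0 + FlowTracker.FAST_TIMEOUT)
    awake_keeps_state = tracker.has_flow(tube_id)
    return guess_ignored, asleep_loses_state, awake_keeps_state


if __name__ == "__main__":
    print(close_timer_scenarios())
```

Run as a script it prints `(True, True, True)`: a CLOSE carrying an ID that was never issued does nothing, a CLOSE with the real ID removes tracker state once the fast timer lapses with the client silent, and the same CLOSE is harmless when the client sends data within the window. The second result is exactly the open question in the message above: however the fast timer is chosen, a client that is asleep for longer than that window cannot defend its state.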