IETF Logo Mail Archive

Re: [Spud] [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks

Christian Huitema <huitema@microsoft.com> Mon, 01 August 2016 21:02 UTC

Return-Path: <huitema@microsoft.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D23012D890 for <spud@ietfa.amsl.com>; Mon, 1 Aug 2016 14:02:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LXrR8mHCzL6O for <spud@ietfa.amsl.com>; Mon, 1 Aug 2016 14:02:54 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0110.outbound.protection.outlook.com [104.47.34.110]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2725412B016 for <spud@ietf.org>; Mon, 1 Aug 2016 14:02:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=2tEwyI8mQ7xHVVopHf822mcBJNS0dasymQwdSzIyofM=; b=EzyZCU7DTPdneQaCI4yVpMw7IbqTQSFjvXDuP5Otur/Witmfy4cOSUmWWjiQZ3FqGTd+Onn8aNvUMcvlSCXmzLctQ47/FcR+ro/cEJfA2n0gy7LE5r5cw2GsnxPL20mZd9tNuttkiaXiAGJARUNiVCzQtw1AwZsvw/8wDlQ667s=
Received: from BN6PR03MB2675.namprd03.prod.outlook.com (10.173.143.150) by BN6PR03MB2673.namprd03.prod.outlook.com (10.173.143.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.549.15; Mon, 1 Aug 2016 21:02:51 +0000
Received: from BN6PR03MB2675.namprd03.prod.outlook.com ([10.173.143.150]) by BN6PR03MB2675.namprd03.prod.outlook.com ([10.173.143.150]) with mapi id 15.01.0549.022; Mon, 1 Aug 2016 21:02:51 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Tom Herbert <tom@herbertland.com>
Thread-Topic: [Spud] [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks
Thread-Index: AQHR6o+XeijpweZ3K0OXgZM+Fyi9e6AxZMEAgAJDfwCAAI01AIAAAquAgAANJ4CAAENGAIAAAs2AgAABAgCAAABuYIAACz4AgAAB9VA=
Date: Mon, 01 Aug 2016 21:02:51 +0000
Message-ID: <BN6PR03MB2675609D3C32F40FB0F2641AA8040@BN6PR03MB2675.namprd03.prod.outlook.com>
References: <409B6F52-B637-4333-915B-A8127C80C98B@trammell.ch> <d27266cf-87f6-17b1-3038-e0f614c6c773@cs.tcd.ie> <84F6AEC6-7DE3-4D1F-9014-201279F70E56@tik.ee.ethz.ch> <5194f988-0e25-7f5a-75cf-6ed3646e012d@cs.tcd.ie> <402A30BB-1A20-4D54-95CA-7C50D8C0F26B@tik.ee.ethz.ch> <dc29fa73-88fd-3dc4-7497-f1bd2fa60422@cs.tcd.ie> <8722FE8E-1026-43D5-BE17-1D6B4031C0D8@tik.ee.ethz.ch> <1b261e1e-a543-53df-8a2a-7dddae415a14@cs.tcd.ie> <D2CEDF13-E508-4732-B8F6-98FBBDDC7EE6@tik.ee.ethz.ch> <CALx6S34gVFDJ6mV=GVrfK5doTK2BbRRWXvxeqFUtidfPp5XGKg@mail.gmail.com> <5717b856-eaf9-4142-72fa-7e58b4cd61a5@artdecode.de> <CALx6S36zv4=S8tgRNqwee0j973Y_gJ7RBnnnV+0vBq_4kn7PVw@mail.gmail.com> <aa2afa2c-23d0-bf50-a82e-654fd08f373a@cisco.com> <CALx6S375si8km=8NhMfgWAtqE09Xju3CH1k3ktuae6gi8XT5ww@mail.gmail.com> <a2426583-22d7-85a1-e7a5-791c755f9209@cisco.com> <CALx6S37Ni=qA-BcnNQepRwe3ZC48RNmirRVjCe1fv2bT3gQnWw@mail.gmail.com> <CAKKJt-d02CmE7cW59s=A68SL=EQVTEVYOBzP74bnVXsEmfsY=A@mail.gmail.com> <CALx6S36paAxPP317aDGybkrPWtJ9L+ZuTYOHTQ11ejwUgJ7vFg@mail.gmail.com> <CAKKJt-efM3k5jL6EJmMP-t69SGNUyDxPu_xurvnGNtLSFZ87VQ@mail.gmail.com> <BN6PR03MB26752FBA8655DA802A769450A8040@BN6PR03MB2675.namprd03.prod.outlook.com> <CALx6S34oC+OZuMpdzJ49f8Ew0qEnMOxxKX=mqDsausEsbWt0Ug@mail.gmail.com>
In-Reply-To: <CALx6S34oC+OZuMpdzJ49f8Ew0qEnMOxxKX=mqDsausEsbWt0Ug@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=huitema@microsoft.com;
x-originating-ip: [2001:4898:80e8:8::593]
x-ms-office365-filtering-correlation-id: 4e24e17a-bdc6-438c-233d-08d3ba4f3393
x-microsoft-exchange-diagnostics: 1; BN6PR03MB2673; 6:z5P/MAjXM/QWSgdZaRhobg2FR2JZY4JDPDZWmJrRKLmg/RvLcXIS+CypMCLArSO2tWYkpWSdq0h/ErzD8p3Igas3ELMohSesmwOkKJiOEgvfrT3dTCieId3DhKBaBxNrL0hGRzvuUOaslPmLJ8APPMXGCcRAeD+hhmpMuFfC3/MuXA8IZPdgifG5TYGv422d2T3E1pE5RPe7Go2ecpdeiMRneaYN3ILAXUOvdcQviXB3Qvwg70+c3+cZ+NZfpBOJwLQYd8kYvXc8LfajKTv+O+SXf3ZLkdaMioJIHVLKt9+qPPRxZzOhEO4UU4+0oG08iASTlMrWw1yRDqiLdSpZfg==; 5:BLUfoJa88LhcW0Vz9n+bkjy4GUCmE7muBTGCcuAlE2IiEBqkVY1qESoDbNJegyM9PJt1ecX35r0RaWcnmOE9cDIM9I31UfeKbJqT+I2+fWBY9lPEL+Gkd8Sso6fuYZAAd6ybcTkSsynaPmgAzNmNdw==; 24:U9a3FpHwlW1oEYM2h4i5+1IkkuYzz7hWSRABuc414win1JCiqD/mUz+ebOfkFm5nJy6aXQlV4RONlTDdxbd0LG+TthYFufK8lvFBBiifGec=; 7:KHFxuqiAE6lMY58B9732IJYHeb+AnADA04RJCy4W1a9FUbbXd2L9ese8bCgaQP3NnAq+A716X2g2ACnLnq+MJui/rgbPu3dqUqwSCQnQ9zZT652bqTsqZriOyrgqRQr1+CbDkfED8VPzy8cOaWSSG/aDtmqD3U2hKtqlqhYkubfuvhLNN0zaju1+2/OL6w2b9rXsNUZzJoT2lPMrb6o8A6glvj1Q+DX4AllQeONAsswMt9V5RmC7cdnHqBw25VCq
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN6PR03MB2673;
x-microsoft-antispam-prvs: <BN6PR03MB2673B21871C17B17AA81AF29A8040@BN6PR03MB2673.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038); SRVR:BN6PR03MB2673; BCL:0; PCL:0; RULEID:; SRVR:BN6PR03MB2673;
x-forefront-prvs: 0021920B5A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(189002)(24454002)(199003)(377454003)(74316002)(5002640100001)(7696003)(92566002)(2900100001)(7846002)(7736002)(99286002)(77096005)(305945005)(2950100001)(105586002)(106356001)(106116001)(3280700002)(8676002)(11100500001)(8936002)(76576001)(81156014)(5005710100001)(81166006)(54356999)(86612001)(101416001)(97736004)(68736007)(110136002)(3660700001)(586003)(9686002)(10090500001)(50986999)(76176999)(87936001)(33656002)(10290500002)(10400500002)(2906002)(8990500004)(93886004)(4326007)(86362001)(122556002)(189998001)(6116002)(102836003)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR03MB2673; H:BN6PR03MB2675.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Aug 2016 21:02:51.7853 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR03MB2673
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/bSGQS4kmxy_ejVg4NeBs1aRytCI>
Cc: Eliot Lear <lear@cisco.com>, spud <spud@ietf.org>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, Brian Trammell <ietf@trammell.ch>, Stephan Neuhaus <sten@artdecode.de>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Spud] [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 21:02:55 -0000

On Monday, August 1, 2016 1:52 PM, Tom Herbert wrote:
>
> The question is also whether we need to send an explicit "end
> connection" signal. Network devices want this to know when to free
> their connection tracking state, but in a multipath Internet I don't
> readily how this would be a useful signal either.

The concern about the "end" signals is potential misuse -- something similar to spoofing TCP RST -- think "man on the side" attacks. The spoofed packets will not fool the endpoint, but they can cause intermediate systems to drop state, and effectively force an ongoing connection to stop. Any design would have to somehow mitigate this spoofing attack.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email