IETF Logo Mail Archive

Re: [Spud] SPUD's open/close are unconvincing

Christian Huitema <huitema@microsoft.com> Wed, 08 April 2015 19:28 UTC

Return-Path: <huitema@microsoft.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 896C41B355A for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 12:28:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.602
X-Spam-Level:
X-Spam-Status: No, score=-0.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_ILLEGAL_IP=1.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H0vOlbMigeYd for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 12:28:38 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0125.outbound.protection.outlook.com [207.46.100.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E3BA1B3553 for <spud@ietf.org>; Wed, 8 Apr 2015 12:28:38 -0700 (PDT)
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (0.160.96.17) by DM2PR0301MB0653.namprd03.prod.outlook.com (0.160.96.15) with Microsoft SMTP Server (TLS) id 15.1.130.23; Wed, 8 Apr 2015 19:28:37 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([0.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([0.160.96.17]) with mapi id 15.01.0130.020; Wed, 8 Apr 2015 19:28:37 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "spud@ietf.org" <spud@ietf.org>
Thread-Topic: [Spud] SPUD's open/close are unconvincing
Thread-Index: AQHQcitjyluT4qW5rECm5Hf5sMmnv51DfByw
Date: Wed, 8 Apr 2015 19:28:36 +0000
Message-ID: <DM2PR0301MB06555C7D7F32A69214405D44A8FC0@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <87iod631nv.fsf@alice.fifthhorseman.net>
In-Reply-To: <87iod631nv.fsf@alice.fifthhorseman.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.192.254]
authentication-results: fifthhorseman.net; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0653;
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(6009001)(51704005)(46102003)(2656002)(107886001)(66066001)(2501003)(99286002)(86362001)(106116001)(76576001)(54356999)(76176999)(50986999)(74316001)(92566002)(122556002)(2900100001)(102836002)(87936001)(40100003)(33656002)(77156002)(2950100001)(62966003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0653; H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
x-microsoft-antispam-prvs: <DM2PR0301MB06533968C51A07A3D09FAFB5A8FC0@DM2PR0301MB0653.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5002010)(5005006); SRVR:DM2PR0301MB0653; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0653;
x-forefront-prvs: 0540846A1D
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Apr 2015 19:28:36.9218 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0653
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/eM4eC0b_m4Vd0chBqfNMuP1vEgQ>
Subject: Re: [Spud] SPUD's open/close are unconvincing
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 19:28:39 -0000

> These signals don't seem to provide any useful advantages to me: Open is
> superfluous, and Close is unreliable.

Did you check the "reset middlebox attack" thread? It was threading much of the same ground. The general notion is that passing session state information in a clear text header allows for a set of denial of service attacks "through the middleboxes." The simplest attack is a fake "stop" causing middleboxes to drop their state and thus terminate the session, even if end-to-end authentication protects the end points against that attack.

> Open is superfluous
> -------------------
> 
> Given the existing 5-tuple, on-path equipment trivially knows when a flow starts
> already: it is a 5-tuple that they haven't seen before.  If you want to maintain a
> distinction between a one-side-opened flow and a replied flow, this is also
> traceable by looking at the 5-tuple.  It's not clear that the "open" signal gives on-
> path equipment any additional useful information that it didn't have already
> from the 5-tuple.

Yes. If it did, we would have to be concerned with route changes, which result in the same five-tuple being routed through a new set of middleboxes. The route change would have to be signaled to the end point, so they repeat the additional "open" information for the benefit of new middleboxes. That looks like a big can of worms.

> Close is unreliable
> -------------------
> 
> One of the reasons on-path equipment would like a "close" signal is so that they
> know when to tear down associations that are no longer needed.
> This would reduce memory consumption and make a device more resilient to
> DoS attacks that exhaust its connection table.  Without "close", the on-path
> equipment has to rely on timers to decide when to tear down the connection.
> 
> Unfortunately, we can't rely on endpoints to send Close.  Legitimate endpoints
> crash, run out of power, or have their network connectivity cut.  So on-path
> equipment needs to maintain timers anyway if they're tracking flow state
> instead of just passing IP traffic statelessly.  And in a DoS scenario, it's trival for
> an actively malicious end-point to send lots of "open" messages without ever
> sending a "close", so it doesn't protect against DoS either.

That, and the injection of fake stop packets by whoever can listen to the path and inject from the side.

> Why should SPUD bother with explicitly signalling open and close?

Agree with you, it would be better if it just did not include these indications.

The initial argument for open/close bit relates to "opening ports in the enterprise firewall." That's probably better handled by an explicit signaling protocol like the Port Control Protocol. In the previous thread, Tiru Reddy pointed to the work in progress to add authentication to PCP, and to the use of PCP to reduce the required frequency of keep alives. That seems more robust than unauthenticated bits in a clear text header.

-- Christian Huitema

v2.8.7 | Report a Bug | By Email