Re: [Spud] States in draft-trammell-plus-statefulness-00

"Christian Huitema" <> Mon, 14 November 2016 19:01 UTC

From: "Christian Huitema" <>
To: "'Eliot Lear'" <>, "'Brian Trammell'" <>, "'Dave Dolson'" <>
References: <> <> <03b101d23e9b$7c883540$75989fc0$> <>
In-Reply-To: <>
Date: Mon, 14 Nov 2016 10:56:10 -0800
Message-ID: <013401d23ea8$c4d113f0$4e733bd0$>
Subject: Re: [Spud] States in draft-trammell-plus-statefulness-00

On Monday, November 14, 2016 9:58 AM, Eliot Lear wrote:
> The nice thing about TCP being stateful, however, is that the middlebox
> has reason to trust how an end device is going to handle something that
> is outside the state machine.  It's really well defined.  That's the
> good part.  The bad part is that then the state machine is ossified.

That's not the only bad part. Looking for SYN/SYN-ACK won't work if packets follow a new path after a route change, as could easily happen with multi-homing.

Also, the lack of authentication allows for the "spoofed RST" attack, in which injecting a single packet can cause connections to be dropped. That's why I would rather see mechanisms in which the magic packets have to flow in both directions. For example, a middlebox sees "drop me" coming from the left, and simply marks the state as "drop from left requested". If it receives a corresponding "drop me" from the right, the state is dropped. If on the contrary it receives a regular packet from the left, then it suspects spoofing and the state reverts to normal.

-- Christian Huitema
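The two-sided teardown described in the reply above, as an added simulation that is not part of the original message or of the PLUS draft. It contrasts a middlebox that drops flow state on a single unauthenticated "drop me" packet (the spoofed-RST weakness) with one that waits for a matching "drop me" from the other direction and reverts when regular traffic arrives from the side that asked. The `Packet` model, the flow identifier, the state labels and the packet traces are constructed for illustration; the handling of a regular packet from the opposite side while a request is pending is an assumption, since the message does not cover that case.

```python
"""Middlebox state handling for a "drop me" teardown signal.

Constructed simulation (not code from the PLUS draft or this thread): it
contrasts a middlebox that tears down state on a single unauthenticated
"drop me" packet with one that waits for the signal from both directions.
"""
from dataclasses import dataclass
from enum import Enum


class Side(Enum):
    """Which side of the middlebox a packet arrived from."""
    LEFT = "left"
    RIGHT = "right"


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: direction of travel and whether it carries the
    hypothetical 'drop me' signal (the analogue of a TCP RST)."""
    side: Side
    drop_me: bool = False


NORMAL = "normal"
DROPPED = "dropped"


def drop_requested(side: Side) -> str:
    """State label recorded when one side has asked for teardown."""
    return f"drop from {side.value} requested"


class NaiveMiddlebox:
    """Tears down state as soon as any 'drop me' is seen. A single injected
    packet from either side is enough to kill the flow (spoofed-RST style)."""

    def __init__(self) -> None:
        self.flows: dict[str, str] = {}

    def observe(self, flow_id: str, pkt: Packet) -> str:
        if pkt.drop_me:
            self.flows.pop(flow_id, None)
            return DROPPED
        self.flows[flow_id] = NORMAL
        return NORMAL


class TwoSidedMiddlebox:
    """Requires a matching 'drop me' from both directions before state is
    dropped; a regular packet from the requesting side cancels the request."""

    def __init__(self) -> None:
        self.flows: dict[str, str] = {}

    def observe(self, flow_id: str, pkt: Packet) -> str:
        state = self.flows.get(flow_id, NORMAL)  # unknown flows start as normal
        same_side = drop_requested(pkt.side)
        if pkt.drop_me:
            if state == NORMAL:
                state = same_side              # first request: remember who asked
            elif state != same_side:
                self.flows.pop(flow_id, None)  # other side confirmed: tear down
                return DROPPED
            # repeated request from the same side: keep waiting for the other side
        elif state == same_side:
            state = NORMAL  # regular traffic from the requester: suspected spoof, revert
        # Assumption: regular traffic from the *other* side while a request is
        # pending leaves the request in place; the thread does not specify this.
        self.flows[flow_id] = state
        return state


def run(middlebox, packets, flow_id="flow-1"):
    """Feed packets through a middlebox and return the state after each one."""
    return [middlebox.observe(flow_id, p) for p in packets]


# Constructed traces: a genuine two-sided teardown, and an injected "drop me"
# from the left followed by real traffic from the left.
LEGIT_TEARDOWN = [Packet(Side.LEFT, drop_me=True), Packet(Side.RIGHT, drop_me=True)]
SPOOFED_DROP = [Packet(Side.LEFT, drop_me=True), Packet(Side.LEFT)]

if __name__ == "__main__":
    print("naive, spoofed:    ", run(NaiveMiddlebox(), SPOOFED_DROP))
    print("two-sided, spoofed:", run(TwoSidedMiddlebox(), SPOOFED_DROP))
    print("two-sided, legit:  ", run(TwoSidedMiddlebox(), LEGIT_TEARDOWN))
```

In the spoofed trace the naive middlebox loses the flow on the first packet, while the two-sided one only records a pending request and returns to normal when the left side keeps sending; the legitimate trace still tears down once the right side confirms.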