Re: [Spud] [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks

Tom Herbert <tom@herbertland.com> Mon, 01 August 2016 20:06 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EBD312D734 for <spud@ietfa.amsl.com>; Mon, 1 Aug 2016 13:06:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5VEu8iQLQ94k for <spud@ietfa.amsl.com>; Mon, 1 Aug 2016 13:06:52 -0700 (PDT)
Received: from mail-it0-x22f.google.com (mail-it0-x22f.google.com [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAC6212D649 for <spud@ietf.org>; Mon, 1 Aug 2016 13:06:51 -0700 (PDT)
Received: by mail-it0-x22f.google.com with SMTP id j8so39807501itb.1 for <spud@ietf.org>; Mon, 01 Aug 2016 13:06:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=P/IrvpnC9isJx2tuhxhOHlCmVZGeZ2RsVJhD5PNLPvI=; b=m2BULtwM9k4CSE2Ys/H3okwSO2NtbrbANY11j8OUJZ91bypmNoT2xEOSZHlf3B4YVv 03dZq9m33o5UFYXy1UYah6kKYrrE/TWDSTvv2STrbgcfI+T7klLar7aAG/vC/TZZfbto ilFjnOhDF3I576fP+x5uqMpU8I6/LBuEzjeLrNXH2Kn/eb+ZnNfOBHj77PyURxKrbA9O fuRbpZk+yzOoW03xxHRqmTcA514JaHsSnGpdTNAU6VMzjB33b6A5IOmswZIstq6i6Qfw GD5aG9mqDOLMgrcC5E0DofWRHN94T8NdOKWcupf+QJz1FkPmIg837lVqnIuGbHLCzUHK sk/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=P/IrvpnC9isJx2tuhxhOHlCmVZGeZ2RsVJhD5PNLPvI=; b=iyqALL8Varq8eLHKVn5uVIyYcVL9C5yyq18n52uDswSaulwkuqjrKutpFPxHoxZoSm fgZpxhphquOZjWSaFkHwS4V8j1yTjRGM0x7qrBRAhFbSSI7djqX7y5UIUR/g/3kic/7W ZEJK9NSSqC7/OzoC/nNFpajKlcdNjmZ3DQeQ1hhTDbhBnHjbfoOrPQ3LeffeUzjckfbs 0qkxwjgSfhP73DoUV0HdiCpBVVwu+rqXfp0sNmZnshwqA+9t3dSIKUejlLRj2HtT6Mqe scVs/hWknGCSEa0mpMWc2aQPo5Hglqf1gH8UhQmW0vC4xDZzfMByVndiho6yYPaKcKis Ej0w==
X-Gm-Message-State: AEkoouvKCKY+xnT5PJLcIEzIXSN3z1XDq5OZBTUgMkBiO6YQxQGNzW+BcwA5hlX68XSXXlUI3cmzQNNe1ayS0A==
X-Received: by 10.36.51.206 with SMTP id k197mr38505410itk.37.1470082011183; Mon, 01 Aug 2016 13:06:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.21.130 with HTTP; Mon, 1 Aug 2016 13:06:49 -0700 (PDT)
In-Reply-To: <CAKKJt-d02CmE7cW59s=A68SL=EQVTEVYOBzP74bnVXsEmfsY=A@mail.gmail.com>
References: <409B6F52-B637-4333-915B-A8127C80C98B@trammell.ch> <d27266cf-87f6-17b1-3038-e0f614c6c773@cs.tcd.ie> <84F6AEC6-7DE3-4D1F-9014-201279F70E56@tik.ee.ethz.ch> <5194f988-0e25-7f5a-75cf-6ed3646e012d@cs.tcd.ie> <402A30BB-1A20-4D54-95CA-7C50D8C0F26B@tik.ee.ethz.ch> <dc29fa73-88fd-3dc4-7497-f1bd2fa60422@cs.tcd.ie> <8722FE8E-1026-43D5-BE17-1D6B4031C0D8@tik.ee.ethz.ch> <1b261e1e-a543-53df-8a2a-7dddae415a14@cs.tcd.ie> <D2CEDF13-E508-4732-B8F6-98FBBDDC7EE6@tik.ee.ethz.ch> <CALx6S34gVFDJ6mV=GVrfK5doTK2BbRRWXvxeqFUtidfPp5XGKg@mail.gmail.com> <5717b856-eaf9-4142-72fa-7e58b4cd61a5@artdecode.de> <CALx6S36zv4=S8tgRNqwee0j973Y_gJ7RBnnnV+0vBq_4kn7PVw@mail.gmail.com> <aa2afa2c-23d0-bf50-a82e-654fd08f373a@cisco.com> <CALx6S375si8km=8NhMfgWAtqE09Xju3CH1k3ktuae6gi8XT5ww@mail.gmail.com> <a2426583-22d7-85a1-e7a5-791c755f9209@cisco.com> <CALx6S37Ni=qA-BcnNQepRwe3ZC48RNmirRVjCe1fv2bT3gQnWw@mail.gmail.com> <CAKKJt-d02CmE7cW59s=A68SL=EQVTEVYOBzP74bnVXsEmfsY=A@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 1 Aug 2016 13:06:49 -0700
Message-ID: <CALx6S36paAxPP317aDGybkrPWtJ9L+ZuTYOHTQ11ejwUgJ7vFg@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/qSI5AwF9ASrCvbWsPi-wH7ZlMds>
Cc: Eliot Lear <lear@cisco.com>, spud <spud@ietf.org>, =?UTF-8?Q?Mirja_K=C3=BChlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>, Stephan Neuhaus <sten@artdecode.de>, Brian Trammell <ietf@trammell.ch>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Spud] [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 20:06:53 -0000

On Mon, Aug 1, 2016 at 12:56 PM, Spencer Dawkins at IETF
<spencerdawkins.ietf@gmail.com>; wrote:
> Hi, Tom,
>
> On Mon, Aug 1, 2016 at 10:56 AM, Tom Herbert <tom@herbertland.com>; wrote:
>>
>> > On 8/1/16 4:59 PM, Tom Herbert wrote:
>> >> If that [99.999%] number it is correct it is only because home routers
>> >> have
>> >> ossified the Internet in that regard
>> >
>> > I realize that people have ossification on the head, but I'm sure you
>> > recognize that the right answer here is that most people only have a
>> > single connection into their homes.  For those who have more than one,
>>
>> Well, I'm sitting here in my home looking at my Nexus 6 and I can
>> confirm that it is attached to Internet my via Comcast wifi as well as
>> Verizon's mobile network. So my smart phone is definitely a multihomed
>> and I definitely have multiple connections into my home. Right now I'm
>> using the wifi link, but if I walk into my backyard out of range then
>> I don't want the device to have to restart all my TCP connections when
>> switching to the mobile network. Neither do I want to have to create
>> 2x connections like in MP-TCP just because I might at some point walk
>> into my back yard (it's kind of gloomy right now so I don't think I'll
>> be doing this anyway).
>
>
> I'm not going to guess what wireshark would show on your home network or on
> Verizon's, but I'm having a hard idea understanding how a TCP connection
> identified by a 5-tuple that includes a local address from your wifi routed
> through Comcast stays active when you get in a car and drive away, so that
> the only active interface on your smart phone now has a local address that
> is routed through Verizon.
>
TOU will negotiate a session identifier (similar to connection
identifier) in QUIC. With this the TCP endpoints no longer use the
5-tuple to identifier the connection, they use the session identifier.
This provides unambiguous connection identification that is
independent of addresses or encapsulating UDP ports (the most
immediate problem this resolves is NAT state remapping). Strong
security is required to prevent connection hijacking and there are a
couple of other caveats. Please look as section 3 in
draft-herbert-transports-over-udp for details.

Tom