Re: [Spud] [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks

Tom Herbert <> Tue, 02 August 2016 17:03 UTC


On Tue, Aug 2, 2016 at 12:47 AM, Eliot Lear <> wrote:
> Hi Tom,
> On 8/1/16 10:06 PM, Tom Herbert wrote:
>> TOU will negotiate a session identifier (similar to connection
>> identifier) in QUIC. With this the TCP endpoints no longer use the
>> 5-tuple to identify the connection, they use the session identifier.
>> This provides unambiguous connection identification that is
>> independent of addresses or encapsulating UDP ports (the most
>> immediate problem this resolves is NAT state remapping). Strong
>> security is required to prevent connection hijacking and there are a
>> couple of other caveats. Please look at section 3 in
>> draft-herbert-transports-over-udp for details.
> TOU is similar in many ways to what HIP did in the early days, and the HIP
> developers had a pretty cool demo of it.  The threats we faced back then
> were nowhere near as advanced as they are today, nor are they as prevalent.
> There is not a single platform upon which you base your software that hasn't
> been attacked successfully, although some have been attacked more regularly
> than others.
> Let me be as clear as I possibly can be: I view a protocol that doesn't
> offer an answer to the question “who initiated the communication” as unsafe


With that view IP is completely unsafe and shouldn't be deployed since
IP source addresses can be and are trivially spoofed. Session identifiers
with security that authenticates the peer provide an unambiguous and
far more trustworthy answer to the question about who initiated a

> to be deployed on the Internet.  I will make another bet with you, that at
> least half of your user base is running on old code with known
> vulnerabilities.  This is even more critical on battery-powered constrained
> devices, where a broad-scaled and sustained DDoS attack could drain those
> batteries and harm a lot of people, in a short period of time.
Yes, we all want DDoS prevention. But my application needs to be able
to run securely on _every_ network on the planet. Unless you can prove
that every one of these networks implements some common standard DDoS
mitigation and other required security mechanisms, then I really have
no choice but to treat the network as an insecure black box, assume my
applications are at risk, and implement all of my own security.

> If there are tradeoffs to be made in mobility design because of this, then
> those tradeoffs should be made.  But before you view it in that light,
> lengthy research has demonstrated that RF requires repeated selection
> queries to determine what is available.  That is the work done by SCTP
> researchers such as Randy Stewart, and so mobility isn't being traded off at
> all.
> You are seeking formal agreement of network behavior.  I am seeking an
> answer to my question.  If we formalize the answer to that question, then
> you have what you want and I have what I want.  I've been told that QUIC has
> such an answer to my question, which is good.
> I'd like to understand how that is accomplished in a secure manner.
> Certainly integrity protecting the 5-tuple and any sequence #s sounds like a
> good idea, to say the least, if it can be efficiently accomplished.

To be clear I am not seeking formal agreement of universal network
behavior (I believe that is supposed to be already covered by
networking layer standards), we are trying to resolve protocol
ossification to move the Internet forward. Protocol ossification
happens in the network when devices anonymous to the endpoints attempt
to interpret transport layer information to some effect and do this
without the auspices of any standard. Usually this is with benevolent
intent, but the problem is that when the end points attempt something
"new" (e.g. TCP fast open, new TCP options, using SCTP, trying to sustain
connections between mobile networks) the network can break E2E
communication in a variety of ways because the communication doesn't
match _its_ concept of what a "legal" communication is. Encrypting the
transport layer is the only proposed solution to defeat protocol

I don't believe the PLUS proponents will argue against the rationale
of encrypting the transport layer. Protocol ossification is a real
problem and we can demonstrate several examples where it has thwarted
innovation of transport protocols. What is at question is what
transport layer information hosts are either required or should
voluntarily "give back" once the transport layer is encrypted. IMO,
from the perspective of a large application provider, the default
answer is currently none. If signaling transport layer information
were to be explicit between hosts and network devices, and there is an
established trust relationship with an agreement that spells out the
precise use of the information and the scope of information
propagation-- then I think there is a much better chance to achieve
the cooperation necessary to solve things like the mobile DDoS problem
you mentioned above. I think the mobile guidance draft
(draft-flinck-mobile-throughput-guidance) is on the right track in
this regard, it makes signals explicit and non-anonymous (although I
don't like the part where they allow middleboxes to parse and modify
TCP options, IMO this, as well as PLUS, should be using HBH options
for host-network signaling). Explicit non-anonymous signaling can also
adhere to the E2E model if network devices are expressly acting on
behalf of a host with specific directives to do that.

All of this is just my opinion, but it is why I had to hum no at the BOF...


> Eliot
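
The idea in the quoted TOU paragraph (identify the connection by a session identifier rather than the 5-tuple, and authenticate packets so the identifier cannot be hijacked), as an added example that is not code from this thread or from draft-herbert-transports-over-udp. The packet layout, the HMAC tag, the sequence check and every name below are assumptions for illustration; `open_session` stands in for the negotiation the draft describes, and the addresses are constructed documentation addresses.

```python
import hashlib
import hmac
import os

SID_LEN, SEQ_LEN, TAG_LEN = 8, 8, 16  # assumed layout: sid | seq | payload | tag

def seal(sid, key, seq, payload):
    """Build an authenticated packet for session `sid` (hypothetical format)."""
    body = sid + seq.to_bytes(SEQ_LEN, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Endpoint:
    """Receiver that demultiplexes on the session identifier, not the 5-tuple."""

    def __init__(self):
        self.sessions = {}  # sid -> {"key", "peer", "last_seq"}

    def open_session(self, peer):
        # Stand-in for a real negotiation: both sides end up with sid and key.
        sid, key = os.urandom(SID_LEN), os.urandom(32)
        self.sessions[sid] = {"key": key, "peer": peer, "last_seq": -1}
        return sid, key

    def receive(self, src, packet):
        if len(packet) < SID_LEN + SEQ_LEN + TAG_LEN:
            return "drop: short packet"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        sess = self.sessions.get(body[:SID_LEN])
        if sess is None:
            return "drop: unknown session"
        expect = hmac.new(sess["key"], body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return "drop: bad tag"  # knowing the sid alone is not enough
        seq = int.from_bytes(body[SID_LEN:SID_LEN + SEQ_LEN], "big")
        if seq <= sess["last_seq"]:
            return "drop: replay"
        sess["last_seq"] = seq
        if src != sess["peer"]:
            # The source address is only a hint; it is updated after the
            # packet has authenticated, so a NAT rebinding does not break
            # the session and a spoofed source cannot redirect it.
            sess["peer"] = src
            return "accept: peer address updated"
        return "accept"

def peer_of(endpoint, sid):
    """Current address the endpoint would reply to for this session."""
    return endpoint.sessions[sid]["peer"]
```
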