Re: [Spud] SPUD's open/close are unconvincing

Eliot Lear <lear@cisco.com> Sat, 11 April 2015 07:25 UTC

Message-ID: <5528CC5B.4000501@cisco.com>
Date: Sat, 11 Apr 2015 09:25:15 +0200
From: Eliot Lear <lear@cisco.com>
To: Jana Iyengar <jri@google.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "spud@ietf.org" <spud@ietf.org>
In-Reply-To: <CAGD1bZb1SEFAxBHKxT3f1pewiz7T2aXe4cos2UXpDWb1sutV4w@mail.gmail.com>
References: <87iod631nv.fsf@alice.fifthhorseman.net> <55261A99.5090801@cisco.com> <CAGD1bZb1SEFAxBHKxT3f1pewiz7T2aXe4cos2UXpDWb1sutV4w@mail.gmail.com>
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/xp2bQnUmCrfKB1Rur5L-4tq1isM>


On 4/11/15 12:20 AM, Jana Iyengar wrote:
> Eliot,
>
> A few responses:
>
>     Open provides an indication that the flow is not a continuation,
>     that new state should be instantiated, that any old state of the
>     5-tuple should be discarded.  Opens may flow in either direction,
>     but may be authorized for only some uses.
>
>
> If used like this, it creates another DoS vector where anyone can
> trivially kick someone else's connection off.

Huge vast numbers of devices simply look to see if ACK is set, and if
not, reject most connections, except for a few.  The reason SYN is
needed is so that the firewall simply knows that the host will reject
communications that begin with something else.

>  
> AFAIK, TCP connections are commonly torn down with an RST (not a FIN),
> and not infrequently with silence. I would love to know what the truth
> is -- is there any data that I can look at to prove myself wrong?

I don't know.  But whether one uses RST or FIN is immaterial.  The
concept is roughly similar in terms of signaling state, except that RST
allows for quicker removal of state.

> Why would a DoS attacker set the OPEN bit in SPUD if it will thwart
> their attack? That would be silly...
>  

If it knows that the end point will simply discard the packet without
the OPEN having been seen, it will set it.

Eliot
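As an added illustration of the two mechanisms argued over in this exchange (it is not code from the SPUD drafts, from Eliot Lear, or from Jana Iyengar), the toy middlebox below models the stateless "is ACK set?" check that many devices apply to inbound TCP segments, and a per-5-tuple flow table driven by OPEN and CLOSE signals. The second model makes Jana's DoS concern concrete: when an OPEN is honoured from either direction, a third party who can put packets on an existing 5-tuple replaces the flow's state and the legitimate endpoint's next packet no longer matches; when opens are authorized only from the inside (one reading of "authorized for only some uses"), the forged OPEN is simply dropped. The Packet fields, flag names, addresses and the flow_id that stands in for whatever identifier an open binds are all constructed for this example.

```python
# Added example, not code from the SPUD drafts or from either participant in
# this thread.  Packet fields, flag names, addresses and the "flow_id" that
# stands in for whatever identifier an open binds are constructed here.

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "OPEN", "CLOSE"}
    inbound: bool           # True when arriving from the untrusted side
    flow_id: int = 0        # identifier carried by an OPEN and its continuation

    def flow_key(self):
        # Direction-independent 5-tuple key, so both sides of one flow share state
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return tuple(ends)


def ack_check(pkt, allowed_inbound_ports=frozenset()):
    """Stateless rule used by many devices: inbound segments without ACK are
    rejected, except to a few explicitly permitted ports (the allow-list is a
    constructed parameter standing in for the 'few' exceptions)."""
    if not pkt.inbound:
        return "FORWARD"
    if "ACK" in pkt.flags or pkt.dport in allowed_inbound_ports:
        return "FORWARD"
    return "DROP"


class OpenCloseTable:
    """Per-5-tuple state driven by OPEN/CLOSE.  An honoured OPEN discards any
    old state for the 5-tuple and records the new flow_id; continuation
    packets must match it.  open_allowed_inbound=False models an open that is
    only authorized from the inside."""

    def __init__(self, open_allowed_inbound):
        self.open_allowed_inbound = open_allowed_inbound
        self.flows = {}     # flow_key -> flow_id of the live flow

    def handle(self, pkt):
        key = pkt.flow_key()
        if "OPEN" in pkt.flags:
            if pkt.inbound and not self.open_allowed_inbound:
                return "DROP"               # OPEN not authorized from this side
            self.flows[key] = pkt.flow_id   # new state; any old state is gone
            return "FORWARD"
        if self.flows.get(key) != pkt.flow_id:
            return "DROP"                   # no matching state: not a continuation
        if "CLOSE" in pkt.flags:
            del self.flows[key]             # CLOSE removes the state
        return "FORWARD"


def run(table, packets):
    """Apply the table to a packet sequence and return the decisions."""
    return [table.handle(p) for p in packets]


# Constructed scenario: an inside host opens a flow to a server, the server
# replies, a third party (using the server's address and port) sends an OPEN
# on the same 5-tuple, then the real server sends another continuation packet.
INSIDE, SERVER = "192.0.2.10", "198.51.100.5"
LEGIT_OPEN = Packet(INSIDE, 40000, SERVER, 443, frozenset({"OPEN"}), False, flow_id=7)
SERVER_DATA = Packet(SERVER, 443, INSIDE, 40000, frozenset(), True, flow_id=7)
FORGED_OPEN = Packet(SERVER, 443, INSIDE, 40000, frozenset({"OPEN"}), True, flow_id=99)
SCENARIO = [LEGIT_OPEN, SERVER_DATA, FORGED_OPEN, SERVER_DATA]


def open_from_anywhere():
    # Opens honoured from either side: the forged OPEN replaces the state and
    # the server's next legitimate packet no longer matches, so it is dropped.
    return run(OpenCloseTable(open_allowed_inbound=True), SCENARIO)


def open_from_inside_only():
    # Opens authorized only from the inside: the forged OPEN is dropped and
    # the existing flow is undisturbed.
    return run(OpenCloseTable(open_allowed_inbound=False), SCENARIO)


if __name__ == "__main__":
    print("open from anywhere:   ", open_from_anywhere())
    print("open from inside only:", open_from_inside_only())
```

Running the script prints the two decision lists side by side; the only difference between them is the direction from which an OPEN is honoured, which is the whole of what the "authorized for only some uses" qualifier buys a middlebox in this model.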