Re: [tcpinc] TCP Stealth - possible interest to the WG

Alfie John <alfiej@fastmail.fm> Mon, 18 August 2014 21:34 UTC

From: Alfie John <alfiej@fastmail.fm>
To: Jacob Appelbaum <jacob@appelbaum.net>, "Scheffenegger, Richard" <rs@netapp.com>
Date: Mon, 18 Aug 2014 23:34:35 +0200
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpinc/JTFF58ZhvznKQuf72bj2l9pnKdo
Cc: Wesley Eddy <wes@mti-systems.com>, Christian Grothoff <christian@grothoff.org>, tcpinc@ietf.org, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [tcpinc] TCP Stealth - possible interest to the WG

On Mon, Aug 18, 2014, at 02:50 PM, Jacob Appelbaum wrote:
> On 8/15/14, Scheffenegger, Richard <rs@netapp.com> wrote:
> > I just learned about an individual submission, which is probably of
> > interest not only to the members of these two WGs;
> >
> > http://tools.ietf.org/html/draft-kirsch-ietf-tcp-stealth-00
>
> > There seem to be at least two or three major issues that compromise
> > either the working and stability of TCP, or work against the
> > intended "stealthiness" of this modification (making it easy for an
> > attacker to identify such sessions, provided he is able to actively
> > interfere with segments in transit (i.e., cause certain segments to be
> > dropped)).
>
> Could you expand on these thoughts a bit?
>
> > Nevertheless, it might be beneficial to discuss the generic idea in
> > a wider forum, among brighter minds than me.

Let's look at Richard's concerns:

> compromise either the working and stability of TCP

This RFC only modifies the calculation of the SQN number in order to get
port-knockable services. Every other host in between just continues to
see the SQN as a random number, as it did before. Unless intermediate
hops were to modify the packet's timestamps, this will be completely
backwards compatible.

> work against the intended "stealthiness" of this modification (making
> it easy for an attacker to identify such sessions, provided he is able
> to actively interfere with segments in transit

This is not about hiding from big brother who is listening on the wire.
This is about minimising your visible footprint to the wider internet.
It's on par with your server's firewall dropping all incoming connections
unless you have the shared secret. But with this RFC, you don't need to
know the source IP address beforehand.

I think it's a great idea. Nice work.

Alfie

-- 
  Alfie John
  alfiej@fastmail.fm
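Added illustration (not from this message or from the draft) of the ISN-based knock Alfie describes: the client derives its initial sequence number from a shared secret, the 4-tuple and the timestamp carried in the SYN, the server recomputes it and drops everything else, and a middlebox that rewrites the timestamp in transit breaks the check. The HMAC construction, the field set and the freshness window are assumptions made for the demonstration, not the draft's exact algorithm.

```python
import hmac
import hashlib
import struct
from ipaddress import ip_address

# Assumed construction for illustration: ISN = first 32 bits of
# HMAC-SHA256(secret, src_ip || dst_ip || dst_port || syn_timestamp).
FRESHNESS = 30  # seconds of skew the server tolerates between SYN ts and its clock (assumption)


def knock_isn(secret: bytes, src_ip: str, dst_ip: str, dst_port: int, syn_ts: int) -> int:
    """ISN a client holding the secret places in its SYN; indistinguishable from random otherwise."""
    msg = (ip_address(src_ip).packed + ip_address(dst_ip).packed
           + struct.pack("!HI", dst_port, syn_ts))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", mac[:4])[0]


def syn_is_knock(secret: bytes, syn: dict, server_clock: int) -> bool:
    """Server-side decision for one SYN: accept only if the ISN proves the secret.

    `syn` is a constructed dict holding the fields a server reads off the wire.
    """
    if abs(server_clock - syn["ts"]) > FRESHNESS:      # stale or replayed timestamp
        return False
    expected = knock_isn(secret, syn["src"], syn["dst"], syn["dport"], syn["ts"])
    # constant-time compare so the check itself does not leak which bytes matched
    return hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", syn["isn"]))


def demo():
    secret = b"constructed-shared-secret"
    now = 1_408_397_675                    # constructed server clock (Unix time)
    syn = {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 22, "ts": now}
    syn["isn"] = knock_isn(secret, syn["src"], syn["dst"], syn["dport"], syn["ts"])
    accepted = syn_is_knock(secret, syn, now)

    # SYN from a host without the secret: any other ISN is dropped, like a firewalled port
    stranger = dict(syn, isn=(syn["isn"] + 1) & 0xFFFFFFFF)
    stranger_dropped = not syn_is_knock(secret, stranger, now)

    # A hop that rewrites the TCP timestamp in transit breaks the knock, as noted above
    rewritten = dict(syn, ts=now + 1)
    rewritten_dropped = not syn_is_knock(secret, rewritten, now)
    return accepted, stranger_dropped, rewritten_dropped


if __name__ == "__main__":
    print(demo())
```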