Re: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security

"Eddy, Wesley M. (GRC-MS00)[ASRC AEROSPACE CORP]" <wesley.m.eddy@nasa.gov> Mon, 01 March 2010 06:23 UTC

Return-Path: <wesley.m.eddy@nasa.gov>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4CC0F28C259 for <tcpm@core3.amsl.com>; Sun, 28 Feb 2010 22:23:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xmXB4UvIhulL for <tcpm@core3.amsl.com>; Sun, 28 Feb 2010 22:23:41 -0800 (PST)
Received: from ndmsnpf01.ndc.nasa.gov (ndmsnpf01.ndc.nasa.gov [198.117.0.121]) by core3.amsl.com (Postfix) with ESMTP id 6444728C0D9 for <tcpm@ietf.org>; Sun, 28 Feb 2010 22:23:41 -0800 (PST)
Received: from ndjsppt03.ndc.nasa.gov (ndjsppt03.ndc.nasa.gov [198.117.1.102]) by ndmsnpf01.ndc.nasa.gov (Postfix) with ESMTP id 407B9261330; Mon, 1 Mar 2010 00:23:40 -0600 (CST)
Received: from ndjshub05.ndc.nasa.gov (ndjshub05.ndc.nasa.gov [198.117.4.164]) by ndjsppt03.ndc.nasa.gov (8.14.3/8.14.3) with ESMTP id o216Nejk010076; Mon, 1 Mar 2010 00:23:41 -0600
Received: from NDJSSCC01.ndc.nasa.gov ([198.117.4.166]) by ndjshub05.ndc.nasa.gov ([198.117.4.164]) with mapi; Mon, 1 Mar 2010 00:23:39 -0600
From: "Eddy, Wesley M. (GRC-MS00)[ASRC AEROSPACE CORP]" <wesley.m.eddy@nasa.gov>
To: Fernando Gont <fernando@gont.com.ar>, "tcpm@ietf.org" <tcpm@ietf.org>
Date: Mon, 1 Mar 2010 00:23:38 -0600
Thread-Topic: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security
Thread-Index: AcqxwTEKn8/IeFCGQGq1P7hReWVZfAHQ9Qqm
Message-ID: <C304DB494AC0C04C87C6A6E2FF5603DB47DE76AE73@NDJSSCC01.ndc.nasa.gov>
References: <4B7F2881.7000700@gont.com.ar>
In-Reply-To: <4B7F2881.7000700@gont.com.ar>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C304DB494AC0C04C87C6A6E2FF5603DB47DE76AE73NDJSSCC01ndcn_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-03-01_04:2010-02-06, 2010-03-01, 2010-02-28 signatures=0
Subject: Re: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2010 06:23:48 -0000

Hi Fernando, here are some comments from me as a WG participant (not a co-chair):

There was mailing list discussion, and seemingly agreement, on Toby's suggestion changing the title to reflect the focus on implementation practices, but the title is not changed.

In section 1.1, I think the first 2 paragraphs can be removed without any loss of context or content.

There is a sentence that can simply be removed without any loss: "For some reason, much of the effort of the security community on the Internet protocols did not result in official documents (RFCs) being issued by the IETF (Internet Engineering Task Force)."  This doesn't consider the fact that protocol specifications in the IETF and many (if not most) other SDOs are focused on producing interoperable specifications with implementation detail left to individual vendors to differentiate their products.  In the case of many of these TCP vulnerabilities under discussion, many clearly fall into the realm of implementation issues rather than protocol issues, and are thus outside the traditional scope of IETF process.  As nearly all of the vendors who have implemented these fixes participate in the IETF, it seems they haven't felt a compelling urge to have their implementation practices codified in RFCs.  At least explaining this seems more valuable than the nebulous "For some reason" which makes it sound like this is just a strange occurence with no clear explanation, though I believe the sentence can just be completely removed without any loss to the document.

In the sentence "Producing a secure TCP/IP implementation ...", I think we should just say "TCP" (and change "protocols" to "protocol and dependencies or extensions".  Also, in this sentence, I'm unclear on what a "security roadmap" would look like; should this really be a "threat and mitigation summary"?

I believe section 1.2 can be entirely eliminated without any loss.  I believe we will cover quite a bit more than just the documents listed in this section anyways.

The paragraph beginning with "This document is the result of a security assessment of the IETF specifications of the Transmission Control Protocol (TCP), from a security point of view.  Possible threats are identified and, where possible, countermeasures are proposed." should be replaced with something to the effect of "This document captures the best current practices in implementation, configuration, and use of TCP and its supporting protocols and extensions and has been produced by the IETF's TCP Maintenance and Minor Extensions Working Group (TCPM)."

Section 2 can be eliminated without any loss.

In section 3, an implementation requirement seems to be laid out with a mix of informal and standards language (it initially uses "should" instead of MUST, SHOULD, MAY, etc, yet later uses a MUST) and it's not included in the requirements section like the 3.1.1 recommendations are:
"""
Therefore, before doing any processing of the TCP header fields, the
   following check should be performed by TCP on the segments handed by
   the internet layer:

                             Segment.Size >= 20
   If a segment does not pass this check, it MUST be dropped.
"""
Further, I believe that if this document is to contain dozens of recommendations, then these should be better identified and individually numbered rather than mixed with prose.

In 3.1.1, I think the requirements should be individually numbered (maybe as R.1a, R.1b, etc. in this section?) so that they can be referenced individually and used in checklists or compliance matrices.

Regarding the requirement:
"""
   If a segment is received with port 0 as
   the Source Port or the Destination Port, a RST segment SHOULD be sent
   in response (provided that the incomming segment does not have the
   RST flag set).
"""
The rationale indicates that this is to mitigate against OS fingerprinting, but no discussion motivates this particular response rather than other alternatives e.g. simply ignoring the segment, sending an ICMP port-unreachable, etc.  If there is a specific reason that this response is the one chosen to make all implementations look the same to a fingerprinting attempt, then we need to explain that,

Regarding the requirement:
"""
   Middle-boxes such as packet filters MUST NOT assume that clients use
   port numbers from only the Dynamic or Registered port ranges.
"""
It's not clear to me how this improves security.


For high-level discussion, some of these comments are based on a desire to shorten, simplify, or clarify the presentation of these recommendations.  Looking at this first batch, it's a mix of things that an implementer may or may not care about depending on their implementation constraints or deployment environments.  For instance, in this first batch alone, some of the recommendations are for basic robustness to bizarre conditions whereas others are for making fingerprinting "attacks" less effective.  We will need some way to distinguish the types of attacks that are relevant to each recommendation, I think, which could easily be done in a set of lists in an appendix if the recommendations were numbered, or could be satisfied by using an outline organized by the things you're trying to protect.  I bring this option up since the prior thread on outlines didn't seem to drive to a clear consensus on what the next outline would look like, and this update left it almost completely unchanged so I think we need to find a way to deal with this type of complexity in mixed relevance of the recommendations going forward or it will be more difficult to sort out later.  But that's just my 2 cents.



________________________________________
From: tcpm-bounces@ietf.org [tcpm-bounces@ietf.org] On Behalf Of Fernando Gont [fernando@gont.com.ar]
Sent: Friday, February 19, 2010 7:10 PM
To: tcpm@ietf.org
Subject: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security

Folks,

I have just posted a revision (-01) of draft-ietf-tcpm-tcp-security. The
document is available at the usual places (including:
http://tools.ietf.org/id/draft-ietf-tcpm-tcp-security-01.txt).

The current plan is discuss each section of the draft piecemeal (it is a
very large document), get consensus on the changes to apply to the
existing text, and then move on to the next section.

Therefore I'm requesting feedback on all the sections through Section
3.1.2.3. -- this includes the introduction sections, the basic
check on the TCP segment size (Section 3) and the discussion of port
numbers (Section 3.1 with all its subsections).

Please review these sections and submit comments by Friday March 5th,
2010, so that we can move on to the next sections in a timely manner.

Thanks!

Kind regards,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm