Re: [tcpm] tcp-security: Request for feedback on the outline of the document

Joe Touch <touch@ISI.EDU> Thu, 27 August 2009 06:17 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 62A333A6A95 for <tcpm@core3.amsl.com>; Wed, 26 Aug 2009 23:17:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.581
X-Spam-Level:
X-Spam-Status: No, score=-2.581 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wTA3k80387bY for <tcpm@core3.amsl.com>; Wed, 26 Aug 2009 23:17:01 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 4EDAA3A690A for <tcpm@ietf.org>; Wed, 26 Aug 2009 23:17:01 -0700 (PDT)
Received: from [192.168.1.46] (pool-71-106-88-10.lsanca.dsl-w.verizon.net [71.106.88.10]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n7R6GijF023183; Wed, 26 Aug 2009 23:16:45 -0700 (PDT)
Message-ID: <4A9624CB.6040203@isi.edu>
Date: Wed, 26 Aug 2009 23:16:43 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: =?ISO-8859-1?Q?Alfred_=3F?= <ah@tr-sys.de>
References: <200908262238.AAA06336@TR-Sys.de>
In-Reply-To: <200908262238.AAA06336@TR-Sys.de>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] tcp-security: Request for feedback on the outline of the document
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2009 06:17:02 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Alfred ? wrote:
...
> Regarding document structure:
> 
> The various past reviewers of the original document had
> appreciated the focus on implementer's point of view,...

This is a good point. This isn't just an implementer's guide, however.
Some of the issues are being discussed in detail for the first time in
this doc.

I.e., there are two separate issues:

1) what are the vulnerabilities

2) how to address the vulnerabilities

Some of the ways to address vulnerabilities are choices that the specs
left open to implementers. Some are weaknesses in the protocol itself
that a clever implementation can overcome (e.g. SYN cookies to overcome
the state introduced at SYN receipt). Others are created by inefficient
implementations (e.g., badly implemented TIME-WAIT state lists).

The first two are useful to discuss in a general outline form. The last
can be covered separately, since it's just bad coding to be avoided, and
often there are common causes (buffer overrun, bounds checking,
efficiency of lists).

The original outline I proposed was:

	1 intro
	2 background
	3 control attacks
	4 data attacks
	5 performance
	6 implementation issues
	7 security considerations

Based on the above, I'd update to be more like:

	1 intro
	2 background
	3 attacks
	  a in-band control plane (TCP header/options)
	    i   protocol weaknesses
	    ii  implementer's choice weaknesses
	  b out-of-band control plane (ICMP)
	    i   protocol weaknesses
	    ii  implementer's choice weaknesses
	  c data plane
	    i   protocol weaknesses
	    ii  implementer's choice weaknesses
	  c API
	    i   protocol weaknesses
	    ii  implementer's choice weaknesses
	4 mitigations
	  a in-band control plane (TCP header/options)
	    i   protocol weaknesses
	    ii  implementer's choice weaknesses
	  b out-of-band control plane (ICMP)
	    i   protocol weaknesses
	    ii  implementer's choice weaknesses
	  c data plane
	    i   protocol weaknesses
	    ii  implementer's choice weaknesses
	  c API
	    i   protocol weaknesses
	    ii  implementer's choice weaknesses
	5 implementations to avoid
	  a that create direct vulnerabilities
	  b that create performance vulnerabilities
	6 security issues

The last section (6) includes topics of security interest that are not
specific to a field, e.g., covert channel issues.

...
> BTW: I could not even see where the fundamental basic discussion
> of protocol field properties might be located in the stucture
> Joe proposed.

Protocol fields are part of the header, so they are "control attacks",
and listed among the items that would be covered in section 3.

In the submitted I-D, protocol field properties are covered in sections
3,5,8,9,11,13,14,15. That is the issue the outline I proposed is
intended to address. Note that the outline I proposed didn't leave
things out; it was intended to organize things so that they tended to
fall into expected categories.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqWJMsACgkQE5f5cImnZruAVACfXkBqsR2WbjB9wAIvuGP6t1Br
1hQAoJdjGqIAXwyKOm7s+tpR2L8Bm2F/
=MEdd
-----END PGP SIGNATURE-----