Re: [tcpm] Faster application handshakes with SYN/ACK payloads (RESEND)

[Matt Mathis <mathis@psc.edu>]

Opps I posted to the wrong thread.   Sorry folks..

Doesn't this create a huge opportunity for a DoS attack, since an attacker can 
send requests with forged from addresses, and the server has to
burn cycles and/or commit memory, when it is never going to see the next 
packet?

I believe that this problem is fundamental to anything that is piggybacked on 
the SYN and has killed every attempt at using the handshake to
eliminate later transactions.  The server wants to know for sure that the 
client is alive and responding before committing more than incidental
resources (e.g. SYN queue, constructing a SYN-cookie, etc) to the connection.

Thanks,
--MM--
-------------------------------------------
Matt Mathis     http://staff.psc.edu/mathis
Work:412.268.3319    Home/Cell:412.654.7529
-------------------------------------------
Evil is defined by mortals who think they know
"The Truth" and use force to apply it to others.

On Thu, 31 Jul 2008, Adam Langley wrote:

> I posted this a while back and it gathered a little discussion:
>
> http://www.ietf.org/internet-drafts/draft-agl-tcpm-sadata-00.txt
> (implementation in [1])
>
> I would like to have this published as Experimental and to get an
> option number assigned.
>
> The spec itself includes a somewhat rambling justification because I
> wanted to decouple the spec, which is more general, from the exact
> reason that I wish to start testing this over the Internet at large.
> However, in order to provoke discussion I think I should explain my
> motivation:
>
> This spec allows for opportunistic encryption of TCP connections with
> no additional round trips. Details of the project can be found at [2],
> however a quick summary follows:
>
> Although SYN/ACK payloads could be used to accelerate many protocols,
> I'm proposing that, for HTTP, the SYN/ACK payload contains an 8-byte
> random nonce and a 32-byte eliptic-curve public value. The client can
> then perform key agreement and send it's own public value, nonce and
> any encrypted payload in the final ACK. (Or in a following packet,
> that works fine too). Data is then encrypted using Salsa20/8 where the
> key is SHA256(diffie-hellman output + server nonce + client nonce) and
> the IVs are 0 and 2**63 for client->server and server->client, resp.
>
> Obviously, this open to both a downgrade and man-in-the-middle attack.
> For a specific user, it offers little real security. However,
> amortised over a large set of users, any ISPs performing these attacks
> on a large scale will be detected. (I plan on building a network of
> hosts probing for large scale attacks.) Thus, eavesdroppers are
> removed from the equation and, against the rest, it can protect most
> of the people, most of the time.
>
> I also plan to sign the resulting packets with TCP-AO at some point,
> if possible. However, given that that is still under development I'm
> going to make that part of the negotiation, above, so that it can be
> deployed without it for now.
>
> Obviously, this system can only prove itself in time. However, it
> can't prove itself with an option number assigned. And thus, I'm
> looking for a consensus that this is an interesting experiment.
>
> Thanks
>
> Having spoken to quite a few people about this, I now have an FAQ on
> the design which is included below:
>
> * Why Elliptic-curves?
>
> The payload must be short otherwise SYN-floods could use this as an
> amplification
> to backscatter DDoS another host.
>
> Also, the reduced computation cost (as compared to Diffie-Hellman over a
> multiplicative finite field) is very nice.
>
> * Why 25519?
>
> It's very fast (2000 ops/sec with my C code. 4000 ops/sec with asm). Also, the
> server's public value must be constant, otherwise an attacker could eat CPU
> time with a SYN flood and curve25519 is designed for that.
>
> Since this is constant for all connections, there is no perfect forward
> secrecy.
>
> * Can't you fit the client's public value in the SYN?
>
> A SYN generally has 20 bytes of free option space these days. (We can't use the
> payload space in a SYN). Since this can't be the last option ever, we need to
> leave 4 bytes spare. 2 bytes for the option header means 14 bytes for the
> public value. The closest prime is 2**112-75.
>
> I'm a bear of little brain and picking my own curve is already a hell of a
> task, but assuming that I can:
>
> The best, general algorithm currently known for breaking the DH problem on
> elliptic curves is Pollard's Rho. The work involved in this attack is sqrt(n),
> which is 2**56 in this case. Critically, once you have solved a single instance
> you can precompute tables to speed up breaking more instances. With a petabyte
> of storage, you could break 112-bit curves in 2**12 operations, which is very
> fast.
>
> * Can't you use a smaller field anyway?
>
> Some speedup could be gained by using an EC with a field size around 200 bits.
> However the effort of defining such a curve is pretty huge. The standard NIST
> curves around that size are slower:
>
> http://www.cacr.math.uwaterloo.ca/techreports/2003/corr2003-18.pdf (table 6)
>
> * Why Salsa20/8?
>
> It encrypts at two cycles per byte on modern CPUs[1]. The best attack on this,
> reduced round, variant is 2**251. It's very unlikely that an attack would ever
> break it to the point that it's easier than performing a downgrade attack.
>
> http://cr.yp.to/streamciphers/phase3speed-20080331.pdf
>
>
>
> [1] http://code.google.com/p/obstcp/source/browse/trunk/patches/synack-payload
> [2] http://code.google.com/p/obstcp/
>
> -- 
> Adam Langley agl@imperialviolet.org http://www.imperialviolet.org
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm
>
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm