Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG

Hagen Paul Pfeifer <hagen@jauu.net> Wed, 20 August 2014 12:03 UTC

In-Reply-To: <817214c2e5b444c7a780c1387e91da15@hioexcmbx05-prd.hq.netapp.com>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com> <1408401991.317123.154137701.0A30F30C@webmail.messagingengine.com> <CAPh34meB=EtgNu=_eBS6ekB20fRccAqXFWydkCWG+6VKSa98rg@mail.gmail.com> <CAFggDF39L+kLQLmiWJR3q6suPOtYmKJiJUqp0kBv7GjUtNVOjA@mail.gmail.com> <CAPh34mdPtKvVJ2FfshPFwrwRDOw9CxxHT4ZTFYZZEVSoKOEq0A@mail.gmail.com> <53F3970D.5080906@grothoff.org> <CAPh34mf2rnNuM=YZ1uin1_PtkB8buOskMtf3NAJMOwdFeMe9MQ@mail.gmail.com> <53F39FAC.9070500@grothoff.org> <817214c2e5b444c7a780c1387e91da15@hioexcmbx05-prd.hq.netapp.com>
Date: Wed, 20 Aug 2014 14:03:11 +0200
Message-ID: <CAPh34mf9+c_W+rg4f-wVVrB8yP+ExOvgaJ4cz9cVG1yPT2CHkQ@mail.gmail.com>
From: Hagen Paul Pfeifer <hagen@jauu.net>
To: "Scheffenegger, Richard" <rs@netapp.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/0IIZsFX4r45EdU0sRI-gRUmXX1M
Cc: "tcpinc@ietf.org" <tcpinc@ietf.org>, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, Joe Touch <touch@isi.edu>, Christian Grothoff <christian@grothoff.org>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>

On 20 August 2014 13:23, Scheffenegger, Richard <rs@netapp.com> wrote:

> If you want undetectable knocking, which authenticates a particular user, why not transport that hash as TSval (or optionally, the unused/empty TSecr; however, that would be detectable to someone with a sniffer, as early Win95 is not really that common any more). That would leave TCP ISN alone - and as a true core component, arguing for a modification there has to come with very good arguments. Also, it would serve to randomize the TSval - as ISN is supposed to be chosen randomly - thus help close another indirect exploit vector.

Sounds better than messing with the ISN. One show stopper still
exists: the TSval is required to be strictly monotonically increasing
for PAWS protection. To lower the barrier one more time: why not just
use TSecr?

This relaxes nearly all headaches, and 32 bits are still enough for
this mechanism?!

Hagen
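The exchange above is about where a 32-bit knock token could ride in a SYN: ISN, TSval, or TSecr. As an added example that is not part of this thread and not code from the TCP Stealth project, the following Python builds a SYN whose Timestamps option carries the token in TSecr, parses the options on the receiving side and verifies the token, and also shows the sniffer-side caveat raised in the quoted text. The token construction (a truncated HMAC-SHA256 over a shared secret and the destination) is an assumption for illustration; the thread does not specify how the hash is derived. The IP header and TCP checksum are omitted because they do not affect the point. Note that RFC 1323/7323 require TSecr to be zero when the ACK bit is clear, so a non-zero TSecr in a bare SYN is trivially detectable, which is exactly the "detectable to someone with a sniffer" remark.

```python
import hashlib
import hmac
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
OPT_EOL, OPT_NOP, OPT_MSS, OPT_TS = 0, 1, 2, 8


def knock_token(secret: bytes, dst_ip: str, dst_port: int) -> int:
    """32-bit knock token: truncated HMAC-SHA256 over the destination.
    This construction is an assumption made for the example, not the
    thread's or TCP Stealth's actual derivation."""
    msg = dst_ip.encode() + struct.pack("!H", dst_port)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def build_syn(src_port: int, dst_port: int, seq: int, tsval: int, tsecr: int) -> bytes:
    """Constructed TCP SYN header (no IP header, checksum left 0) with MSS
    and Timestamps options. tsecr carries the knock token; tsval stays a
    normal clock value so PAWS-style monotonicity is untouched."""
    opts = struct.pack("!BBH", OPT_MSS, 4, 1460)
    opts += bytes([OPT_NOP, OPT_NOP])                        # pad to 4-byte alignment
    opts += struct.pack("!BBII", OPT_TS, 10, tsval, tsecr)   # kind 8, length 10
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      data_offset << 4, TCP_FLAG_SYN, 65535, 0, 0)
    return hdr + opts


def parse_tcp(segment: bytes) -> dict:
    """Parse the fixed header and walk the options, extracting (TSval, TSecr)
    if a well-formed Timestamps option is present. Malformed options stop
    the walk instead of reading out of bounds."""
    src, dst, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off_res >> 4) * 4
    opts = segment[20:hlen]
    ts = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break
        if kind == OPT_TS and length == 10:
            ts = struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return {"src": src, "dst": dst, "seq": seq, "flags": flags, "ts": ts}


def is_bare_syn(parsed: dict) -> bool:
    return bool(parsed["flags"] & TCP_FLAG_SYN) and not (parsed["flags"] & TCP_FLAG_ACK)


def accept_knock(segment: bytes, secret: bytes, dst_ip: str) -> bool:
    """Receiver side: accept the SYN only if TSecr equals the expected token.
    Constant-time comparison avoids leaking how many bytes matched."""
    p = parse_tcp(segment)
    if not is_bare_syn(p) or p["ts"] is None:
        return False
    expected = knock_token(secret, dst_ip, p["dst"]).to_bytes(4, "big")
    return hmac.compare_digest(p["ts"][1].to_bytes(4, "big"), expected)


def sniffer_flags_syn(segment: bytes) -> bool:
    """Observer side: a bare SYN with non-zero TSecr violates the timestamp
    option rules and is an easy signature for passive detection."""
    p = parse_tcp(segment)
    return is_bare_syn(p) and p["ts"] is not None and p["ts"][1] != 0


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed for the example
    token = knock_token(secret, "192.0.2.10", 22)
    knock = build_syn(40000, 22, 0x12345678, 1000, token)
    plain = build_syn(40001, 22, 0x23456789, 1000, 0)
    print("knock accepted:", accept_knock(knock, secret, "192.0.2.10"))
    print("plain accepted:", accept_knock(plain, secret, "192.0.2.10"))
    print("knock visible to sniffer:", sniffer_flags_syn(knock))
```

The receiver never needs to track a per-client TSval clock, which is the "lowered barrier" of using TSecr; the cost is that the knock is visible to anyone who knows to look for a bare SYN with TSecr != 0.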