IETF Logo Mail Archive

Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG

"Scheffenegger, Richard" <rs@netapp.com> Tue, 19 August 2014 17:21 UTC

Return-Path: <rs@netapp.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFF0A1A04DC; Tue, 19 Aug 2014 10:21:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.57
X-Spam-Level:
X-Spam-Status: No, score=-7.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j4XpM3H9wiAz; Tue, 19 Aug 2014 10:21:18 -0700 (PDT)
Received: from mx11.netapp.com (mx11.netapp.com [216.240.18.76]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E71781A048D; Tue, 19 Aug 2014 10:21:17 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.01,896,1400050800"; d="scan'208";a="141013171"
Received: from vmwexceht03-prd.hq.netapp.com ([10.106.76.241]) by mx11-out.netapp.com with ESMTP; 19 Aug 2014 10:21:18 -0700
Received: from HIOEXCMBX05-PRD.hq.netapp.com (10.122.105.38) by vmwexceht03-prd.hq.netapp.com (10.106.76.241) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 19 Aug 2014 10:20:21 -0700
Received: from HIOEXCMBX05-PRD.hq.netapp.com (10.122.105.38) by hioexcmbx05-prd.hq.netapp.com (10.122.105.38) with Microsoft SMTP Server (TLS) id 15.0.913.22; Tue, 19 Aug 2014 10:20:20 -0700
Received: from HIOEXCMBX05-PRD.hq.netapp.com ([fe80::f0a5:80a1:86de:fa66]) by hioexcmbx05-prd.hq.netapp.com ([fe80::f0a5:80a1:86de:fa66%21]) with mapi id 15.00.0913.011; Tue, 19 Aug 2014 10:20:20 -0700
From: "Scheffenegger, Richard" <rs@netapp.com>
To: Hagen Paul Pfeifer <hagen@jauu.net>, "alfiej@fastmail.fm" <alfiej@fastmail.fm>
Thread-Topic: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
Thread-Index: Ac+448Fsl9mI8tJfQO6l37mQPpygtgCOd38AABJQWoAADckrIP//pc+AgAEg4ACAAGEqkA==
Date: Tue, 19 Aug 2014 17:20:19 +0000
Message-ID: <651312c598e44d05af8212c2eb691001@hioexcmbx05-prd.hq.netapp.com>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com> <1408401991.317123.154137701.0A30F30C@webmail.messagingengine.com> <CAPh34meB=EtgNu=_eBS6ekB20fRccAqXFWydkCWG+6VKSa98rg@mail.gmail.com>
In-Reply-To: <CAPh34meB=EtgNu=_eBS6ekB20fRccAqXFWydkCWG+6VKSa98rg@mail.gmail.com>
Accept-Language: de-AT, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.120.60.35]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/3YSSLEq70qyLw0R60KRgs2D1_d4
Cc: Christian Grothoff <christian@grothoff.org>, "tcpinc@ietf.org" <tcpinc@ietf.org>, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 17:21:19 -0000

Hi Hagen,

> Anyway, I am little bit ambivalent regarding this ID. It may help in some
> situations and reduce the attack vector. Any effort to improve the
> security should be reviewed! I mean if there are no negative
> impacts: why not? ;-)

I'm reluctant to conclude that there are no negative impacts.

As an example, think of a lightweight http server running this on a server, an legimtate client (knowing the secret) running on a similar leightweight client without TSopt and only very few ephemeral ports.

For each http session, the very same ISN will be re-used for every identical source port. In that enviornment the chances for a delayed packet to corrupt a TCP stream are non-negligible any more... ( the inverse of the number of ephemeral source ports available).

Also, the client will have to do a fall-back SYN without TSopt, if an intermediate meddlebox modifies the TSopt in any way; and across normalizers (also not completely uncommon) the scheme breaks down. But then, those meddleboxes shouldn't really be messing around to begin with... :)


I guess what I'm saying is that if some randomness (high order bits) could be maintained even when the 4-tuples are identical, that would at least address this concern (such sessions would still be detectable, by checking if the low order bits are identical; unless there is some clever way to randomly distribute the hash-bits and random bits, perhaps also based on a (different?) hash of the 4-tuple...


Best regards,


Richard Scheffenegger

v2.23.0 | Report a Bug | By Email