Re: [tcpm] End of WGLC for draft-ietf-tcpm-rfc1948bis
"Anantha Ramaiah (ananth)" <ananth@cisco.com> Sun, 26 June 2011 10:48 UTC
Return-Path: <ananth@cisco.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E17311E8078 for <tcpm@ietfa.amsl.com>; Sun, 26 Jun 2011 03:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.181
X-Spam-Level:
X-Spam-Status: No, score=-10.181 tagged_above=-999 required=5 tests=[AWL=-0.182, BAYES_00=-2.599, J_CHICKENPOX_36=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IcUV-cXpwKfq for <tcpm@ietfa.amsl.com>; Sun, 26 Jun 2011 03:47:58 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by ietfa.amsl.com (Postfix) with ESMTP id 3E26111E8077 for <tcpm@ietf.org>; Sun, 26 Jun 2011 03:47:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=ananth@cisco.com; l=5032; q=dns/txt; s=iport; t=1309085278; x=1310294878; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to:cc; bh=MO/XSw9mC5H1qSvprXD5w2OvVsxq0Zi8Go4ukEZLhhw=; b=FtmcnjSKl8vVzXM2BkSkoxQlf6LXk3+WFZnwLVydoif2+jxjhNy4X6ms yn5rjrRecQ15a1aHznWPGfcSJ2Vfm84Twx5177/GJx0WVKpXLKdxSYuE2 HULH6tAIHeG7xpBCbkQSFk5wl6XaJKnKecGgHpzFSZQ1FyLOgU4iR3i66 c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvQAAEUNB06rRDoJ/2dsb2JhbABFDpgYjy53rQ6dAoMfgxEEhyyPTotE
X-IronPort-AV: E=Sophos;i="4.65,427,1304294400"; d="scan'208";a="347522773"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by sj-iport-3.cisco.com with ESMTP; 26 Jun 2011 10:47:58 +0000
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p5QAlv61029110; Sun, 26 Jun 2011 10:47:58 GMT
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Sun, 26 Jun 2011 03:47:57 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 26 Jun 2011 03:47:56 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC580D0E68CD@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <133D9897FB9C5E4E9DF2779DC91E947C0607BAAA@SLFSNX.rcs.alcatel-research.de>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] End of WGLC for draft-ietf-tcpm-rfc1948bis
Thread-Index: AQHMG8LVtu3LcaoxVUOf5xEU3d1gTZTN1NcggAHAxIA=
References: <133D9897FB9C5E4E9DF2779DC91E947C0607BAAA@SLFSNX.rcs.alcatel-research.de>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: "SCHARF, Michael" <Michael.Scharf@alcatel-lucent.com>, TCP Maintenance and Minor Extensions WG <tcpm@ietf.org>
X-OriginalArrivalTime: 26 Jun 2011 10:47:57.0521 (UTC) FILETIME=[82B7AC10:01CC33EE]
Cc: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] End of WGLC for draft-ietf-tcpm-rfc1948bis
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jun 2011 10:48:02 -0000
Hopefully it is not too late.. The document is good to be shipped but I have some minor comments. [Text is quotes is cut&pasted from original document which is followed by comments.] 1 Introduction "if and only if the Bad Guy already" can sound better if re-worded to : "if and only if the attacker" 2 Generation of Initial Sequence Numbers "This is accomplished by the TIME-WAIT state, and TCP's "quiet time" concept (see Appendix B of [RFC1323])." Actually it is PAWS that is helping discard old segments. "We can prevent sequence number guessing attacks by giving each connection -- that is, each 4-tuple of (localip, localport, remoteip, remoteport) -- a separate sequence number space. Within each space, the initial sequence number is incremented according to [RFC0793]; however, there is no obvious relationship between the numbering in different spaces." Doing above would increase the attack probability since as the number of connections (4tuples or 5tuples) increases the vulnerability to attack increases. It sounds like you are recommending such a scheme esp if storage isn't an issue, but that is just one aspect. 3. Proposed Initial Sequence Number (ISN) generation algorithm "It is vital that F not be computable from the outside," Can we chose a better word than " the outside"? You could say simply that without a seed, it is useless since if the connection 4 tuple can be guessed, also port randomization (RFC xxx) helps a bit here since guessing src port would become difficult. Maybe you can mention that and refer that as well? "It should be noted that while there have been concerns about the security properties of MD5 [RFC6151], the algorithm specified in this document simply aims at reducing the chances of an off-path attacker of guessing the ISN of a new connection, and hence we consider that use of MD5 in the specified algorithm is acceptable." I am surprised at the above. Are we saying "MD5 is ok" or just saying "we don't really care". It is an implementation to chose the desired algorithm. I think we should make this reference a bit generic. Was this reviewed by the security working groups? 4. Security Consideration "Depending on the ISN generators implemented by each of the systems behind the NAT, an attacker might be able to count the number of systems behind a NAT by establishing a number of TCP connections (using the public address of the NAT) and indentifying the number of different sequence number "spaces". [I-D.gont-behave-nat-security] discusses how this and other information leakages at NATs could be mitigated." I don't think this is true, it depends on the PRF chosen and the smartness can be put in there. Also there is going to collisions here and hence not sure how reliably an attacker can identify the end systems. With port randomization, this may become difficult as well (although I haven't really verified that is the case...) Appendix B "This document aims at Standards Track (rather than Informaitonal)." Fix the typo :-) General question :- Middleboxes (TCP proxies) terminate the TCP connection and originate new ones in the middle, wondering whether the scope of this document should extend to such devices as well, w.r.t choosing ISN's.? Or you don't care.? Thanks, -Anantha > -----Original Message----- > From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On Behalf Of > SCHARF, Michael > Sent: Saturday, June 25, 2011 12:28 AM > To: TCP Maintenance and Minor Extensions WG > Cc: Fernando Gont > Subject: [tcpm] End of WGLC for draft-ietf-tcpm-rfc1948bis > > Dear all, > > there has only been one response during the WGLC. As a result, we will > need a small revision of the draft, but no fundamental change. > > If you should have any further comment but somehow missed the deadline, > please speak up now. We should move forward this small draft. > > Thanks > > Michael > > > -----Original Message----- > From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On Behalf Of > Borman, David > Sent: Thursday, May 26, 2011 6:35 PM > To: TCP Maintenance and Minor Extensions WG > Cc: tsv-ads@tools.ietf.org; Fernando Gont > Subject: [tcpm] Start of WGLC for draft-ietf-tcpm-rfc1948bis > > The author of draft-ietf-tcpm-rfc1948bis believes that the document is > ready for Working Group Last Call. It has been a month since there was > anything new on the mailing list with regards to > draft-ietf-tcpm-rfc1948bis. > > We are starting the WGLC for this document, to end on Friday, June 10. > Please send any comments on the document to the mailing list and the > author before that time. > > -David Borman & Michael Scharf, TCPM WG > co-chairs > _______________________________________________ > tcpm mailing list > tcpm@ietf.org > https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] End of WGLC for draft-ietf-tcpm-rfc1948bis SCHARF, Michael
- Re: [tcpm] End of WGLC for draft-ietf-tcpm-rfc194… Anantha Ramaiah (ananth)
- Re: [tcpm] End of WGLC for draft-ietf-tcpm-rfc194… Fernando Gont
- Re: [tcpm] End of WGLC for draft-ietf-tcpm-rfc194… Anantha Ramaiah (ananth)
- Re: [tcpm] End of WGLC for draft-ietf-tcpm-rfc194… Fernando Gont
- Re: [tcpm] End of WGLC for draft-ietf-tcpm-rfc194… Anantha Ramaiah (ananth)