Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt

Ted Faber <faber@ISI.EDU> Mon, 29 September 2008 16:08 UTC


On Sun, Sep 28, 2008 at 02:03:55PM -0700, Anantha Ramaiah (ananth) wrote:
> 
> Ted,
>   Appreciate the detailed comments. Please see inline responses.

My pleasure.

> > -----Original Message-----
> > From: Ted Faber [mailto:faber@ISI.EDU] 
> >
> > P13:
> > 
> > "...so the chances of successfully injecting data into a 
> > connection are
> > 1 in (2^32/RCV.WND *2)."  In describing the RST attacks, we 
> > spoke in terms of mean number of tries, and I'd be consistent 
> > here.  Similarly I'd do the math all the way: " ... so the 
> > mean number of tries needed to inject data successfully is  
> > 2*2^32/RWND = 2^33/RCV.WND."
> 
> Sure, it is good to be consistent. But the math which you depict above
> seems incorrect to me. What was said earlier in the document
> (referenced from Watson's paper) is:
> 
> ============
>    "[SITW] demonstrated that
>    this assumption was incorrect and that instead of [1/2 * 2^32]
>    packets (assuming a random distribution) [1/2 * (2^32/window)]
>    packets is required.
> 
>    Substituting numbers into this formula we see that for a window size
>    of 32,768, an average of 65,536 packets would need to be transmitted
>    in order to "spoof" a TCP segment that would be acceptable to a TCP
>    receiver.  A window size of 65,535 reduces this even further to
>    32,768 packets.  At today's access bandwidths an attack of that size
>    is feasible.
> 
> ===============
> 
> So for data injection, this should become 2^32/RCV.WND. (i.e., [1/2 *
> 2^32 *2]/window )

The paragraph I'm commenting on reads:

   A third type of attack is also highlighted by both the RST and SYN
   attacks.  It is also possible to inject data into a TCP connection by
   simply guessing a sequence number within the current receive window
   of the victim.  The ACK value of any data segment is considered valid
   as long as it does not acknowledge data ahead of the next segment to
   send.  In other words an ACK value is acceptable if it is ((SND.UNA-
   (2^31-1)) <= SEG.ACK <= SND.NXT).  The (2^31 - 1) in the above
   inequality takes into account the fact that comparisons on TCP
   sequence and acknowledgement numbers is done using the modulo 32 bit
   arithmetic to accommodate the number wraparound.  This means that an
   attacker has to guess two ACK values with every guessed sequence
   number so that the chances of successfully injecting data into a
   connection are 1 in ((2^32 / RCV.WND) * 2).

I'm saying that, assuming the math is correct, that last expression
should be (2^33 / RCV.WND).  I didn't check the math.  If you also
believe the math is wrong, you have a larger edit. :-)

On rereading the argument, it does sound like a data injection attack
should be harder by a factor of 2 and that they multiplied by the wrong
expression (2^32 rather than 2^31).  So I think you're correct about the
math, and if so the final expression would be 2^32 / RCV.WND.

I'd be happier if someone else also looked at this paragraph for
technical accuracy.

-- 
Ted Faber
http://www.isi.edu/~faber           PGP: http://www.isi.edu/~faber/pubkeys.asc
Unexpected attachment on this mail? See http://www.isi.edu/~faber/FAQ.html#SIG
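
Added example, not part of the original message or of the draft: a model of the ACK acceptability check quoted above, together with the segment counts it implies when the sequence space is stepped through one RCV.WND at a time with two ACK values per sequence guess. The function names and the sample connection state are constructed for illustration, and less than 2^31 bytes are assumed to be in flight.

```python
MOD = 1 << 32    # TCP sequence and ACK numbers are 32-bit
HALF = 1 << 31

def ack_acceptable(seg_ack, snd_una, snd_nxt):
    """Quoted check: (SND.UNA - (2^31-1)) <= SEG.ACK <= SND.NXT, modulo 2^32."""
    lo = (snd_una - (HALF - 1)) % MOD
    # Compare both values as offsets from the lower bound so wraparound is handled.
    return (seg_ack - lo) % MOD <= (snd_nxt - lo) % MOD

def acceptable_ack_count(snd_una, snd_nxt):
    """How many of the 2^32 possible ACK values pass the check."""
    return (snd_nxt - snd_una) % MOD + HALF

def pair_covers(guess, snd_una, snd_nxt):
    """True if at least one of two ACK values 2^31 apart passes the check."""
    return (ack_acceptable(guess, snd_una, snd_nxt)
            or ack_acceptable((guess + HALF) % MOD, snd_una, snd_nxt))

def sweep_segments(rcv_wnd, acks_per_seq=1):
    """Segments needed to step through the whole sequence space once."""
    return acks_per_seq * MOD / rcv_wnd

def mean_segments(rcv_wnd, acks_per_seq=1):
    """Mean count for a uniformly random window position: half of a full sweep."""
    return sweep_segments(rcv_wnd, acks_per_seq) / 2

if __name__ == "__main__":
    snd_una, snd_nxt = 1000, 5000   # constructed sender state
    share = acceptable_ack_count(snd_una, snd_nxt) / MOD
    print(f"share of ACK values accepted: {share:.6f}")
    print("pair 2^31 apart always covers:",
          all(pair_covers(g, snd_una, snd_nxt) for g in (0, 5001, HALF, MOD - 1)))
    for wnd in (32768, 65535):
        print(f"RCV.WND={wnd}: "
              f"RST mean={mean_segments(wnd):.0f}, "
              f"data mean={mean_segments(wnd, 2):.0f}, "
              f"data full sweep={sweep_segments(wnd, 2):.0f}")
```

Under this model a full sweep with two ACK values per sequence guess is 2^33 / RCV.WND segments and the mean is 2^32 / RCV.WND, so a wider acceptable ACK range directly lowers the cost of a blind guess.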