Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt
Ted Faber <faber@ISI.EDU> Mon, 29 September 2008 16:08 UTC
Date: Mon, 29 Sep 2008 09:07:24 -0700
From: Ted Faber <faber@ISI.EDU>
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
Cc: rrs@cisco.com, tcpm@ietf.org, David Borman <david.borman@windriver.com>, "Mitesh Dalal (mdalal)" <mdalal@cisco.com>

On Sun, Sep 28, 2008 at 02:03:55PM -0700, Anantha Ramaiah (ananth) wrote:
>
> Ted,
>    Appreciate the detailed comments. Pl see inline responses.

My pleasure.

> > -----Original Message-----
> > From: Ted Faber [mailto:faber@ISI.EDU]
> >
> > P13:
> >
> > "...so the chances of successfully injecting data into a
> > connection are
> > 1 in (2^32/RCV.WND *2)." In describing the RST attacks, we
> > spoke in terms of mean number of tries, and I'd be consistent
> > here. Similarly I'd do the math all the way: " ... so the
> > mean number of tries needed to inject data successfully is
> > 2*2^32/RWND = 2^33/RCV.WND."
>
> Sure, it is good to be consistent. But the math which you depict above
> seems incorrect to me. What was said earlier in the document is
> (referenced from Watson's paper ) is :
>
> ============
> "[SITW] demonstrated that
>    this assumption was incorrect and that instead of [1/2 * 2^32]
>    packets (assuming a random distribution) [1/2 * (2^32/window)]
>    packets is required.
>
>    Substituting numbers into this formula we see that for a window size
>    of 32,768, an average of 65,536 packets would need to be transmitted
>    in order to "spoof" a TCP segment that would be acceptable to a TCP
>    receiver. A window size of 65,535 reduces this even further to
>    32,768 packets. At today's access bandwidths an attack of that size
>    is feasible.
>
> ===============
>
> So for data injection, this should become 2^32/RCV.WND. (i.e, [1/2 *
> 2^32 *2]/window )

The paragraph I'm commenting on reads:

   A third type of attack is also highlighted by both the RST and SYN
   attacks. It is also possible to inject data into a TCP connection by
   simply guessing a sequence number within the current receive window
   of the victim. The ACK value of any data segment is considered valid
   as long as it does not acknowledge data ahead of the next segment to
   send. In other words an ACK value is acceptable if it is
   ((SND.UNA-(2^31-1)) <= SEG.ACK <= SND.NXT). The (2^31 - 1) in the
   above inequality takes into account the fact that comparisons on TCP
   sequence and acknowledgement numbers is done using the modulo 32 bit
   arithmetic to accommodate the number wraparound. This means that an
   attacker has to guess two ACK values with every guessed sequence
   number so that the chances of successfully injecting data into a
   connection are 1 in ((2^32 / RCV.WND) * 2).

I'm saying that, assuming the math is correct, that last expression
should be (2^33 / RCV.WND). I didn't check the math. If you also
believe the math is wrong, you have a larger edit. :-)

On rereading the argument, it does sound like a data injection attack
should be harder by a factor of 2 and that they multiplied by the wrong
expression (2^32 rather than 2^31). So I think you're correct about the
math, and if so the final expression would be 2^32 / RCV.WND.

I'd be happier if someone else also looked at this paragraph for
technical accuracy.

--
Ted Faber
http://www.isi.edu/~faber
PGP: http://www.isi.edu/~faber/pubkeys.asc
Unexpected attachment on this mail? See http://www.isi.edu/~faber/FAQ.html#SIG
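
The following is an added example, not part of the message above or of the draft: a small cost model a defender can use to see where the two figures under discussion come from. It implements the quoted ACK check with modulo arithmetic and compares single-segment odds with the mean and worst case of a systematic sweep. The function names, the idle-sender assumption (SND.UNA == SND.NXT), the uniformly random connection state and the scaled-down 2^8 space used for the exhaustive check are all assumptions of the example.

```python
from fractions import Fraction

def ack_acceptable(seg_ack, snd_una, snd_nxt, mod=2**32):
    # Check quoted from the draft: SND.UNA - (2^31 - 1) <= SEG.ACK <= SND.NXT,
    # evaluated modulo the sequence space (2^32 for real TCP).
    back = mod // 2 - 1
    span = (snd_nxt - snd_una) % mod          # data in flight
    return (seg_ack - (snd_una - back)) % mod <= back + span

def seq_in_window(seg_seq, rcv_nxt, rcv_wnd, mod=2**32):
    # RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo the sequence space.
    return (seg_seq - rcv_nxt) % mod < rcv_wnd

def one_shot_odds(rcv_wnd, mod=2**32):
    # "1 in N" odds that one segment with uniformly random SEQ and ACK passes
    # both checks on an idle sender: the draft's (2^32 / RCV.WND) * 2.
    return Fraction(mod, rcv_wnd) * 2

def sweep_model(rcv_wnd, mod=2**32):
    # Systematic sweep (the model behind Watson's 1/2 * 2^32/window): SEQ is
    # stepped by RCV.WND and each SEQ is paired with two ACK values half the
    # space apart. Returns (mean, worst) number of segments.
    steps = -(-mod // rcv_wnd)                # ceiling division
    return Fraction(2 * steps + 1, 2), 2 * steps

def sweep_exhaustive(rcv_wnd, mod):
    # Verify the closed form by enumerating every connection state in a
    # small sequence space (constructed test space; rcv_wnd must divide mod).
    total = worst = 0
    for rcv_nxt in range(mod):
        for snd_una in range(mod):
            sent = 0
            for seq in range(0, mod, rcv_wnd):
                for ack in (0, mod // 2):
                    sent += 1
                    if (seq_in_window(seq, rcv_nxt, rcv_wnd, mod)
                            and ack_acceptable(ack, snd_una, snd_una, mod)):
                        break
                else:
                    continue                  # neither ACK accepted: next SEQ
                break
            total += sent
            worst = max(worst, sent)
    return Fraction(total, mod * mod), worst

if __name__ == "__main__":
    print(one_shot_odds(65536), sweep_model(65536), sweep_exhaustive(32, 256))
```

Under these assumptions 2^33/RCV.WND appears as the single-segment odds and as the worst case of the sweep, while the mean of the sweep is 2^32/RCV.WND plus one half.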