IETF Logo Mail Archive

Re: [tcpm] On the implementation of TCP urgent data (IETF Internet Draft)

Bill Squier <groo@old-ones.com> Fri, 27 February 2009 23:12 UTC

Return-Path: <groo@old-ones.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6B4C43A68A4 for <tcpm@core3.amsl.com>; Fri, 27 Feb 2009 15:12:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7qY5tFvQUmkb for <tcpm@core3.amsl.com>; Fri, 27 Feb 2009 15:12:50 -0800 (PST)
Received: from homiemail-a3.dreamhost.com (mailbigip.dreamhost.com [208.97.132.5]) by core3.amsl.com (Postfix) with ESMTP id 69C123A6862 for <tcpm@ietf.org>; Fri, 27 Feb 2009 15:12:50 -0800 (PST)
Received: from [192.168.1.100] (ool-4351bf61.dyn.optonline.net [67.81.191.97]) by homiemail-a3.dreamhost.com (Postfix) with ESMTP id 23D0AC54C3; Fri, 27 Feb 2009 15:13:12 -0800 (PST)
Message-Id: <F2BD5C91-4566-487A-8CC0-D180C30B0058@old-ones.com>
From: Bill Squier <groo@old-ones.com>
To: christos@zoulas.com
In-Reply-To: <20090227222910.4AAF55654E@rebar.astron.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Fri, 27 Feb 2009 18:13:11 -0500
References: <20090227222910.4AAF55654E@rebar.astron.com>
X-Mailer: Apple Mail (2.930.3)
X-Mailman-Approved-At: Sun, 01 Mar 2009 18:38:37 -0800
Cc: groo@netbsd.org, James Chacon <jmc@netbsd.org>, tcpm@ietf.org, Fernando Gont <fernando@gont.com.ar>, Jerry Leichter <leichter@lrw.com>
Subject: Re: [tcpm] On the implementation of TCP urgent data (IETF Internet Draft)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Feb 2009 23:16:43 -0000

On Feb 27, 2009, at 5:29 PM, Christos Zoulas wrote:

> In article <49A83600.9090807@gont.com.ar> you write:
>> Hello, folks,
>>
>> We have published a revision of our IETF Internet-Draft entitled  
>> "On the
>> implementation of TCP urgent data". The document is available at:
>> http://tools.ietf.org/id/draft-gont-tcpm-urgent-data-01.txt (you can
>> also get the document in other fancy formats, such as PDF, at
>> http://www.gont.com.ar/drafts).
>>
>> This document describes current issues relevant to the implementation
>> and use of TCP urgent data, aims to change the IETF specifications so
>> that they accommodate what virtually all implementations have been  
>> doing
>> wrt urgent data.
>>
>> The TCPM working group of the IETF is currently deciding whether to
>> adopt this document as a working group item, so that your input  
>> will be
>> very much appreciated.
>>
>> To voice your opinion, please send it to tcpm@ietf.org, and CC me
>> (fernando@gont.com.ar), so that I make sure that your post makes it  
>> to
>> the mailing-list, even if you are not subscribed to it.  
>> (Alternatively,
>> you can send me your input, and I could forward it to the tcpm@ietf.org
>> mailing-list).
>
> The behavior on Windows is more complex than this. I think that it  
> maintains
> much more data than a single byte and this can lead to resource  
> exhaustion.
> This behavior is used and required to be present by SQL Server, so  
> Microsoft
> is unwilling to change it. Bill Squier <groo@netbsd.org> discovered  
> this and
> can provide you with details.

I haven't had time to read the article completely, but I did skim the  
Windows section, and Christos is correct.  Windows exhausts a non- 
paged fixed size pool of kernel memory (leading to a crash) whenever  
the receiver does not drain OOB data.  Thus, any Windows TCP receiver  
which does not expect OOB data is an avenue of attack.  For example,  
the NetBIOS listener.  I refer here to Windows versions <= XP.  I have  
not performed any testing on Vista and later.  Microsoft has been  
aware of this issue for years.  Jerry and James can speak to whether  
they have ever addressed it.

Further, I noticed that some of your analysis discusses OOB data  
bleeding in-line.  This is almost certainly caused by an interaction  
(on the _sender_) of Nagle and the fact that TCP defines only a single  
OOB pointer.  The receiver is not returning bytes which it knows to be  
OOB bytes inline, the _sender_ is accidentally placing more than a  
single byte of OOB in each packet that it sends.

The receiver has no way to know that, as the only means of  
communication about OOB data between sender and receiver is a single  
pointer.

I have added James and Jerry to this thread as well.

[note to tcpm@ietf.org; we are not subscribers, please preserve the  
cc: if you wish to solicit our feedback]

-wps

v2.23.0 | Report a Bug | By Email