Re: [tcpm] Q&C regarding tcpsecure-09 recommendations

Andre Oppermann <andre@freebsd.org> Wed, 04 June 2008 23:01 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2BF653A69AD; Wed, 4 Jun 2008 16:01:47 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C58A23A69DB for <tcpm@core3.amsl.com>; Wed, 4 Jun 2008 16:01:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nRJE5Cqmd6ng for <tcpm@core3.amsl.com>; Wed, 4 Jun 2008 16:01:44 -0700 (PDT)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by core3.amsl.com (Postfix) with ESMTP id DBEC93A6938 for <tcpm@ietf.org>; Wed, 4 Jun 2008 16:01:43 -0700 (PDT)
Received: (qmail 1461 invoked from network); 4 Jun 2008 21:58:19 -0000
Received: from localhost (HELO [127.0.0.1]) ([127.0.0.1]) (envelope-sender <andre@freebsd.org>) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for <touch@ISI.EDU>; 4 Jun 2008 21:58:19 -0000
Message-ID: <48471EDA.5020504@freebsd.org>
Date: Thu, 05 Jun 2008 01:01:46 +0200
From: Andre Oppermann <andre@freebsd.org>
User-Agent: Thunderbird 1.5.0.14 (Windows/20071210)
MIME-Version: 1.0
To: Joe Touch <touch@ISI.EDU>
References: <48432005.2070201@freebsd.org> <48449321.5000609@isi.edu> <00BC7F35-5CE5-4142-AF30-7EDDB70A29D5@nokia.com> <4846FFFF.9090309@isi.edu> <48470949.3030904@networx.ch> <4847100A.4060003@isi.edu>
In-Reply-To: <4847100A.4060003@isi.edu>
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Q&C regarding tcpsecure-09 recommendations
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

Joe Touch wrote:
> Andre Oppermann wrote:
> ...
>>>     2. adding these mitigations complicates the TCP implementation,
>>>     and makes it less robust to legitimate RSTs, esp. in the
>>>     presence of reordering; it can increase the time needed to
>>>     reset a connection by one or more RTTs
>>
>> Agreed for the second part about the potential for the time increase.
>> Not agreed to the first part.  All kinds of mitigations make TCP
>> implementations more complex.  Port randomization does, TCP-MD5 does,
>> IPsec does and so on.  You can trust me on this one. ;-)
> 
> IPsec has nothing to do with the TCP implementation; it may make the 
> stack more complex, but not TCP. Port randomization is a one-time event 
> during SYN creation, and should be easy to factor out as a separate 
> call. TCP MD5 is complex, but already implemented.

Port randomization is complex to implement.

> The complexity I'm referring to is reflected in the exchange on details 
> and corner cases you've posted to this list.

There are just as many corner cases with (true) port randomization.
Have a look at its CVS history in the BSDs.  Or Linux.  Took a couple
iterations.

>> Repeating myself:
>>
>> The extra time it may take in an edge case is not terribly high.  Most
>> RSTs will match and do their thing. 
> 
> Actually, you've already indicated cases where that might not be true; 
> if RSTs are used to shut down typical connections "just in case", if any 
> of the in-transit data was lost, then these will trigger the ACK 
> exchange and extra RTT. This costs extra time, extra packets, and extra 
> processing on both ends - all for a NON MALICIOUS CASE.

Normally the connection is in an idle state.  It is primarily observed
with web servers where either the client or server wants to do persistent
connections and the other end does not.  Or it times out.  There would be
no extra round-trip for the RST to be come effective.

>  > As far as my understanding
>> goes TCP is concerned with reliable transport of data, not absolutely
>> reliable abortions of the same through RSTs and SYNs.  They do play
>> an important role in the functioning of the overall system but they
>> are not sensitive to a delay of a couple of milliseconds.
> 
> Correct; however, just because an endpoint didn't expect a packet does 
> not imply it is an attack either. That's the flaw in this system, IMO - 
> and a reason why bursts of RSTs or SYNs to the same addr/port pair are a 
> fairly clear indication of a problem, the filtering out of which would 
> make these mods completely unnecessary.

I'm all ears on your magic RST/SYN burst filter.

-- 
Andre

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm