IETF Logo Mail Archive

Re: [tcpm] Q&C regarding tcpsecure-09 recommendations

"Anantha Ramaiah (ananth)" <ananth@cisco.com> Tue, 03 June 2008 03:08 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2A19F3A6860; Mon, 2 Jun 2008 20:08:58 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4DC8C3A683F for <tcpm@core3.amsl.com>; Mon, 2 Jun 2008 20:08:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.699
X-Spam-Level:
X-Spam-Status: No, score=-5.699 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UrQJCymIFd62 for <tcpm@core3.amsl.com>; Mon, 2 Jun 2008 20:08:55 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 9ADAC3A6836 for <tcpm@ietf.org>; Mon, 2 Jun 2008 20:08:55 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.27,581,1204531200"; d="scan'208";a="107513094"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-6.cisco.com with ESMTP; 02 Jun 2008 20:08:58 -0700
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id m5338w28007891; Mon, 2 Jun 2008 20:08:58 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-4.cisco.com (8.13.8/8.13.8) with ESMTP id m5338v3q002969; Tue, 3 Jun 2008 03:08:57 GMT
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 2 Jun 2008 20:08:57 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 02 Jun 2008 20:08:07 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC5805449498@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <48449321.5000609@isi.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] Q&C regarding tcpsecure-09 recommendations
Thread-Index: AcjFErgKSgprEZYvRGe2FlnLoUalpQAESj7g
References: <48432005.2070201@freebsd.org> <48449321.5000609@isi.edu>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Joe Touch <touch@ISI.EDU>, tcpm@ietf.org
X-OriginalArrivalTime: 03 Jun 2008 03:08:57.0772 (UTC) FILETIME=[29EAF6C0:01C8C527]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6343; t=1212462538; x=1213326538; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ananth@cisco.com; z=From:=20=22Anantha=20Ramaiah=20(ananth)=22=20<ananth@cisco .com> |Subject:=20RE=3A=20[tcpm]=20Q&C=20regarding=20tcpsecure-09 =20recommendations |Sender:=20; bh=W79gfs0tRPaK55FS1r4Z85DQR2Z4gWHm57PpeINFIDo=; b=hNQTgvA85y4HDh7FR+n88cPxES4LvgpbwOkGSBkZDXMzMpGAUmcnB8k4AS 7Cfie3TIxPWUXDkoBVDEVca0oNl8AnSto7lMHvwXmOXgJuX7m7PgFmOhqwo/ Yprk2cgYYH;
Authentication-Results: sj-dkim-3; header.From=ananth@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Subject: Re: [tcpm] Q&C regarding tcpsecure-09 recommendations
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org


> -----Original Message-----
> From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> Behalf Of Joe Touch
> Sent: Monday, June 02, 2008 5:41 PM
> To: tcpm@ietf.org
> Subject: Re: [tcpm] Q&C regarding tcpsecure-09 recommendations
> 
> Hi, all,

Others can comment, but wanted to offer my perspective as one of the
document's authors. Pl find inline responses..

> 
> This is, IMO, a signal to review the recommendations in 
> Section 1.1. I was always concerned that these mitigations 

tcpsecure-09 has been reviewed and that includes the AS. There have been
some general comments received which will be incorporated in the next
revision.

> would be misinterpreted as applying to hosts in general, 
> which they do not.

Actually this is TCP document and hence these mitigations apply to any
system that thinks it needs those. Also the definition between hosts and
routers have diminished long ago. The AS is in place for the very reason
you wanted it to be, i.e, these mitigations are generally useful for
long lived sessions (SHOULD) than short lived (MAY) sessions. A TCP
stack which caters to multitude of applications (short and long lived)
may want to take the super set approach, IMO. It is purely an
implementation decision.


> 
> The document, IMO, is insufficient in indicating therein that:
> 
> 	- with source port randomization, the mitigations are not needed
> 	(port randomization provides a 2^15 strength amplification),
> 	even presuming source IP addresses are known

Source port randomization is one way of adding robustness and does not
every situation. Also you can't assume everyone is doing src port
randomization. Even then having these mitigations would make the attacks
described in the document harder to accomplish.

> 
> 	- if source IP addresses are not known, the mitigations are not
> 	needed

I think this is very obvious in the document. Right from the intro which
talks about the attack vectors, and what is needed to accomplish the
attack. 


> 
> 	- the mitigations may increase the time needed to respond to
> 	a legitimate RST, incurring extra RTTs or retransmissions
> 	vs. an unmodified system

Yes, this is obvious too due to the challenge ACK being sent.

> 
> 	- the mitigations are not a substitute for network or
> 	transport authentication, either of which obviate the need
> 	for the mitigations (yes, this is noted in the security
> 	considerations, but it's buried w.r.t. applicability)

Oh, the way I read the draft the above fact is mentioned all over the
draft.. I can point out all the places if you want, but we have been
thru this before and I have incorporated the feedback received from you
but I am surprised that you are bringing this one up now.

> 
> 	- the mitigations protect only off-path attacks; on-path
> 	attacks, such as ISPs shutting connections down deliberately,
> 	are not prevented by this mitigation (yes, also noted
> 	in security considerations, but again worth noting in
> 	applicability, and worth adding the ISP example, IMO)

Well, I would think that we generally don't want to repeat the same text
all over the document again and again, but if the work group believes in
this redundancy as you semm to do, I am more than willing to add it. 

-Anantha
> 
> It seems like these ought to be added, in light of the note below.
> 
> Joe
> 
> Andre Oppermann wrote:
> > I'm reworking/refactoring/rewriting the FreeBSD TCP input 
> path (in a 
> > separate perforce tree at the moment) and in that process I'm 
> > evaluating all assumptions and test them against a close 
> reading of all relevant RFCs.
> > 
> > While reading and applying draft-ietf-tcpm-tcpsecure-09.txt 
> I've come 
> > across a couple of inconsistencies and issues that require 
> further clarification:
> > 
> > Section 3.2 Mitigation of Blind RST
> > 
> >   [Real world observation]
> >   Some implementations send the RST not on rcv_nxt but on 
> rcv_nxt-1 or
> >   rcv_nxt+rcv_win.  Thus we accept three small windows of 
> rcv_nxt(+-1),
> >   last_ack_sent(+-1) and rcv_nxt+rcv_win(+-1).
> > 
> >   Of course the challenge ACK should have the same effect 
> at the expense
> >   of another round trip.  While these three (two in case of 
> rcv_nxt == last_ack_sent)
> >   do increase the chances of a succesful attack (only every 
> third seq# has to
> >   be probed plus the average hit rate is increased due to 
> having two/three
> >   different places that match) real world behavior and 
> interop should be
> >   considered and discussed.
> > 
> >   
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_inpu
> t.c#rev1.316
> >   
> > 
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c#rev1
> > .259
> > 
> > 
> > Section 4.2 Mitigation of Blind SYN
> > 
> >   [Possible inconsistency in text]
> >   The test in 4.2 eq. 1) is a little different.  In RFC793 it is:
> > 
> >    RCV.NXT =< SEG.SEQ < RCV.NXT+RCV.WND
> > 
> >   in tcpsecure it is described as one byte larger beyond 
> the real window:
> > 
> >    RCV.NXT <= SEG.SEQ <= RCV.NXT+RCV.WND.
> > 
> >   This seems to be incorrectly transcribed.
> > 
> > 
> > Section 5.2 Mitigation of Blind data injection attack
> > 
> >   [Clarification]
> >   Data that doesn't satisfy the new check in first 
> paragraph MUST be discarded
> >   silently. Before RFC793 used to require an ACK to be sent 
> back. This change
> >   is not sufficiently explained and lacks an obvious rationale.
> > 
> >   The second related issue is where this check should be 
> placed relative to
> >   RFC793 ordering?  Before the fifth check, last sentence 
> (page 72) "If the ACK
> >   acks something not yet sent (SEG.ACK > SND.NXT) then send 
> an ACK, drop the
> >   segment, and return." or right after it?  This has 
> implications on the response
> >   as tcpsecure requires to silently discard the segment.  
> If it weren't for the
> >   silent discard the new tcpsecure check could simply 
> replace/extend the fifth
> >   check from RFC793.
> > 
> > 
> > Feedback appreciated.
> > 
> 
> 
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email