IETF Logo Mail Archive

Re: [tcpm] poll for adopting draft-gont-tcp-security

" Ilpo Järvinen " <ilpo.jarvinen@helsinki.fi> Mon, 29 June 2009 18:48 UTC

Return-Path: <ilpo.jarvinen@helsinki.fi>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 97A8F3A6DD2 for <tcpm@core3.amsl.com>; Mon, 29 Jun 2009 11:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.19
X-Spam-Level:
X-Spam-Status: No, score=-5.19 tagged_above=-999 required=5 tests=[AWL=1.110, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nwtz7BhCpMZ1 for <tcpm@core3.amsl.com>; Mon, 29 Jun 2009 11:48:28 -0700 (PDT)
Received: from mail.cs.helsinki.fi (courier.cs.helsinki.fi [128.214.9.1]) by core3.amsl.com (Postfix) with ESMTP id 9D4C73A6A32 for <tcpm@ietf.org>; Mon, 29 Jun 2009 11:48:27 -0700 (PDT)
Received: from svm-3.cs.helsinki.fi (melkinkari.cs.helsinki.fi [128.214.11.43]) (AUTH: PLAIN cs-relay, TLS: TLSv1/SSLv3,256bits,AES256-SHA) by mail.cs.helsinki.fi with esmtp; Mon, 29 Jun 2009 21:48:43 +0300 id 00063E02.4A490C8B.00000935
Received: by svm-3.cs.helsinki.fi (Postfix, from userid 50795) id 83791D4A11; Mon, 29 Jun 2009 21:48:43 +0300 (EEST)
Received: from localhost (localhost [127.0.0.1]) by svm-3.cs.helsinki.fi (Postfix) with ESMTP id 7A667D5629; Mon, 29 Jun 2009 21:48:43 +0300 (EEST)
Date: Mon, 29 Jun 2009 21:48:43 +0300
From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
X-X-Sender: ijjarvin@melkinkari.cs.Helsinki.FI
To: Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <4A490492.3050407@gont.com.ar>
Message-ID: <Pine.LNX.4.64.0906292137340.31833@melkinkari.cs.Helsinki.FI>
References: <C304DB494AC0C04C87C6A6E2FF5603DB2217B28763@NDJSSCC01.ndc.nasa.gov> <fc0ff13d0906241711k44de4f77u8ec825e1ea151a1e@mail.gmail.com> <4A4317ED.1040905@gont.com.ar> <4A48F60A.7020602@gmail.com> <4A490492.3050407@gont.com.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: Matt Mathis <mathis@psc.edu>, tcpm Extensions WG <tcpm@ietf.org>, Matt Mathis <matt.mathis@gmail.com>
Subject: Re: [tcpm] poll for adopting draft-gont-tcp-security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2009 18:48:29 -0000

On Mon, 29 Jun 2009, Fernando Gont wrote:

> Matt Mathis wrote:
> 
> > > > I read all of 2 pages before I found something that, if significantly
> > > > deployed, would haunt some Internet users for a very very long time (p
> > > > 43, SACK resource exhaustion).
> > >
> > > I guess you are arguing against the proposed limit of 16 for the maximum
> > > number of sack holes? I understand you could argue that this value
> > > could/should be raised. However, IIRC I based my proposal on existing data
> > > on the number of holes.
> [....]
> > > I guess/hope you are not arguing against enforcing limits, but about the
> > > specific value proposed in the I-D. And the reason for submiting this I-D
> > > as a IETF I-D is exactly to discuss these issues and get consensus on
> > > e.g., what the proper/safe value should be for this limit.
> > The current limits are workaround for using inappropriate algorithms for
> > maintaining the  SACK scoreboard.
> 
> It's more than that. If you don't enforce any limits, you could get a system
> to commit lots of memory for the scoreboard. Not enforcing limits is a highway
> to buffer overflows and other type of attacks. You must impose *some* limit.

To me most sensible limit seems to be number of outstanding segments (not 
bytes) divided by two. There should be really very little reason to go 
beyond that. But of course not all implementations can directly 
determinate the number of outstanding segments (and would have to use some 
divided by MSS heurestics).

> > The easy way to implement the scoreboard has cost O(N^2).  However there is
> > at least one OS that uses an O(N*ln(N)) scoreboard, and O(N) might be
> > possible.  (These are the total cost of the worst case recovery at window
> > size N, so O(N) total cost is constant cost per ACK.)
> 
> Could you provide details of the algorithms you mention, references, etc.?

Any linked-list based implementation is basically O(n^2) under 
worst case attack, but they can also end up being that even in 
non-malicious cases too depending on the direction of lookups
and/or loss pattern.

O(n) for normal patterns seems well possible due to rather well 
predictable order of processing, obviously O(n*log n) is necessary
for malicious.

Also similar issues easily exist in the out-of-order segment handling at 
the receiver side.

-- 
 i.

v2.23.0 | Report a Bug | By Email