Re: [tcpm] Last Call: draft-ietf-tcpm-tcpsecure (Improving TCP's Robustness to Blind In-Window Attacks) to Proposed Standard

Fernando Gont <fernando@gont.com.ar> Mon, 13 April 2009 21:23 UTC

Message-ID: <49E3ADA4.1090402@gont.com.ar>
Date: Mon, 13 Apr 2009 18:24:52 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: ietf@ietf.org
Cc: tcpm@ietf.org
References: <20090402150706.EC83D28C222@core3.amsl.com>
In-Reply-To: <20090402150706.EC83D28C222@core3.amsl.com>

Folks,

Some last call comments:

* The document never mentions the fact that this document is
IPR-encumbered. As far as I recall, much of the discussion within tcpm
with respect to the level of requirements of this document
(MAY/SHOULD/MUST, etc.) had to do with this fact. I believe the document
should include a warning mentioning that there's an IPR on the document,
so that implementers can consider this point in their decision of
whether to implement the described mechanisms or not.

* The document discusses blind attacks, and to some extent assesses the
difficulty in guessing the four-tuple that identifies a TCP connection.
However, it does not even mention port randomization, which is probably
the most simple and straightforward approach for mitigating blind
attacks against TCP. This was raised by me and others quite a few times
in the tcpm wg list, pre and post wglc, but this comment was never
addressed. It's particularly curious that port randomization is not
mentioned when tsvwg is working on it (draft-ietf-tsvwg-port-randomization).

* Among the factors that determine how easily these attacks can be
exploited is the window size. This document should provide, at the very
least, pointers with advice on what to do with the TCP window. While quickly
skimming through RFC 4953, it seems it has some advice on the TCP
window. We do offer a lengthy discussion of this and other issues in
draft-gont-tcp-security and
http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf

* Yet another factor is TCP ISN randomization. At the very least, this
document could/should include a pointer to RFC 1948. We do offer a lengthy
discussion of this and other issues in draft-gont-tcp-security and
http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf

* Just off the top of my head: Hadn't the BGP spec been updated so that a
well-known port was not required as the *source* port?

* The counter-measure for the SYN-based reset attack may have missed
a common heuristic for the handling of SYN segments. See pages 86 and
87 of the UK CPNI paper on TCP security. FWIW, we argue that the
processing of SYN segments proposed in [Ramaiah et al, 2008] should
apply only for connections in any of the synchronized states other than
the TIME-WAIT state.

* When it comes to TCP-based blind-connection reset attacks, there's a
much more trivial -- yet not discussed before? -- alternative. See
Section 11.1.3 and Section 11.1.4 in draft-gont-tcp-security and the
CPNI paper
(http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf).
These variants should, at the very least, be mentioned and a pointer
provided to them as, at least in theory, they are much easier to exploit.

* When it comes to the data injection attack, Michal Zalewski sketched
another attack vector which may be easier to exploit. We discuss it in
Section 16.2 of draft-gont-tcp-security and the CPNI doc, along with
advice. IMO, this vector should be mentioned, too.

Needless to say, I'm in favor of improving the robustness of TCP and,
IPRs aside, I'm happy with the implementation of the counter-measures
described in the tcpsecure I-D (all three).

I'm also glad that this doc is getting close to publication. Five years
working on a document is quite a lot of time! (yes, it could have been
worse, some might argue).

Thanks!

Kind regards,
Fernando Gont

The IESG wrote:
> The IESG has received a request from the TCP Maintenance and Minor 
> Extensions WG (tcpm) to consider the following document:
> 
> - 'Improving TCP's Robustness to Blind In-Window Attacks '
>    <draft-ietf-tcpm-tcpsecure-11.txt> as a Proposed Standard
> 
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action.  Please send substantive comments to the
> ietf@ietf.org mailing lists by 2009-04-16. Exceptionally, 
> comments may be sent to iesg@ietf.org instead. In either case, please 
> retain the beginning of the Subject line to allow automated sorting.
> 
> The file can be obtained via
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-11.txt
> 
> 
> IESG discussion can be tracked via
> https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=11735&rfc_flag=0
> 
> The following IPR Declarations may be related to this I-D:
> 
> https://datatracker.ietf.org/ipr/421/ 
> 

-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
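The two points the message turns on, the RST validation the tcpsecure I-D changes and the way window size and port predictability set the blind attacker's work factor, as an added example that is not Gont's code nor the draft's text: a small Python model of classic in-window RST acceptance beside the tcpsecure-style check (exact RCV.NXT match resets, other in-window RSTs get a challenge ACK), plus the worst-case number of spoofed segments as a function of window and candidate-port count. The port counts (1 versus 2^16) are constructed figures for illustration.

```python
# Added example, not from the message or the tcpsecure draft: models the
# receiver's RST check before and after tcpsecure-style validation, and the
# brute-force work an off-path sender faces as window and port entropy vary.

SEQ_SPACE = 2 ** 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action_classic(seq, rcv_nxt, rcv_wnd):
    """RFC 793 behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_tcpsecure(seq, rcv_nxt, rcv_wnd):
    """tcpsecure-style behaviour: only an exact RCV.NXT match resets; any
    other in-window RST is answered with a challenge ACK (which a blind,
    off-path sender never sees); out-of-window RSTs are dropped."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def blind_rst_work(rcv_wnd, port_choices, exact_match=False):
    """Worst-case number of spoofed RSTs needed to cover the whole search
    space. port_choices is the number of candidate (e.g. source) ports the
    sender must try: 1 when the port is predictable, about 2**16 when it
    is randomized (constructed figures, not measurements)."""
    seq_guesses = SEQ_SPACE if exact_match else -(-SEQ_SPACE // rcv_wnd)
    return seq_guesses * port_choices


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 1000, 65536
    for seq in (1000, 5000, rcv_nxt + rcv_wnd):
        print(seq, rst_action_classic(seq, rcv_nxt, rcv_wnd),
              rst_action_tcpsecure(seq, rcv_nxt, rcv_wnd))
    # A 64 KiB window with a predictable port costs ~65k guesses under the
    # classic check; randomized ports or an exact-match requirement push the
    # work back up to the full 2^32 sequence space.
    print(blind_rst_work(65536, 1), blind_rst_work(65536, 2 ** 16),
          blind_rst_work(65536, 1, exact_match=True))
```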