Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
Alfie John <alfiej@fastmail.fm> Mon, 18 August 2014 22:46 UTC
Return-Path: <alfiej@fastmail.fm>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 806121A86DE for <tcpm@ietfa.amsl.com>; Mon, 18 Aug 2014 15:46:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnPIMqgw71n8 for <tcpm@ietfa.amsl.com>; Mon, 18 Aug 2014 15:46:34 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6A201A8549 for <tcpm@ietf.org>; Mon, 18 Aug 2014 15:46:34 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by gateway1.nyi.internal (Postfix) with ESMTP id A00E723E4A for <tcpm@ietf.org>; Mon, 18 Aug 2014 18:46:31 -0400 (EDT)
Received: from web2 ([10.202.2.212]) by compute4.internal (MEProxy); Mon, 18 Aug 2014 18:46:32 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=fastmail.fm; h= message-id:from:to:cc:mime-version:content-transfer-encoding :content-type:reply-to:in-reply-to:references:subject:date; s= mesmtp; bh=1f+4YcDrhfyiPaRRXs5aWyphHJ0=; b=ogOHF1LMdStr8QkPFwIF2 kepMT28iWQEPEvlRWPschPLiLgVCf7SKZnO9TGjg/3tU0az8Yc8n+KbY3+BmSS3Z 5d2JHRObCAGf+HVkvqUhbWAakhesDTM4Tew40RbBarHg+KjAZDHR825WIusSMQ9k ioFZ7835lqS6jD+gPp8lp0=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:from:to:cc:mime-version :content-transfer-encoding:content-type:reply-to:in-reply-to :references:subject:date; s=smtpout; bh=1f+4YcDrhfyiPaRRXs5aWyph HJ0=; b=uaeKUZO9NSkvhdBTYDlYLiPCDl11UhbvT4kjOiamB5Y0x7jPF+lHUQXe mnLTbves5nC3JdiPBFlSndn9xaajRtYPwkgrLzhlvjvdXfP3rUaSRtlqMngMRIzW vsUP9KurYxkFhf+/qVxl602NPUtSowsj6b0VWV5QjKdBeyfP57w=
Received: by web2.nyi.internal (Postfix, from userid 99) id 68528540211; Mon, 18 Aug 2014 18:46:31 -0400 (EDT)
Message-Id: <1408401991.317123.154137701.0A30F30C@webmail.messagingengine.com>
X-Sasl-Enc: JHBeGcH/f8MHvuuzfKmlgTgCzKpRvZuWu+EKNuwYG5JW 1408401991
From: Alfie John <alfiej@fastmail.fm>
To: "Scheffenegger, Richard" <rs@netapp.com>, Jacob Appelbaum <jacob@appelbaum.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
X-Mailer: MessagingEngine.com Webmail Interface - ajax-5f815d4c
In-Reply-To: <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com>
Date: Tue, 19 Aug 2014 00:46:31 +0200
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/8JvPI_5ZBqllVhm0fn5k_OpDSKM
X-Mailman-Approved-At: Tue, 19 Aug 2014 08:02:54 -0700
Cc: Christian Grothoff <christian@grothoff.org>, tcpinc@ietf.org, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: alfiej@fastmail.fm
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Aug 2014 22:46:36 -0000
On Tue, Aug 19, 2014, at 12:07 AM, Scheffenegger, Richard wrote: > my concern is with the use of a static ISN for each 4-tuple; this > significantly increases the chance of a collision between sessions > (ie. when the sender terminates a sluggish earlier session, some > segments of that last session will very likely be in-window for a > session that was started a short time later). > > (I understand that an application could use some crude time-based > salt, to address this concern. But that would mean application/socket > level modifications; and additional failure modes - like Kerberos has > with the 5 min time window). > > Of course, the ephemeral source ports (the remaining 3 fields of the 4 > tuple will again be static for a given service) will provide some > protection, as each different source port will have a different ISN. Yeah, unless the client is using a fixed source port for whatever reason, the source port should uniquely identify connections. Maybe this wouldn't be useful from a high-traffic NAT as source port reuse is a possibility, but apart from that I'm still all for this. > OTOH, detection of this knocking scheme will be rather easy by passive > means - currently the probability to two identical ISNs between two > different sessions for the same 4-tuple (IP + ports) will be around > 2^-32; with this, it is 1; and the number of ephemeral ports is > limited so observing a protected web server will be rather straight > forwards. > > Which probably will flag such a service as a primary target for those > adversaries this scheme is supposed to protect against. > > Or am I missing something? I don't think you're understanding it's main use case. Just like with vanilla port knocking, it would completely transparent to someone listening on the wire. But this isn't what it would be used for. It's purpose is to protect services from the common script kiddie, but the NSA. e.g. I wish to setup a web server on my home machine protected by a password. The only user is me, but I don't know where I will be connecting from so I can't firewall because I don't know my source IP address. If this RFC were in place, port 80 would only be available to me since I know the shared secret. Sure anyone listening on the wire can see that I've got a service listening on port 80, but my main concern are the script kiddies who try to find open services and then hammer my home server with common exploits. This RFC completely protects my web server from the script kiddies without me having to setup port knocking (off- topic, but port knocking can sometimes be a pain). Alfie -- Alfie John alfiej@fastmail.fm
- [tcpm] TCP Stealth - possible interest to the WG Scheffenegger, Richard
- Re: [tcpm] TCP Stealth - possible interest to the… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] TCP Stealth - possible interest to the… Ted Faber
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Yoshifumi Nishida
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Daniel Borkmann
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff