Re: [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-00.txt
"Randall Stewart (cisco)" <rrs@cisco.com> Wed, 21 April 2004 22:21 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA23138 for <tcpm-archive@odin.ietf.org>; Wed, 21 Apr 2004 18:21:32 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BGPoz-0002F9-5J for tcpm-archive@odin.ietf.org; Wed, 21 Apr 2004 18:03:59 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i3LM3v2I008618 for tcpm-archive@odin.ietf.org; Wed, 21 Apr 2004 18:03:57 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BGOh0-0006GH-Rs for tcpm-web-archive@optimus.ietf.org; Wed, 21 Apr 2004 16:51:38 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA13510 for <tcpm-web-archive@ietf.org>; Wed, 21 Apr 2004 16:51:35 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BGOgy-0002jx-RK for tcpm-web-archive@ietf.org; Wed, 21 Apr 2004 16:51:36 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BGOfq-0002Xg-00 for tcpm-web-archive@ietf.org; Wed, 21 Apr 2004 16:50:27 -0400
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1BGOf6-0002Lk-00 for tcpm-web-archive@ietf.org; Wed, 21 Apr 2004 16:49:40 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BGOYf-00030u-0B; Wed, 21 Apr 2004 16:43:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BGKB0-0007nR-QS for tcpm@optimus.ietf.org; Wed, 21 Apr 2004 12:02:18 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA28850 for <tcpm@ietf.org>; Wed, 21 Apr 2004 12:02:15 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BGKAz-0007fU-JV for tcpm@ietf.org; Wed, 21 Apr 2004 12:02:17 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BGK9n-0007Qs-00 for tcpm@ietf.org; Wed, 21 Apr 2004 12:01:04 -0400
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx with esmtp (Exim 4.12) id 1BGK95-000779-00 for tcpm@ietf.org; Wed, 21 Apr 2004 12:00:19 -0400
Received: from sj-core-5.cisco.com (171.71.177.238) by sj-iport-2.cisco.com with ESMTP; 21 Apr 2004 08:10:21 +0000
Received: from mira-sjc5-c.cisco.com (IDENT:mirapoint@mira-sjc5-c.cisco.com [171.71.163.17]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id i3LFxl7t027253; Wed, 21 Apr 2004 08:59:47 -0700 (PDT)
Received: from cisco.com (rtp-dial-1-162.cisco.com [10.83.97.162]) by mira-sjc5-c.cisco.com (MOS 3.4.5-GR) with ESMTP id ATF60817; Wed, 21 Apr 2004 08:59:44 -0700 (PDT)
Message-ID: <40869A69.2070607@cisco.com>
Date: Wed, 21 Apr 2004 10:59:37 -0500
From: "Randall Stewart (cisco)" <rrs@cisco.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20031008
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Anantha Ramaiah <ananth@cisco.com>
CC: sanjay kaniyar <skaniyar@hotmail.com>, tcpm@ietf.org
Subject: Re: [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-00.txt
References: <BAY2-F16690Ss8uaP6w0006beda@hotmail.com> <Pine.GSO.4.58.0404202037010.8940@ananth-u5.cisco.com>
In-Reply-To: <Pine.GSO.4.58.0404202037010.8940@ananth-u5.cisco.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: tcpm-admin@ietf.org
Errors-To: tcpm-admin@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.1 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Anantha: I agree with you... we need to fix this... but also it may not even be worth the extra code to check these conditions and generate a ACK accordingly.. it is a real real corner case... R Anantha Ramaiah wrote: >Sanjay, > Randall can answer this but we thought about this case it is >one of the *real corner cases* Good eye :) > >Actually B could be reworded as : > >C) If the SYN bit is set and the sequence number(isn) is one less then the >next expected sequence (RCV.NXT) then send an ACK segment with the peer >but subtracting one from RCV.NXT. to the peer. > ie SEG.SEQ = (RCV.NXT - 1) > >By sending a ACK that is less than the RCV.NXT value in case of a spoofed >segment the true peer will drop the ACK as an old duplicate. The restart >case also gets satisfied and the reset would be sent back! > >Most of the TCP stacks treat (RCV.NXT - 1) as an RST of a keepalive packet >and would accept that. Hmm.. we may have a corner case here in case if >the RST gets dropped because of outside window. > >Also the suggestion of sending the RST for an exact match (SEG.SEQ = >TCB.RCVNXT) was thought about, but the idea to squeeze as much as possible >to make the attacker's life harder.. Probably needs more thought to >address this corner case. > >Randall and Mitesh may have more comments here.. > >-Anantha >On Tue, 20 Apr 2004, sanjay kaniyar wrote: > > > >>Hello, >> >>I read through the draft and there might be an issue with how it deals with >>one of the reconnect cases. My question is outlined below: >> >>------------------------------------------------------------------------ >>Let's consider the case where we have server[S] implementing this draft >>and a client[C] which is trying to connect to it and the ISS chosen by >>the client happens to be the same as the next expected sequence number >>on server. >> >>[S] >>Sitting in established state. >>RcvNxt = x >>SndUna = SndNxt = SndMax = y >> >>[C] >>comes up after a reboot, >>tries to reconnect to [S] (chooses the same 4-tuple) >>ISS = x >>Sends a SYN (seq = x, Ack = invalid) >> >>Follwing 3.2 (B), [S] sends back an ACK >> >> If the SYN bit is set and the sequence number is an exact match to >> the next expected sequence (RCV.NXT == SEG.SEQ) then send an ACK >> segment to the peer but before sending the ACK segment subtract >> one from value being acknowledged. >> >>[S] -> [C], ACK (seq = y, Ack = x) >> >>The segment reaches the client. >> >>[C] follows RFC 793 - and does the following: >> >> If the state is SYN-SENT then >> first check the ACK bit >> If the ACK bit is set >> If SEG.ACK =< ISS, or SEG.ACK > SND.NXT, send a reset (unless >> the RST bit is set, if so drop the segment and return) >> <SEQ=SEG.ACK><CTL=RST> >> and discard the segment. Return. >> >>[C] -> [S], RST (seq = x, Ack = invalid) >> >>The Reset reaches the server: >> >>[S] follows (either 793 or the draft 2.2 [A]): >> >> A) If the RST bit is set and the sequence number is outside the >> expected window, silently drop the segment. >> >>.. and drops the RST. >> >> >>The client might/will retry a few times - but each time the sequence of >>events is the same - and this results in a valid connect attempt from >>succeeding - which would not have happened had the server followed RFC 793 >>processing rules. >> >>My suggestion would be to abort the connection at [S] when ISS == RcvNxt. >>That would take care of this problem while not being any easier to exploit >>than just sending a RST is. >> >>Thanks, >>Sanjay >> >>_________________________________________________________________ >>Get rid of annoying pop-up ads with the new MSN Toolbar ? FREE! >>http://toolbar.msn.com/go/onm00200414ave/direct/01/ >> >> >>_______________________________________________ >>tcpm mailing list >>tcpm@ietf.org >>https://www1.ietf.org/mailman/listinfo/tcpm >> >> >> > > > -- Randall R. Stewart ITD - Transport Technologies 815-477-2127(o) or 815-342-5222(c) _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-00.txt Internet-Drafts
- RE: [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-0… sanjay kaniyar
- RE: [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-0… Anantha Ramaiah
- RE: [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-0… sanjay kaniyar
- Re: [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-0… Randall Stewart (cisco)
- RE: [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-0… Mika Liljeberg
- Re: [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-0… Anantha Ramaiah
- Re: [tcpm] I-D ACTION:draft-ietf-tcpm-tcpsecure-0… Randall Stewart (cisco)