IETF Logo Mail Archive

Re: [tcpm] [Technical Errata Reported] RFC5961 (4772)

Yuchung Cheng <ycheng@google.com> Fri, 12 August 2016 16:54 UTC

Return-Path: <ycheng@google.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A11C712D859 for <tcpm@ietfa.amsl.com>; Fri, 12 Aug 2016 09:54:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.948
X-Spam-Level:
X-Spam-Status: No, score=-3.948 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HWbmcb-rEdL6 for <tcpm@ietfa.amsl.com>; Fri, 12 Aug 2016 09:54:49 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95B6312D840 for <tcpm@ietf.org>; Fri, 12 Aug 2016 09:54:49 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id f6so19007686ith.0 for <tcpm@ietf.org>; Fri, 12 Aug 2016 09:54:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=HwabPsmXNh7L+dPcdwspJVRbSHdSVgyvCle1hgIU+3U=; b=UBePv6L3TRUtp7DMsFMyuleFAxgipyc7hTueeNMQt04tHFUU+ZwhIScIfwjMbXRNcM IJZi9fSubdTscLDDlhZEWEXC5w6wCkKgwZOuOo6DRmmH8wkuHLAD/BpQYBEevCCbF5NX y5eEp9E2BzdNxnrVw/UE89Fq2H/o4R1861gxYos6XpFlrjUNZEAmUoZx+9+YhkxrwjP7 LhP2qKky1ZJzpy7YdG7X3T0VAAK9N+9F02Nnd0xFLsarPQxUItjqMxHdaUWWkz1uv77q ChNz2bt6k6EA21/bMtjjgPLg4yosxMPblUZHwkKOR6pZXXiPcYvz4rITDRqWbrPMAAe2 YMng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=HwabPsmXNh7L+dPcdwspJVRbSHdSVgyvCle1hgIU+3U=; b=Nxr6/GzgL5RgCBeW1C4Xj2vZ+cqqbLlUaf/eSIEWDV3NiFQta92uBbIjJIKHnRI8kK rPLrrJxhE+fBdZjboDKvHayDerOhGY45eHXoSc4QBsO0x5ndMjTt59LQYtbjF5XfPNfQ dEw1jYuVfDxZnXibo2fUL4AxrYI0wcC3gctJlMX05mxXSS/LnITjCNTHaL4Dhq/wmkqA ZMovcSy2+tTc6fmd5UeKUADDcYiKTYn9tZCLSD0ZwYSV2KAQ5sCRj4KAtXTazdtw6aiI 3ymr4TYhFUwEfquDznC7XVnwxB+VHwqoyZ3KRNpAuMdlejVjGpVyEyk4sHg2tBRJ+nXN Yz6A==
X-Gm-Message-State: AEkoouuzA0j9V1ahnDchKaSXXUxUeWVagmNphthhIY1fTkm+zO4aM0STxkFn6mv+T7tcVMUCg1uGIew+aV6BHtuP
X-Received: by 10.36.73.195 with SMTP id e64mr4296377itd.80.1471020888444; Fri, 12 Aug 2016 09:54:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.244.103 with HTTP; Fri, 12 Aug 2016 09:54:07 -0700 (PDT)
In-Reply-To: <e8d9584f-a069-ec4f-d6f1-f8e199fdb071@isi.edu>
References: <20160810183654.05358B80C3A@rfc-editor.org> <CAOp4FwTogyBXLYdjHrrnM3-Uz2wpSX31eZg+GJwUP5LBnqu=sQ@mail.gmail.com> <7ac89d58-fc3a-9e12-9d22-0602944f8677@isi.edu> <e8d9584f-a069-ec4f-d6f1-f8e199fdb071@isi.edu>
From: Yuchung Cheng <ycheng@google.com>
Date: Fri, 12 Aug 2016 09:54:07 -0700
Message-ID: <CAK6E8=ewOCUBu7Ko9aK78_e2rmR70G_yvUpZKLm3n0tYdLs=Yw@mail.gmail.com>
To: Joe Touch <touch@isi.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/Es_c7yi2YyQVevFrwz5_oXRPXks>
Cc: "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Subject: Re: [tcpm] [Technical Errata Reported] RFC5961 (4772)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2016 16:54:51 -0000

On Thu, Aug 11, 2016 at 12:40 PM, Joe Touch <touch@isi.edu> wrote:
> FWIW, I don't really see the need for this new doc at all.
+1
>
> Everything in 5961 is within the context of a single connection. The
> misreading of this doc doesn't warrant updating, clarifying, etc.
I think an errata on recommending per-connection limit and cite the
research finding is worthy.

>
> The behavior of Linux should be treated simply as the bug that it is and
> corrected, but there's no reason to pollute the RFC stream or increase
> the complexity of TCP requirements on the basis of a bug.
>
> Joe
>
>
> On 8/11/2016 12:36 PM, Joe Touch wrote:
>> FWIW, I see nothing in RFC5961 that implies that ACK throttling - or
>> anything in the doc - should be across connections.
>>
>> This new doc can claim to clarify Sec 7 of that RFC, but I see no reason
>> to deprecate it.
>>
>> Joe
>>
>>
>> On 8/11/2016 9:27 AM, Loganaden Velvindron wrote:
>>> I submitted this draft, yesterday.:
>>>
>>> https://tools.ietf.org/html/draft-lvelvindron-ack-throttling-02
>>>
>>> It's a work-in-progress, but I welcome feedback.
>>>
>>>
>>> On Wed, Aug 10, 2016 at 10:36 PM, RFC Errata System
>>> <rfc-editor@rfc-editor.org> wrote:
>>>> The following errata report has been submitted for RFC5961,
>>>> "Improving TCP's Robustness to Blind In-Window Attacks".
>>>>
>>>> --------------------------------------
>>>> You may review the report below and at:
>>>> http://www.rfc-editor.org/errata_search.php?rfc=5961&eid=4772
>>>>
>>>> --------------------------------------
>>>> Type: Technical
>>>> Reported by: Stéphane Bortzmeyer <bortzmeyer+ietf@nic.fr>
>>>>
>>>> Section: 7
>>>>
>>>> Original Text
>>>> -------------
>>>> [The entire section]
>>>>
>>>> Corrected Text
>>>> --------------
>>>> No suggested text because it requires a much more serious analysis.
>>>> May be adding that the rate-limit counter SHOULD be per-connection,
>>>> in the spirit of RFC 6528?
>>>>
>>>> Notes
>>>> -----
>>>> It appears the section does not specify that the counter for ACK throttling SHOULD be per-connection. In Linux, it is apparently global, which allowed its use as a side channel enabling nasty attacks (CVE-2016-5696 and the paper "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous" <http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf>)
>>>>
>>>> Instructions:
>>>> -------------
>>>> This erratum is currently posted as "Reported". If necessary, please
>>>> use "Reply All" to discuss whether it should be verified or
>>>> rejected. When a decision is reached, the verifying party (IESG)
>>>> can log in to change the status and edit the report, if necessary.
>>>>
>>>> --------------------------------------
>>>> RFC5961 (draft-ietf-tcpm-tcpsecure-13)
>>>> --------------------------------------
>>>> Title               : Improving TCP's Robustness to Blind In-Window Attacks
>>>> Publication Date    : August 2010
>>>> Author(s)           : A. Ramaiah, R. Stewart, M. Dalal
>>>> Category            : PROPOSED STANDARD
>>>> Source              : TCP Maintenance and Minor Extensions
>>>> Area                : Transport
>>>> Stream              : IETF
>>>> Verifying Party     : IESG
>>>>
>>>>
>>>> _______________________________________________
>>>> tcpm mailing list
>>>> tcpm@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tcpm
>>>>
>>> _______________________________________________
>>> tcpm mailing list
>>> tcpm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tcpm
>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email