Re: [tcpm] SYN/ACK Payloads, draft 01

"Adam Langley" <> Fri, 15 August 2008 17:09 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 3781628C1AB; Fri, 15 Aug 2008 10:09:25 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id F22C53A6879 for <>; Fri, 15 Aug 2008 10:09:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.525
X-Spam-Status: No, score=-1.525 tagged_above=-999 required=5 tests=[AWL=0.452, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zHWO8K6BuRw2 for <>; Fri, 15 Aug 2008 10:09:23 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 0B6323A6768 for <>; Fri, 15 Aug 2008 10:09:22 -0700 (PDT)
Received: by with SMTP id b25so899664rvf.49 for <>; Fri, 15 Aug 2008 10:09:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references :x-google-sender-auth; bh=zgLSde9FuLVklkZC/BTX3NvtQokv+HWaTsMc7D9G8Sk=; b=N4R/2Qt8bwMUquXsQYpTxmhSrUXzhRQuiUDmuG4M+9wuM4eXduhWrQ6n5XF82RHCJU JFM4O7hI5wSC5zsxlTbr5iR1vUjOVDKJRyEnA6Ei/WHeMEfS2byuJpPOFRxRC9hgqQB/ FThz1ZJ0/n9hKHq20LhFO2S6aDVg6Ut/QgZ9U=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references:x-google-sender-auth; b=I4O7Eg9mVAKOQVO4Pe1m7anzeIe7xA24INBVrCF7GyGHAb9lvc5lw2XB+m11sXj/2U +deOjQJeCfUxwJwlKl0AT9z3w8caMYibW4uhvOJsr2JMpIYh11S9Ub1Eg25nqQxtPyfG VkpGqorIIR/qec8rQOfEgEs8PPCsjAQtUl5eo=
Received: by with SMTP id m6mr1647228rve.208.1218820167262; Fri, 15 Aug 2008 10:09:27 -0700 (PDT)
Received: by with HTTP; Fri, 15 Aug 2008 10:09:27 -0700 (PDT)
Message-ID: <>
Date: Fri, 15 Aug 2008 10:09:27 -0700
From: Adam Langley <>
To: Caitlin Bestler <>
In-Reply-To: <78C9135A3D2ECE4B8162EBDCE82CAD770417B3EE@nekter>
MIME-Version: 1.0
Content-Disposition: inline
References: <> <> <78C9135A3D2ECE4B8162EBDCE82CAD77040E3E2E@nekter> <> <78C9135A3D2ECE4B8162EBDCE82CAD77040E3F07@nekter> <> <> <> <> <78C9135A3D2ECE4B8162EBDCE82CAD770417B3EE@nekter>
X-Google-Sender-Auth: a9bc568f36e6746c
Cc:, Joe Touch <>
Subject: Re: [tcpm] SYN/ACK Payloads, draft 01
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Fri, Aug 15, 2008 at 9:56 AM, Caitlin Bestler
<> wrote:
> If this were to move forward, the Security Considerations would need
> to document the amplification attack, and probably have SHOULD language
> about a default maximum packet size.

The 01 draft says this in the security considerations:

"  Any payload in a SYNACK packet must be as frugal as possible since a
   host will be transmitting it to an unconfirmed address.  If a 40 byte
   frame could elicit a 1500 byte reply to an attacker controlled
   address, this would be readily used to hide and amplify distributed
   denial of service attacks."

> But this is probably not something that the TCP stack should enforce.
> There are many situations where the system administrator would have
> valid reasons for knowing that a DoS was already blocked by other means.

You're correct here, the current MUST should be downgraded to a
SHOULD. Implementations can make the best decision here.

As for it moving forward, I don't feel that I would ever get consensus
for the current design. (Although I don't really know how these things
work, I believe that's required.) I shall ponder other means this
weekend, but a quick discussion amongst those who (ab)use TCP stacks
for our internal networks didn't come up with anything.



Adam Langley
tcpm mailing list