Re: [tcpm] SYN/ACK Payloads, draft 01

"Adam Langley" <agl@imperialviolet.org> Fri, 15 August 2008 17:09 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3781628C1AB; Fri, 15 Aug 2008 10:09:25 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F22C53A6879 for <tcpm@core3.amsl.com>; Fri, 15 Aug 2008 10:09:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.525
X-Spam-Level:
X-Spam-Status: No, score=-1.525 tagged_above=-999 required=5 tests=[AWL=0.452, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHWO8K6BuRw2 for <tcpm@core3.amsl.com>; Fri, 15 Aug 2008 10:09:23 -0700 (PDT)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.239]) by core3.amsl.com (Postfix) with ESMTP id 0B6323A6768 for <tcpm@ietf.org>; Fri, 15 Aug 2008 10:09:22 -0700 (PDT)
Received: by rv-out-0506.google.com with SMTP id b25so899664rvf.49 for <tcpm@ietf.org>; Fri, 15 Aug 2008 10:09:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references :x-google-sender-auth; bh=zgLSde9FuLVklkZC/BTX3NvtQokv+HWaTsMc7D9G8Sk=; b=N4R/2Qt8bwMUquXsQYpTxmhSrUXzhRQuiUDmuG4M+9wuM4eXduhWrQ6n5XF82RHCJU JFM4O7hI5wSC5zsxlTbr5iR1vUjOVDKJRyEnA6Ei/WHeMEfS2byuJpPOFRxRC9hgqQB/ FThz1ZJ0/n9hKHq20LhFO2S6aDVg6Ut/QgZ9U=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references:x-google-sender-auth; b=I4O7Eg9mVAKOQVO4Pe1m7anzeIe7xA24INBVrCF7GyGHAb9lvc5lw2XB+m11sXj/2U +deOjQJeCfUxwJwlKl0AT9z3w8caMYibW4uhvOJsr2JMpIYh11S9Ub1Eg25nqQxtPyfG VkpGqorIIR/qec8rQOfEgEs8PPCsjAQtUl5eo=
Received: by 10.140.164.6 with SMTP id m6mr1647228rve.208.1218820167262; Fri, 15 Aug 2008 10:09:27 -0700 (PDT)
Received: by 10.141.37.3 with HTTP; Fri, 15 Aug 2008 10:09:27 -0700 (PDT)
Message-ID: <396556a20808151009g2e830590ic1b47afbb19084ef@mail.gmail.com>
Date: Fri, 15 Aug 2008 10:09:27 -0700
From: "Adam Langley" <agl@imperialviolet.org>
To: "Caitlin Bestler" <Caitlin.Bestler@neterion.com>
In-Reply-To: <78C9135A3D2ECE4B8162EBDCE82CAD770417B3EE@nekter>
MIME-Version: 1.0
Content-Disposition: inline
References: <396556a20808111035s2b974233o1e9d3671e82e3350@mail.gmail.com> <396556a20808121155h4e3c551aqcf5260d551bcdd4a@mail.gmail.com> <78C9135A3D2ECE4B8162EBDCE82CAD77040E3E2E@nekter> <396556a20808141014m459e07ebh667aaee60e355ac9@mail.gmail.com> <78C9135A3D2ECE4B8162EBDCE82CAD77040E3F07@nekter> <396556a20808141341p5cb6f6b6m59c95094517a142f@mail.gmail.com> <48A563F1.8060607@0x63.nu> <396556a20808150757n576ebcd7ie12f44034cc26321@mail.gmail.com> <48A5B003.5070408@isi.edu> <78C9135A3D2ECE4B8162EBDCE82CAD770417B3EE@nekter>
X-Google-Sender-Auth: a9bc568f36e6746c
Cc: tcpm@ietf.org, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] SYN/ACK Payloads, draft 01
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

On Fri, Aug 15, 2008 at 9:56 AM, Caitlin Bestler
<Caitlin.Bestler@neterion.com> wrote:
> If this were to move forward, the Security Considerations would need
> to document the amplification attack, and probably have SHOULD language
> about a default maximum packet size.

The 01 draft says this in the security considerations:

"  Any payload in a SYNACK packet must be as frugal as possible since a
   host will be transmitting it to an unconfirmed address.  If a 40 byte
   frame could elicit a 1500 byte reply to an attacker controlled
   address, this would be readily used to hide and amplify distributed
   denial of service attacks."

> But this is probably not something that the TCP stack should enforce.
> There are many situations where the system administrator would have
> valid reasons for knowing that a DoS was already blocked by other means.

You're correct here, the current MUST should be downgraded to a
SHOULD. Implementations can make the best decision here.


As for it moving forward, I don't feel that I would ever get consensus
for the current design. (Although I don't really know how these things
work, I believe that's required.) I shall ponder other means this
weekend, but a quick discussion amongst those who (ab)use TCP stacks
for our internal networks didn't come up with anything.


Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm