Re: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt

"Smith, Donald" <Donald.Smith@qwest.com> Tue, 18 May 2010 21:39 UTC

Return-Path: <Donald.Smith@qwest.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 566203A68FC; Tue, 18 May 2010 14:39:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.006
X-Spam-Level:
X-Spam-Status: No, score=-0.006 tagged_above=-999 required=5 tests=[AWL=-0.421, BAYES_40=-0.185, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kypva4JkrqId; Tue, 18 May 2010 14:39:36 -0700 (PDT)
Received: from sudnp799.qwest.com (sudnp799.qwest.com [155.70.32.99]) by core3.amsl.com (Postfix) with ESMTP id 3CD633A67F5; Tue, 18 May 2010 14:39:31 -0700 (PDT)
Received: from sudnp796.qintra.com (sudnp796.qintra.com [151.116.2.212]) by sudnp799.qwest.com (8.14.4/8.14.4) with ESMTP id o4ILdM8R020782 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 18 May 2010 15:39:22 -0600 (MDT)
Received: from qtdenexhtm22.AD.QINTRA.COM (localhost [127.0.0.1]) by sudnp796.qintra.com (8.14.4/8.14.4) with ESMTP id o4ILdGRW029920; Tue, 18 May 2010 15:39:17 -0600 (MDT)
Received: from qtdenexmbm24.AD.QINTRA.COM ([151.119.91.226]) by qtdenexhtm22.AD.QINTRA.COM ([151.119.91.231]) with mapi; Tue, 18 May 2010 15:39:17 -0600
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: "'Anantha Ramaiah (ananth)'" <ananth@cisco.com>, "'tcpm@ietf.org'" <tcpm@ietf.org>, 'The IESG' <iesg@ietf.org>
Date: Tue, 18 May 2010 15:39:16 -0600
Thread-Topic: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
Thread-Index: Acq5q9zzpcVWcYT4S5OmJS6FWMliJg9DCCygAAH3UGAABKS9MA==
Message-ID: <B01905DA0C7CDC478F42870679DF0F1007C8D4C85F@qtdenexmbm24.AD.QINTRA.COM>
References: <201003012159.WAA15069@TR-Sys.de><C80820C2-D74A-49B4-AF22-CE16C46A9A7D@nokia.com><4B8C70C0.8090708@gont.com.ar> <B01905DA0C7CDC478F42870679DF0F1007C8D4C7F2@qtdenexmbm24.AD.QINTRA.COM> <0C53DCFB700D144284A584F54711EC5809AB79BB@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC5809AB79BB@xmb-sjc-21c.amer.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2010 21:39:37 -0000

Won't this break syn cookies since the server doesn't keep state on the original syn's sequence number?


(coffee != sleep) & (!coffee == sleep)
Donald.Smith@qwest.com gcia

> -----Original Message-----
> From: Anantha Ramaiah (ananth) [mailto:ananth@cisco.com]
> Sent: Tuesday, May 18, 2010 2:32 PM
> To: Smith, Donald; tcpm@ietf.org; The IESG
> Subject: RE: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
>
> Smith,
>     Comments inline..
>
> > -----Original Message-----
> > From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On
> > Behalf Of Smith, Donald
> > Sent: Tuesday, May 18, 2010 12:18 PM
> > To: 'tcpm@ietf.org WG'; 'The IESG'
> > Subject: Re: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
> >
> > First throughout this draft the authors refer to sequence
> > number checking where they really mean acknowledgement number
> > checking:( You can't quite do :g/sequence
>
> Incorrect. RST and SYN mitigtations talk about the sequence number
> checking. The ACK number is not relevant as far as the mitigation
> themselves are cocnerned. Data mitigation talks about the ACK
> number. We
> had added more text to make sure such ambiguity was removed when the
> data mitigation was discussed in response to WG comments.
>
>
> > number/s//acknowledgement number/g as in a few places it is
> > the senders sequence number they are discussing.
> > The authors also use "the exact expected sequence number" a lot.
> > I think they mean: last sent sequence number + the data length sent
>
> Nope, exact sequence number is RCV.NXT (which is the exact sequence
> number) RCV.NXT + RCV.WND -1 is the right edge.  Any sequence number
> which falls in this window is considered valid. These are all
> terminology borrowed from RFC 793 and we are not changing those.
>
> >
> > This looks a LOT like gonts draft but may be an attempt to
> > address just one issue identified here.
> >
> > http://tools.ietf.org/html/draft-gont-tcp-security-00#section-3.4
>
> What? TCP secure draft was first published in 2004/2005 after which
> followed informational RFC on "TCP spoofing attacks" , ICMP attacks,
> port randomization and then Gont's draft. TCP secure, FWIW, was an
> inspiration to all these drafts (with due acknowledgements to Watson's
> "slipping in the window" paper)
>
> Probably Gont's draft should refer this draft if not already doing so.
>
> Were you not really following this document, this has been floating
> around for the last 5+ years in the IETF ?
>
> >
> >
> > This is slightly incorrect. In window would include an exact
> > match for rcv.net+rcv.wnd so the right side should be =<.
> > The wording for how to do the challenge ack is a bit
> > difficult to follow too.
>
> Why? This has been reviewed by many folks and the way it is : i.e,
> quoting the RFC 793 text FIRST and then quoting the
> mitigations NEXT was
> easier to follow. I don't plan to change the WG decision.
>
> >
> >
> >
> >    3) If the RST bit is set and the sequence number does not exactly
> >       match the next expected sequence value, yet is within
> > the current
> >       receive window (RCV.NXT < SEG.SEQ < RCV.NXT+RCV.WND), TCP MUST
> >       send an acknowledgment (challenge ACK):
> >
> >       <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
> >
> > Ramaiah, et al.         Expires November 4, 2010
> >   [Page 9]
> > Internet-Draft                TCP Security
> >   May 2010
> >
> >       After sending the challenge ACK, TCP MUST drop the
> unacceptable
> >       segment and stop processing the incoming packet
> > further.  Further
> >       segments destined to this connection will be processed
> > as normal.
> >
> >
> >
> >
> >
> >
> >    3) If the RST bit is set and the sequence number does not exactly
> >       match the next expected sequence value, yet is within
> > the current
> >       receive window (RCV.NXT < SEG.SEQ =<
> RCV.NXT+RCV.WND), TCP MUST
> >       send an acknowledgment (challenge ACK):
>
> Again this is the RFC 793 language, we haven't changed it. (Pl see RFC
> 793 page 69, acceptability checks)
>
> >
> >       <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
>
> The challenge ACK is what matters and you should be looking into.
>
> >
> >
> >
> >
> >
> >
> >
> > Ramaiah, et al.         Expires November 4, 2010
> >   [Page 9]
> >
> > Internet-Draft                TCP Security
> >   May 2010
> >
> >
> >       After sending the challenge ACK, TCP MUST silently drop
> > the in window
> >       but not exact match segment and stop processing it.
> Additional
> >       segments destined to this connection MUST be processed
> > as normal.
> >
> > That last line is really extraneous. You don't say what
> > happens to the packets before this event I am not sure you
> > have to say handle the next packet per normal behavior;) The
> > authors need to explain exactly what that challenge ACK looks like.
> > I think it is the same 4 tuple, ack = last sent ack, seq =
> > last sent seq (no data).
>
> Well, you can go on explaining each and everything, we had chosen to
> stick to the RFC 793 language, in other words, the intention is affect
> only the portion of RFC 793 and rest is exactly what RFC 793
> says. If we
> add additional text that would really add to the confusion. This was
> atleast the rationale and WG had agreed to such thinking w.r.t this
> draft.
>
> >
> >
> >
> >
> > Still on page 9.
> > In all states except SYN-SENT, all reset (RST) segments are
> validated
> >    by checking their SEQ-fields [sequence numbers].  A reset
> > is valid if
> >    its sequence number exactly matches the next expected sequence
> >    number.  If the RST arrives and its sequence number
> field does NOT
> >    match the next expected sequence number but is within the window,
> >    then the receiver should generate an ACK.  In all other
> cases where
> >    the SEQ-field does not match and is outside the window,
> > the receiver
> >    MUST silently discard the segment.
> >
> >
> > Should be:
> > In all states except SYN-SENT, all reset (RST) segments are
> validated
> >    by checking their ACK-fields [acknowledgement numbers].  A
>
> Incorrect. It is the sequence number that needs to be validated first,
> please read RFC 793. (Page 37 RFC 793)
>
> > reset is valid if
> >    its acknowledgement number exactly matches the last sent
> > sequence number + the data length sent.
> >    If the RST arrives and its acknowledgement number field does NOT
> >    match the last sent sequence number + the data length sent
> > but is within the window,
> >    then the receiver SHOULD (or MUST?) generate an ACK.  In
> > all other cases where
> >    the ACK-field does not match and is outside the window,
> > the receiver
> >    MUST silently discard the segment.
> >
> >
> >
> > (coffee != sleep) & (!coffee == sleep)
>
> Not sure which of the above caused confusion ;-)
>
> -Anantha
>
>

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.