Re: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt

"Anantha Ramaiah (ananth)" <ananth@cisco.com> Tue, 18 May 2010 20:32 UTC

Return-Path: <ananth@cisco.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CC3153A6954; Tue, 18 May 2010 13:32:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.999
X-Spam-Level:
X-Spam-Status: No, score=-8.999 tagged_above=-999 required=5 tests=[AWL=-1.600, BAYES_50=0.001, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vEGpweb9p8h; Tue, 18 May 2010 13:32:28 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id CFEAF3A696C; Tue, 18 May 2010 13:32:25 -0700 (PDT)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAB+W8kurR7Ht/2dsb2JhbACeBHGlEJluhRAEg0A
X-IronPort-AV: E=Sophos;i="4.53,257,1272844800"; d="scan'208";a="199181216"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-5.cisco.com with ESMTP; 18 May 2010 20:32:18 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o4IKWHHp028477; Tue, 18 May 2010 20:32:18 GMT
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 18 May 2010 13:32:18 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 18 May 2010 13:32:16 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC5809AB79BB@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <B01905DA0C7CDC478F42870679DF0F1007C8D4C7F2@qtdenexmbm24.AD.QINTRA.COM>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
Thread-Index: Acq5q9zzpcVWcYT4S5OmJS6FWMliJg9DCCygAAH3UGA=
References: <201003012159.WAA15069@TR-Sys.de><C80820C2-D74A-49B4-AF22-CE16C46A9A7D@nokia.com><4B8C70C0.8090708@gont.com.ar> <B01905DA0C7CDC478F42870679DF0F1007C8D4C7F2@qtdenexmbm24.AD.QINTRA.COM>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: "Smith, Donald" <Donald.Smith@qwest.com>, <tcpm@ietf.org>, "The IESG" <iesg@ietf.org>
X-OriginalArrivalTime: 18 May 2010 20:32:18.0171 (UTC) FILETIME=[359B4CB0:01CAF6C9]
Subject: Re: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2010 20:32:30 -0000

Smith,
    Comments inline.. 

> -----Original Message-----
> From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> Behalf Of Smith, Donald
> Sent: Tuesday, May 18, 2010 12:18 PM
> To: 'tcpm@ietf.org WG'; 'The IESG'
> Subject: Re: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
> 
> First throughout this draft the authors refer to sequence 
> number checking where they really mean acknowledgement number 
> checking:( You can't quite do :g/sequence 

Incorrect. RST and SYN mitigtations talk about the sequence number
checking. The ACK number is not relevant as far as the mitigation
themselves are cocnerned. Data mitigation talks about the ACK number. We
had added more text to make sure such ambiguity was removed when the
data mitigation was discussed in response to WG comments.


> number/s//acknowledgement number/g as in a few places it is 
> the senders sequence number they are discussing.
> The authors also use "the exact expected sequence number" a lot.
> I think they mean: last sent sequence number + the data length sent

Nope, exact sequence number is RCV.NXT (which is the exact sequence
number) RCV.NXT + RCV.WND -1 is the right edge.  Any sequence number
which falls in this window is considered valid. These are all
terminology borrowed from RFC 793 and we are not changing those.

> 
> This looks a LOT like gonts draft but may be an attempt to 
> address just one issue identified here.
> 
> http://tools.ietf.org/html/draft-gont-tcp-security-00#section-3.4

What? TCP secure draft was first published in 2004/2005 after which
followed informational RFC on "TCP spoofing attacks" , ICMP attacks,
port randomization and then Gont's draft. TCP secure, FWIW, was an
inspiration to all these drafts (with due acknowledgements to Watson's
"slipping in the window" paper)

Probably Gont's draft should refer this draft if not already doing so.

Were you not really following this document, this has been floating
around for the last 5+ years in the IETF ?

> 
> 
> This is slightly incorrect. In window would include an exact 
> match for rcv.net+rcv.wnd so the right side should be =<.
> The wording for how to do the challenge ack is a bit 
> difficult to follow too.

Why? This has been reviewed by many folks and the way it is : i.e,
quoting the RFC 793 text FIRST and then quoting the mitigations NEXT was
easier to follow. I don't plan to change the WG decision.

> 
> 
> 
>    3) If the RST bit is set and the sequence number does not exactly
>       match the next expected sequence value, yet is within 
> the current
>       receive window (RCV.NXT < SEG.SEQ < RCV.NXT+RCV.WND), TCP MUST
>       send an acknowledgment (challenge ACK):
> 
>       <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
> 
> Ramaiah, et al.         Expires November 4, 2010              
>   [Page 9]
> Internet-Draft                TCP Security                    
>   May 2010
> 
>       After sending the challenge ACK, TCP MUST drop the unacceptable
>       segment and stop processing the incoming packet 
> further.  Further
>       segments destined to this connection will be processed 
> as normal.
> 
> 
> 
> 
> 
> 
>    3) If the RST bit is set and the sequence number does not exactly
>       match the next expected sequence value, yet is within 
> the current
>       receive window (RCV.NXT < SEG.SEQ =< RCV.NXT+RCV.WND), TCP MUST
>       send an acknowledgment (challenge ACK):

Again this is the RFC 793 language, we haven't changed it. (Pl see RFC
793 page 69, acceptability checks)

> 
>       <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>

The challenge ACK is what matters and you should be looking into.

> 
> 
> 
> 
> 
> 
> 
> Ramaiah, et al.         Expires November 4, 2010              
>   [Page 9]
> 
> Internet-Draft                TCP Security                    
>   May 2010
> 
> 
>       After sending the challenge ACK, TCP MUST silently drop 
> the in window
>       but not exact match segment and stop processing it.  Additional
>       segments destined to this connection MUST be processed 
> as normal.
> 
> That last line is really extraneous. You don't say what 
> happens to the packets before this event I am not sure you 
> have to say handle the next packet per normal behavior;) The 
> authors need to explain exactly what that challenge ACK looks like.
> I think it is the same 4 tuple, ack = last sent ack, seq = 
> last sent seq (no data).

Well, you can go on explaining each and everything, we had chosen to
stick to the RFC 793 language, in other words, the intention is affect
only the portion of RFC 793 and rest is exactly what RFC 793 says. If we
add additional text that would really add to the confusion. This was
atleast the rationale and WG had agreed to such thinking w.r.t this
draft.

> 
> 
> 
> 
> Still on page 9.
> In all states except SYN-SENT, all reset (RST) segments are validated
>    by checking their SEQ-fields [sequence numbers].  A reset 
> is valid if
>    its sequence number exactly matches the next expected sequence
>    number.  If the RST arrives and its sequence number field does NOT
>    match the next expected sequence number but is within the window,
>    then the receiver should generate an ACK.  In all other cases where
>    the SEQ-field does not match and is outside the window, 
> the receiver
>    MUST silently discard the segment.
> 
> 
> Should be:
> In all states except SYN-SENT, all reset (RST) segments are validated
>    by checking their ACK-fields [acknowledgement numbers].  A 

Incorrect. It is the sequence number that needs to be validated first,
please read RFC 793. (Page 37 RFC 793)

> reset is valid if
>    its acknowledgement number exactly matches the last sent 
> sequence number + the data length sent.
>    If the RST arrives and its acknowledgement number field does NOT
>    match the last sent sequence number + the data length sent 
> but is within the window,
>    then the receiver SHOULD (or MUST?) generate an ACK.  In 
> all other cases where
>    the ACK-field does not match and is outside the window, 
> the receiver
>    MUST silently discard the segment.
> 
> 
> 
> (coffee != sleep) & (!coffee == sleep)

Not sure which of the above caused confusion ;-)

-Anantha