IETF Logo Mail Archive

Re: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security (more time to comment!)

"Smith, Donald" <Donald.Smith@qwest.com> Mon, 22 March 2010 19:28 UTC

Return-Path: <Donald.Smith@qwest.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8F2A93A67A3 for <tcpm@core3.amsl.com>; Mon, 22 Mar 2010 12:28:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.131
X-Spam-Level: *
X-Spam-Status: No, score=1.131 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d+OPC9X5sGFG for <tcpm@core3.amsl.com>; Mon, 22 Mar 2010 12:28:19 -0700 (PDT)
Received: from suomp64i.qwest.com (suomp64i.qwest.com [155.70.16.237]) by core3.amsl.com (Postfix) with ESMTP id 0435E3A6901 for <tcpm@ietf.org>; Mon, 22 Mar 2010 12:28:18 -0700 (PDT)
Received: from suomp61i.qintra.com (suomp61i.qintra.com [151.117.69.28]) by suomp64i.qwest.com (8.14.4/8.14.4) with ESMTP id o2MJSV7t015815 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 22 Mar 2010 14:28:32 -0500 (CDT)
Received: from qtdenexhtm20.AD.QINTRA.COM (localhost [127.0.0.1]) by suomp61i.qintra.com (8.14.4/8.14.4) with ESMTP id o2MJSPab005339; Mon, 22 Mar 2010 14:28:26 -0500 (CDT)
Received: from qtdenexmbm24.AD.QINTRA.COM ([151.119.91.226]) by qtdenexhtm20.AD.QINTRA.COM ([151.119.91.229]) with mapi; Mon, 22 Mar 2010 13:28:25 -0600
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: 'Fernando Gont' <fernando@gont.com.ar>, "'tcpm@ietf.org'" <tcpm@ietf.org>
Date: Mon, 22 Mar 2010 13:28:24 -0600
Thread-Topic: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security (more time to comment!)
Thread-Index: AcrCFuCSR1bMYcEKTY62iTz5ulgoGwH1f9eA
Message-ID: <B01905DA0C7CDC478F42870679DF0F10079BF95CD2@qtdenexmbm24.AD.QINTRA.COM>
References: <4B99CA9C.9070807@gont.com.ar>
In-Reply-To: <4B99CA9C.9070807@gont.com.ar>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "'tcpm-chairs@tools.ietf.org'" <tcpm-chairs@tools.ietf.org>
Subject: Re: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security (more time to comment!)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2010 19:28:21 -0000

First sorry for the late reply.
My comments are mostly areas I would reword to clarify the meaning since there wasn't a lot of technical content in this version of the draft.

I am providing the diff output to provide the original, some context and my suggested changes/questions.

smitdo@co950g02smitdo /cygdrive/c/cygwin
$ diff -b -c1 draft-ietf-tcpm-tcp-security-01.txt tcp-secure-rfc.txt

*** draft-ietf-tcpm-tcp-security-01.txt Mon Mar 22 13:02:52 2010
--- tcp-secure-rfc.txt  Mon Mar 22 13:09:59 2010



*** 231,243 ****
     The TCP/IP protocol suite was conceived in an environment that was
!    quite different from the hostile environment they currently operate
     in.  However, the effectiveness of the protocols led to their early
!    adoption in production environments, to the point that, to some
!    extent, the current world's economy depends on them.

     While many textbooks and articles have created the myth that the
!    Internet protocols were designed for warfare environments, the top
!    level goal for the DARPA Internet Program was the sharing of large
     service machines on the ARPANET [Clark, 1988].  As a result, many
!    protocol specifications focus only on the operational aspects of the
!    protocols they specify, and overlook their security implications.

--- 231,245 ----
     The TCP/IP protocol suite was conceived in an environment that was
!    a "friendly" openly sharing enviroment primairly composed of education and

! research sites. Which is quite different from the hostile environment they
! currently operate
     in.  However, the effectiveness of the protocols led to their early
!    adoption in commercial production environments, to the point that,
! portions of the current world's economy depends upon them.

     While many textbooks and articles have created the myth that the
!    Internet protocols were designed for warfare environments, the primary
! goal for the DARPA Internet Program was the sharing of large
     service machines on the ARPANET [Clark, 1988].  As a result, many
!    protocol specifications primarily focus on the operational aspects of the
!    protocols they specify, overlooking their security implications.

***************
*** 246,250 ****
     adopted by the ARPANET more than two decades ago.  During the last
!    twenty years, many vulnerabilities have been identified in the TCP/IP
     stacks of a number of systems.  Some of them were based on flaws in
!    some protocol implementations, affecting only a reduced number of
     systems, while others were based in flaws in the protocols
--- 248,252 ----
     adopted by the ARPANET more than two decades ago.  During the last
!    twenty years many vulnerabilities have been identified in the TCP/IP
     stacks of a number of systems.  Some of them were based on flaws in
!    the protocol implementations, affecting only a limited set of
     systems, while others were based in flaws in the protocols
***************
*** 258,264 ****
     Security Incident Response Teams) and vendors, which helped to raise
!    awareness about the threats and the best mitigations known at the
     time the reports were published.  Unfortunately, this also led to the
     documentation of the discovered protocol vulnerabilities being spread
!    among a large number of documents, which are sometimes difficult to
!    identify.

--- 260,267 ----
     Security Incident Response Teams) and vendors, which helped to raise
!    awareness about the threats and mitigations known at the
     time the reports were published.  Unfortunately, this also led to the
     documentation of the discovered protocol vulnerabilities being spread
!    through out  a large number of documentsMaking a holistic view of
! vulnerabilities in this suite of protocols difficult to achieve especially
! for implementation teams.

***************
*** 266,269 ****
     Internet protocols did not result in official documents (RFCs) being
!    issued by the IETF (Internet Engineering Task Force).  This basically
!    led to a situation in which "known" security problems have not always
     been addressed by all vendors.  In addition, in many cases vendors
--- 269,272 ----
     Internet protocols did not result in official documents (RFCs) being
!    issued by the IETF (Internet Engineering Task Force).  This
!    lead to a situation in which "known" security problems have not always
     been addressed by all vendors.  In addition, in many cases vendors
***************
*** 273,275 ****

!    Producing a secure TCP/IP implementation nowadays is a very difficult

--- 276,278 ----

!    Producing a less vulnerable  TCP/IP implementation is a difficult

***************

*** 284,288 ****
     a security roadmap for the protocols.  Implementers are faced with
!    the hard task of identifying relevant documentation and
!    differentiating between that which provides correct advice, and that
!    which provides misleading advice based on inaccurate or wrong
     assumptions.
--- 287,292 ----
     a security roadmap for the protocols.  Implementers are faced with
!    the complex task of identifying relevant documentation and
!    differentiating between those that provide correct advice, and those
!    that provide misleading or incomplete advice based on inaccurate or
! incorrect
     assumptions.
***************
*** 330,331 ****
--- 334,336 ----
        Option" (6 pages)
+ Tcp-AO draft ?? should be included

*** 365,366 ****
--- 370,372 ----

+
  1.3.  Organization of this document
***************
*** 369,374 ****
     contains a discussion of each of the TCP header fields, identifies
!    their security implications, and discusses the possible
     countermeasures.  The second part contains an analysis of the
     security implications of the mechanisms and policies implemented by
!    TCP, and of a number of implementation strategies in use by a number
     of popular TCP implementations.
--- 375,380 ----
     contains a discussion of each of the TCP header fields, identifies
!    their security implications, and discusses possible
     countermeasures.  The second part contains an analysis of the
     security implications of the mechanisms and policies implemented by
!    TCP and of a number of implementation strategies in use by a number
     of popular TCP implementations.
***************

*** 428,430 ****
     original specification.  RFC 2581 [Allman et al, 1999] specifies TCP
!    congestion control and avoidance mechanisms, not present in the
     original specification.  Other documents specify extensions and
--- 434,437 ----
     original specification.  RFC 2581 [Allman et al, 1999] specifies TCP
! mechanisms for
!  control and avoidanceof congestion , not present in the
     original specification.  Other documents specify extensions and
***************
*** 513,517 ****
     in response (provided that the incomming segment does not have the
!    RST flag set).

!    TCP MUST be able to grecefully handle the case where the source end-
     point (IP Source Address, TCP Source Port) is the same as the
--- 520,525 ----
     in response (provided that the incomming segment does not have the
!    RST flag set). (wouldn't this cause the reset to have 0 as the source or
! destination which would cause a reset back, giving us a ping pong effect?

!    TCP MUST be able to gracefully handle the case where the source end-
     point (IP Source Address, TCP Source Port) is the same as the
***************
*** 521,523 ****
     is in the LISTEN or CLOSED states for use as ephemeral ports, as this
!    could allow attackers on the local system to "steal" incomming TCP
     connections.
--- 529,531 ----
     is in the LISTEN or CLOSED states for use as ephemeral ports, as this
!    could allow attackers on the local system to "steal" incoming TCP
     connections.
***************
*** 543,547 ****
     unique (not currently in use by any other transport protocol
!    instance).

     In most of the discussion we refer to client-side (or "ephemeral")
     port-numbers and server-side port numbers, since that distinction is
--- 551,558 ----
     unique (not currently in use by any other transport protocol
!    instance). (then doesn't this need to be 5tuple including ip protocol?)

     In most of the discussion we refer to client-side (or "ephemeral")
+ client side doesn't have to be ephermeral many tcp protocols use the same
+ port for both client and server (trandionally). Ephemeral means short lived
+ (daily).
     port-numbers and server-side port numbers, since that distinction is
***************

*** 562,565 ****

!    port 0, an ephemeral port is selected for the corresponding TCP end-
!    point.  As a result, the TCP port number 0 is never actually used in
     TCP segments.
--- 573,578 ----

!    port 0, an port from the systems "ephemeral port range" is selected for
! the corresponding TCP end-
!    point.  As a result, the TCP port number 0 should never actually be used
! in TCP segments.
***************
*** 570,572 ****
     of 0 are usually employed for remote OS detection via TCP/IP stack
!    fingerprinting [Jones, 2003].

--- 583,586 ----
     of 0 are usually employed for remote OS detection via TCP/IP stack
!    fingerprinting [Jones, 2003]. Additionally ip fragements don't have a port

! number filled in which most systems interpret as port 0/0.

***************
*** 582,587 ****
     an RST (provided these incoming segments do not have the RST bit
!    set).

     Responding with an RST segment to incoming segments that have the RST
!    bit would open the door to RST-war attacks.

--- 596,601 ----
     an RST (provided these incoming segments do not have the RST bit
!    set) or do silent drop?

     Responding with an RST segment to incoming segments that have the RST
!    bit would open the door to infinite RST loop attacks.

***************
*** 595,597 ****
     legitimate scenarios, TCP should nevertheless be able to process them
!    without the need of any "extra" code.

--- 609,612 ----
     legitimate scenarios, TCP should nevertheless be able to process them
!    without the need of any "extra" code.
+ Of course there is "extra" code required you have to do a sanity check.

***************


*** 651,652 ****
--- 666,669 ----
     connection in any state other than the fictional state CLOSED.  This
+ Not fictional maybe incorrectly identifed? And here you use conection id's
+ which I believe is the four-tuple but isn't clearly called out as such.
     can be problematic in scenarios in which a client establishes
***************


(coffee != sleep) & (!coffee == sleep)
Donald.Smith@qwest.com gcia

> -----Original Message-----
> From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On
> Behalf Of Fernando Gont
> Sent: Thursday, March 11, 2010 10:01 PM
> To: tcpm@ietf.org
> Cc: tcpm-chairs@tools.ietf.org
> Subject: [tcpm] Feedback request on
> draft-ietf-tcpm-tcp-security (more time to comment!)
>
> Folks,
>
> Some of you had expressed interest in providing feedback on the
> aforementioned I-D. However, so far only a one person (Wes) has sent
> feedback.
>
> Given that more comments are needed, and that the last few weeks have
> probably been particularly busy (IETF I-D submission
> cut-off's), we have
> extended the period of time to send comments on
> draft-ietf-tcpm-tcp-security-01.txt
> (http://tools.ietf.org/id/draft-ietf-tcpm-tcp-security-01.txt).
>
> I'm requesting feedback on all the sections through Section
> 3.1.2.3. -- this includes the introduction sections, the basic
> check on the TCP segment size (Section 3) and the discussion of port
> numbers (Section 3.1 with all its subsections).
>
> Please review these sections and submit comments by Monday March 22nd,
> 2010, so that we can move on to the next sections in a timely manner.
>
> Thanks!
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>
>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm
>

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.

v2.23.0 | Report a Bug | By Email