Re: [tcpm] poll for adopting draft-gont-tcp-security
Fernando Gont <fernando@gont.com.ar> Mon, 29 June 2009 18:14 UTC
Return-Path: <fernando@gont.com.ar>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D2DC3A6BDB for <tcpm@core3.amsl.com>; Mon, 29 Jun 2009 11:14:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.155
X-Spam-Level:
X-Spam-Status: No, score=-3.155 tagged_above=-999 required=5 tests=[AWL=0.444, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dLxEAvsfRSoc for <tcpm@core3.amsl.com>; Mon, 29 Jun 2009 11:14:47 -0700 (PDT)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id B44983A6A91 for <tcpm@ietf.org>; Mon, 29 Jun 2009 11:14:45 -0700 (PDT)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id 3E30F6B65D7; Mon, 29 Jun 2009 15:15:08 -0300 (ART)
Received: from [192.168.0.156] (148-82-231-201.fibertel.com.ar [201.231.82.148]) (authenticated bits=0) by venus.xmundo.net (8.14.1/8.14.1) with ESMTP id n5TIEmLW026697; Mon, 29 Jun 2009 15:14:53 -0300
Message-ID: <4A490492.3050407@gont.com.ar>
Date: Mon, 29 Jun 2009 17:14:42 -0100
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: Matt Mathis <matt.mathis@gmail.com>
References: <C304DB494AC0C04C87C6A6E2FF5603DB2217B28763@NDJSSCC01.ndc.nasa.gov> <fc0ff13d0906241711k44de4f77u8ec825e1ea151a1e@mail.gmail.com> <4A4317ED.1040905@gont.com.ar> <4A48F60A.7020602@gmail.com>
In-Reply-To: <4A48F60A.7020602@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Mon, 29 Jun 2009 15:15:07 -0300 (ART)
Cc: Matt Mathis <mathis@psc.edu>, tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] poll for adopting draft-gont-tcp-security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2009 18:14:48 -0000
Matt Mathis wrote: >> Please read e.g., page 24 (Section 3.6.1) and let me know if this is >> the same mindset. Here's an excerpt of the aforementioned Section: >> >> " These four bits are reserved for future use, and must be zero. As >> with virtually every field, > --Snip-- > Consider sect 4.4.1, SACK-permitted option length must be 2: This > forbids ever extending SACK by adding a subtype, for example to > negotiate non-renege-able SACK, by putting a 1 in an optional sub-type > carried in additional bytes in the SACK-permitted option. Are you sure this would ever work regardless of the advice we are giving? I could check if you want, but I bet most stacks have been performing this type of checks for quite some time now. Also, why not using a different option type for that? > As far as I > know every implementation today correctly parses the option length (e.g. > skips forward by the relevant amount), but ignores the option data, so > such a change would be backwards compatible with all existing > implementations. I will check this and come back to you. >>> I read all of 2 pages before I found something that, if significantly >>> deployed, would haunt some Internet users for a very very long time (p >>> 43, SACK resource exhaustion). >> >> I guess you are arguing against the proposed limit of 16 for the >> maximum number of sack holes? I understand you could argue that this >> value could/should be raised. However, IIRC I based my proposal on >> existing data on the number of holes. [....] >> I guess/hope you are not arguing against enforcing limits, but about >> the specific value proposed in the I-D. And the reason for submiting >> this I-D as a IETF I-D is exactly to discuss these issues and get >> consensus on e.g., what the proper/safe value should be for this limit. > The current limits are workaround for using inappropriate algorithms for > maintaining the SACK scoreboard. It's more than that. If you don't enforce any limits, you could get a system to commit lots of memory for the scoreboard. Not enforcing limits is a highway to buffer overflows and other type of attacks. You must impose *some* limit. > The easy way to implement the > scoreboard has cost O(N^2). However there is at least one OS that uses > an O(N*ln(N)) scoreboard, and O(N) might be possible. (These are the > total cost of the worst case recovery at window size N, so O(N) total > cost is constant cost per ACK.) Could you provide details of the algorithms you mention, references, etc.? > If you have a moderately fast continental scale Ethernet (1500 Byte > MTU, 1 Gb/s, 100 ms RTT), you need a window size of 9000-18000 > packets. Slow start typically loses ever other or every third packet, > so you might hypothetically need to recover from 3000 to 9000 holes > following a slow-start. Telling host implementers that they should > limit the number of holes rather than investing in better algorithms is > pushing them in the wrong direction. As I mentioned above, as a general rule to security problems, you need to enforce limits. We can argue about the specific value, But I don't think you'd want any data structure to be able to grow without bounds these days. You recommend this, somebody implements it, and the next day you have the attack tool posted on bugtraq. > Kludges in existing > implementations, or arguments about typical users are no excuse to tell > implementers that they should not do this correctly for all users, > including users who need the very highest performance. Nobody had brought up this issue of the algorithm. And, again, the reason for publishing the I-D was to provide the means to discuss this stuff within the IETF. If there's anything that can be improved, I'd be happy to do it. > Here is a hint about RFC 2018 (which probably applies to many other > RFCs): Every single SHOULD is a clue that we knew of something that > might be done better than permitted by the document at hand. > Going through a spec and "tightening" it, by changing SHOULDs into MUSTs, is > guaranteed to close of opportunities for improvement (although some > might be closed already for other reasons). In this particular case, we didn't change any SHOULD into a MUST. The only reference to the option length in RFC 2018 is in the option figure. >> I really don't understand this statement. The only standard >> organization involved in this is the IETF. UK CPNI is *NOT* a >> standards organization (please see http://www.cpni.gov.uk). > Yes, but it issued a document full of advice to implementers, that has > the potential to have lasting negative repercussions. If they really > are not high profile, then there is a chance that we can get away with > just ignoring their report. I don't really know what "high profile" is supposed to mean. The motivation for producing this document is explained in the Preface/Introduction of the document. This type of document clearly has an impact on implementations, because it provides help to developers that before this document was only available (if anything) by going through the 100+ papers referenced in this I-D. Many developers have payed attention to this document. We have been in very close contact with the developer community of a number of operating systems, and the document was very welcome. It was felt that such a document was needed. And many of them are working on document. The motivation for bringing this document to the IETF was to further polish the document, and give the IETF the chance to publish something on these issues. Even for things like "SYN floods" or "ICMP attacks", the IETF has provided advice/discussion at least ten or twenty years *later* from when many implementations had to do something about it. There's too much stuff that an implementer of TCP has to figure out by himself. And many of the problems that have been found in real implementations have to do with that. This document simply tries to change that state of affairs. Think about any TCP vulnerability that has ever been discussed in, say, bugtraq or full-disclosure, and I bet at least 95% have been ignored by the IETF (or put another way, nothing was published about them). This is not good. > Once I have had time to actually read the whole thing, I will comment > further. (I am traveling for another couple of days). Thanks! I look forward to your feedback. Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- [tcpm] poll for adopting draft-gont-tcp-security Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Matt Mathis
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Matt Mathis
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Alfred Hönes
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Ilpo Järvinen
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Eddy, Wesley M. (GRC-MS00)[Verizon]
- [tcpm] [Fwd: Re: poll for adopting draft-gont-tcp… Fernando Gont
- [tcpm] [Fwd: Re: poll for adopting draft-gont-tcp… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Christos Zoulas
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Eddy, Wesley M. (GRC-MS00)[Verizon]
- [tcpm] Handling of malformed options (was: Re: po… Fernando Gont
- Re: [tcpm] Handling of malformed options Joe Touch
- Re: [tcpm] Handling of malformed options Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Andrew Yourtchenko
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Dan Wing
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… David Borman