IETF Logo Mail Archive

Re: [tcpm] poll for adopting draft-gont-tcp-security

Fernando Gont <fernando@gont.com.ar> Mon, 29 June 2009 18:14 UTC

Return-Path: <fernando@gont.com.ar>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D2DC3A6BDB for <tcpm@core3.amsl.com>; Mon, 29 Jun 2009 11:14:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.155
X-Spam-Level:
X-Spam-Status: No, score=-3.155 tagged_above=-999 required=5 tests=[AWL=0.444, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dLxEAvsfRSoc for <tcpm@core3.amsl.com>; Mon, 29 Jun 2009 11:14:47 -0700 (PDT)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id B44983A6A91 for <tcpm@ietf.org>; Mon, 29 Jun 2009 11:14:45 -0700 (PDT)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id 3E30F6B65D7; Mon, 29 Jun 2009 15:15:08 -0300 (ART)
Received: from [192.168.0.156] (148-82-231-201.fibertel.com.ar [201.231.82.148]) (authenticated bits=0) by venus.xmundo.net (8.14.1/8.14.1) with ESMTP id n5TIEmLW026697; Mon, 29 Jun 2009 15:14:53 -0300
Message-ID: <4A490492.3050407@gont.com.ar>
Date: Mon, 29 Jun 2009 17:14:42 -0100
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: Matt Mathis <matt.mathis@gmail.com>
References: <C304DB494AC0C04C87C6A6E2FF5603DB2217B28763@NDJSSCC01.ndc.nasa.gov> <fc0ff13d0906241711k44de4f77u8ec825e1ea151a1e@mail.gmail.com> <4A4317ED.1040905@gont.com.ar> <4A48F60A.7020602@gmail.com>
In-Reply-To: <4A48F60A.7020602@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Mon, 29 Jun 2009 15:15:07 -0300 (ART)
Cc: Matt Mathis <mathis@psc.edu>, tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] poll for adopting draft-gont-tcp-security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2009 18:14:48 -0000

Matt Mathis wrote:

>> Please read e.g., page 24 (Section 3.6.1) and let me know if this is 
>> the same mindset. Here's an excerpt of the aforementioned Section:
>>
>> "  These four bits are reserved for future use, and must be zero.  As
>>    with virtually every field,
> --Snip--
> Consider sect 4.4.1, SACK-permitted option length must be 2:  This 
> forbids ever extending SACK by adding a subtype, for example to 
> negotiate non-renege-able SACK, by putting a 1 in an optional sub-type 
> carried in additional bytes in the SACK-permitted option.  

Are you sure this would ever work regardless of the advice we are 
giving? I could check if you want, but I bet most stacks have been 
performing this type of checks for quite some time now.

Also, why not using a different option type for that?



> As far as I 
> know every implementation today correctly parses the option length (e.g. 
> skips forward by the relevant amount), but ignores the option data, so 
> such a change would be backwards compatible with all existing 
> implementations.

I will check this and come back to you.




>>> I read all of 2 pages before I found something that, if significantly
>>> deployed, would haunt some Internet users for a very very long time (p
>>> 43, SACK resource exhaustion).
>>
>> I guess you are arguing against the proposed limit of 16 for the 
>> maximum number of sack holes? I understand you could argue that this 
>> value could/should be raised. However, IIRC I based my proposal on 
>> existing data on the number of holes.
[....]
>> I guess/hope you are not arguing against enforcing limits, but about 
>> the specific value proposed in the I-D. And the reason for submiting 
>> this I-D as a IETF I-D is exactly to discuss these issues and get 
>> consensus on e.g., what the proper/safe value should be for this limit.
> The current limits are workaround for using inappropriate algorithms for 
> maintaining the  SACK scoreboard.

It's more than that. If you don't enforce any limits, you could get a 
system to commit lots of memory for the scoreboard. Not enforcing limits 
is a highway to buffer overflows and other type of attacks. You must 
impose *some* limit.



> The easy way to implement the 
> scoreboard has cost O(N^2).  However there is at least one OS that uses 
> an O(N*ln(N)) scoreboard, and O(N) might be possible.  (These are the 
> total cost of the worst case recovery at window size N, so O(N) total 
> cost is constant cost per ACK.)

Could you provide details of the algorithms you mention, references, etc.?



> If you have a moderately fast continental  scale Ethernet (1500 Byte 
> MTU, 1 Gb/s, 100 ms RTT), you need a window size of 9000-18000 
> packets.    Slow start typically loses ever other or every third packet, 
> so you might hypothetically need to recover from 3000 to 9000 holes 
> following a slow-start.    Telling host implementers that they should 
> limit the number of holes rather than investing in better algorithms is 
> pushing them in the wrong direction.   

As I mentioned above, as a general rule to security problems, you need 
to enforce limits. We can argue about the specific value, But I don't 
think you'd want any data structure to be able to grow without bounds 
these days. You recommend this, somebody implements it, and the next day 
you have the attack tool posted on bugtraq.



> Kludges in existing 
> implementations, or arguments about typical users are no excuse to tell 
> implementers that they should not do this correctly for all users, 
> including users who need the very highest performance.

Nobody had brought up this issue of the algorithm. And, again, the 
reason for publishing the I-D was to provide the means to discuss this 
stuff within the IETF. If there's anything that can be improved, I'd be 
happy to do it.




> Here is a hint about RFC 2018 (which probably applies to many other 
> RFCs):  Every single SHOULD is a clue that we knew of something that 
> might be done better than permitted by the document at hand.   
> Going through a spec and "tightening" it, by changing SHOULDs into MUSTs, is 
> guaranteed to close of opportunities for improvement (although  some 
> might be closed already for other reasons).

In this particular case, we didn't change any SHOULD into a MUST. The 
only reference to the option length in RFC 2018 is in the option figure.



>> I really don't understand this statement. The only standard 
>> organization involved in this is the IETF. UK CPNI is *NOT* a 
>> standards organization (please see http://www.cpni.gov.uk).
> Yes, but it issued a document full of advice to implementers, that has 
> the potential to have lasting negative repercussions.  If they really 
> are not high profile, then there is a chance that we can get away with 
> just ignoring their report.

I don't really know what "high profile" is supposed to mean. The 
motivation for producing this document is explained in the 
Preface/Introduction of the document. This type of document clearly has 
an impact on implementations, because it provides help to developers 
that before this document was only available (if anything) by going 
through the 100+ papers referenced in this I-D. Many developers have 
payed attention to this document.

We have been in very close contact with the developer community of a 
number of operating systems, and the document was very welcome. It was 
felt that such a document was needed. And many of them are working on 
document.

The motivation for bringing this document to the IETF was to further 
polish the document, and give the IETF the chance to publish something 
on these issues. Even for things like "SYN floods" or "ICMP attacks", 
the IETF has provided advice/discussion at least ten or twenty years 
*later* from when many implementations had to do something about it.

There's too much stuff that an implementer of TCP has to figure out by 
himself. And many of the problems that have been found in real 
implementations have to do with that. This document simply tries to 
change that state of affairs.

Think about any TCP vulnerability that has ever been discussed in, say, 
bugtraq or full-disclosure, and I bet at least 95% have been ignored by 
the IETF (or put another way, nothing was published about them). This is 
not good.


> Once I have had time to actually read the whole thing, I will comment 
> further.   (I am traveling for another couple of days).

Thanks!

I look forward to your feedback.

Kind regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

v2.23.0 | Report a Bug | By Email