IETF Logo Mail Archive

Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG

Christian Grothoff <christian@grothoff.org> Thu, 21 August 2014 16:23 UTC

Return-Path: <christian@grothoff.org>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0E351A03E2; Thu, 21 Aug 2014 09:23:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.85
X-Spam-Level:
X-Spam-Status: No, score=-3.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a1wh1QwHxBcE; Thu, 21 Aug 2014 09:23:44 -0700 (PDT)
Received: from smtp1.informatik.tu-muenchen.de (mail-out1.informatik.tu-muenchen.de [131.159.0.8]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 028F11A0693; Thu, 21 Aug 2014 09:23:43 -0700 (PDT)
Received: from [IPv6:::1] (fulcrum.net.in.tum.de [131.159.20.52]) by mail.net.in.tum.de (Postfix) with ESMTP id 8997419BF034; Thu, 21 Aug 2014 18:23:40 +0200 (CEST)
Message-ID: <53F61CB2.2090108@grothoff.org>
Date: Thu, 21 Aug 2014 18:22:10 +0200
From: Christian Grothoff <christian@grothoff.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.6.0
MIME-Version: 1.0
To: Joe Touch <touch@isi.edu>, "Scheffenegger, Richard" <rs@netapp.com>, "alfiej@fastmail.fm" <alfiej@fastmail.fm>, Jacob Appelbaum <jacob@appelbaum.net>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com> <53F57281.2020302@isi.edu>
In-Reply-To: <53F57281.2020302@isi.edu>
X-Enigmail-Version: 1.6
OpenPGP: id=48426C7E
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="nqkE2hv6xdh2TdLpflMUWH6QC5eDv7JXl"
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/Pl3UdO-YGLdkaIGwhG8o0kTTIqw
X-Mailman-Approved-At: Fri, 22 Aug 2014 08:02:05 -0700
Cc: "tcpinc@ietf.org" <tcpinc@ietf.org>, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Aug 2014 16:23:46 -0000

On 08/21/14 06:16, Joe Touch wrote:
> 
> 
> On 8/18/2014 3:07 PM, Scheffenegger, Richard wrote:
>> Hi Alfie,
>>
>> my concern is with the use of a static ISN for each 4-tuple; this
>> significantly increases the chance of a collision between sessions (ie.
>> when the sender terminates a sluggish earlier session, some segments of
>> that last session will very likely be in-window for a session that was
>> started a short time later).
> 
> +1, and I haven't seen a satisfactory answer to this yet.
> 
> FWIW, the doc refers to TCP MD5, which has been deprecated and replaced
> by TCP-AO. TCP-AO has an experimental extension to support NAT traversal.

Well, several people seem to suggest that making the use of TSval
_mandatory_ with TCP Stealth would solve this and other concerns; so if
we put that into the draft, would you be happy?

> Additionally, responding with a TCP RST isn't the best response if
> you're trying to hide from port knocking. Silence is best in that case.

That depends on what the system does for a closed port.  The draft says
the system should react in the same way as it usually does, and usually
MY servers respond with TCP RST if the port is closed. If you usually
drop, you should drop.  If this is about hiding, the key thing is to not
change the behavior for the stealth-open port in relation to the
behavior of a closed port.

v2.23.0 | Report a Bug | By Email