Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
Christian Grothoff <christian@grothoff.org> Thu, 21 August 2014 16:23 UTC
Return-Path: <christian@grothoff.org>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0E351A03E2; Thu, 21 Aug 2014 09:23:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.85
X-Spam-Level:
X-Spam-Status: No, score=-3.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a1wh1QwHxBcE; Thu, 21 Aug 2014 09:23:44 -0700 (PDT)
Received: from smtp1.informatik.tu-muenchen.de (mail-out1.informatik.tu-muenchen.de [131.159.0.8]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 028F11A0693; Thu, 21 Aug 2014 09:23:43 -0700 (PDT)
Received: from [IPv6:::1] (fulcrum.net.in.tum.de [131.159.20.52]) by mail.net.in.tum.de (Postfix) with ESMTP id 8997419BF034; Thu, 21 Aug 2014 18:23:40 +0200 (CEST)
Message-ID: <53F61CB2.2090108@grothoff.org>
Date: Thu, 21 Aug 2014 18:22:10 +0200
From: Christian Grothoff <christian@grothoff.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.6.0
MIME-Version: 1.0
To: Joe Touch <touch@isi.edu>, "Scheffenegger, Richard" <rs@netapp.com>, "alfiej@fastmail.fm" <alfiej@fastmail.fm>, Jacob Appelbaum <jacob@appelbaum.net>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com> <53F57281.2020302@isi.edu>
In-Reply-To: <53F57281.2020302@isi.edu>
X-Enigmail-Version: 1.6
OpenPGP: id=48426C7E
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="nqkE2hv6xdh2TdLpflMUWH6QC5eDv7JXl"
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/Pl3UdO-YGLdkaIGwhG8o0kTTIqw
X-Mailman-Approved-At: Fri, 22 Aug 2014 08:02:05 -0700
Cc: "tcpinc@ietf.org" <tcpinc@ietf.org>, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Aug 2014 16:23:46 -0000
On 08/21/14 06:16, Joe Touch wrote: > > > On 8/18/2014 3:07 PM, Scheffenegger, Richard wrote: >> Hi Alfie, >> >> my concern is with the use of a static ISN for each 4-tuple; this >> significantly increases the chance of a collision between sessions (ie. >> when the sender terminates a sluggish earlier session, some segments of >> that last session will very likely be in-window for a session that was >> started a short time later). > > +1, and I haven't seen a satisfactory answer to this yet. > > FWIW, the doc refers to TCP MD5, which has been deprecated and replaced > by TCP-AO. TCP-AO has an experimental extension to support NAT traversal. Well, several people seem to suggest that making the use of TSval _mandatory_ with TCP Stealth would solve this and other concerns; so if we put that into the draft, would you be happy? > Additionally, responding with a TCP RST isn't the best response if > you're trying to hide from port knocking. Silence is best in that case. That depends on what the system does for a closed port. The draft says the system should react in the same way as it usually does, and usually MY servers respond with TCP RST if the port is closed. If you usually drop, you should drop. If this is about hiding, the key thing is to not change the behavior for the stealth-open port in relation to the behavior of a closed port.
- [tcpm] TCP Stealth - possible interest to the WG Scheffenegger, Richard
- Re: [tcpm] TCP Stealth - possible interest to the… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] TCP Stealth - possible interest to the… Ted Faber
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Yoshifumi Nishida
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Daniel Borkmann
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff