Re: [tcpm] Some comments on tcpsecure

Joe Touch <touch@ISI.EDU> Mon, 07 April 2008 15:40 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6195C3A698B; Mon, 7 Apr 2008 08:40:32 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E48AC3A6865 for <tcpm@core3.amsl.com>; Mon, 7 Apr 2008 08:40:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.491
X-Spam-Level:
X-Spam-Status: No, score=-2.491 tagged_above=-999 required=5 tests=[AWL=0.108, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 82tBUHx6BVXR for <tcpm@core3.amsl.com>; Mon, 7 Apr 2008 08:40:28 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id C1EFE3A6B72 for <tcpm@ietf.org>; Mon, 7 Apr 2008 08:40:28 -0700 (PDT)
Received: from [127.0.0.1] (pool-71-105-89-117.lsanca.dsl-w.verizon.net [71.105.89.117]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m37FeDJ1019853 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 7 Apr 2008 08:40:14 -0700 (PDT)
Message-ID: <47FA4057.7050206@isi.edu>
Date: Mon, 07 Apr 2008 08:40:07 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <200804041832.m34IWTC5025090@venus.xmundo.net> <47F68794.6050100@isi.edu> <200804042012.m34KCk8U022643@venus.xmundo.net> <47F68DC7.2050303@isi.edu> <200804050557.m355vAjU013266@venus.xmundo.net> <47F7B43E.6010004@isi.edu> <200804052024.m35KOlmj018418@venus.xmundo.net> <47F7E2D0.8010802@isi.edu> <200804052353.m35NrdO1031661@venus.xmundo.net> <47F82129.2000603@isi.edu> <200804061042.m36AgYGx028003@venus.xmundo.net> <47F92D13.4020809@isi.edu> <200804062241.m36MfGKx010325@venus.xmundo.net> <47F9AB92.80405@isi.edu> <200804071517.m37FHcq4022232@venus.xmundo.net>
In-Reply-To: <200804071517.m37FHcq4022232@venus.xmundo.net>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Some comments on tcpsecure
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1068714204=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org


Fernando Gont wrote:
> At 02:05 a.m. 07/04/2008, Joe Touch wrote:
> 
>>> The TCP SEQ check would help a bit in those scenarios in which an 
>>> attacker might be able to spoof an ICMP error message, and cause the 
>>> connection to be stuck for a little while (e.g., by means of causing 
>>> congestion). That is, it would require more packets on the side of 
>>> the attacker.
>>
>> In those cases, I still see the contents of the ICMP to be moot 
>> (w.r.t. window). That info is useful only if:
>>         - ICMPs are known to be returned in a timely fashion
>>         (and there's no way of knowing)
> 
> If anything, isn't this the case for any type of packet? After all, any 
> packet can get queued in a router or be delayed whilie transiting a 
> link....

Routers are supposed to forward packets in a timely fashion, but are 
encouraged to delay control plane event processing when loaded - both 
are in RFC 1812.

I.e., for forwarding this is required, but for ICMP the contrary us 
allowed and encouraged if needed.

>>         OR
>>         - there's some way to differentiate between legitimate
>>         ICMPs and attack ICMPs
>>
>> Since neither is the case, this is a moot issue. I do not agree that 
>> checking the TCP SEQ in the content of an ICMP is ever appropriate.
> 
> Well, I do know that you don't like the idea, but the systems I know of 
> will not consider a packet legitimate unless there's enough reason for 
> that. For ICMPs, the bar for that is the SEQ contained in the payload. 
> That's what everybody has been doing for quite some time.

Again, known implementation bugs aren't the issue - and since seq 
checking isn't required, dropping packets due to that check qualifies 
IMO as an implementation bug.

But this is still somewhat off topic if there's a way to get 95% of the 
way there without doing a seq check, which is what I'm suggesting. That 
would correct the *intent* of the current code without *needing to 
change the current specs* (which is the only way to *require* timely ICMPs).

>>> However, if TCP waits for USER_TIMEOUT to check whether the 
>>> connection is making forward progress, then this is basically the 
>>> "hard errors should be considered to indicate soft errors when 
>>> received for connections in any of the synchronized states" behavior, 
>>> and thus an attacker could not exploit the so-called ICMP hard errors 
>>> to perform reset attacks.
>>
>> Waiting that long defeats the purpose of the errors - to terminate 
>> connections more rapidly than TCP would otherwise. That is, IMO, too far.
>
> Well, that's just a matter of policy. In any case, Clark's RFC on "Fault 
> Isolation and Recovery" and even "The Design of the DARPA..." seem to 
> support this idea: data transfers should work when there is at least a 
> working path to do the transfer.
> As I have seen you have mentioned a number of times, TCP is not supposed 
> to be optimized for any scenario (e.g., multi-path scenarios). So if 
> there's a working path, I think that for robustness sake the connection 
> should not be aborted.

Robustness also allows signalled connection faults to recover quickly, 
rather than on the same timescale as a 'no message' timeout. Yes, 
though, the devil is in the detail of what that timeout would be.

> In any case, I don't think we'd even have to stick to any particular 
> timeout. Particularly, given that we can accommodate existing 
> implementations (hard errors -> soft errors) as a degenerate case of the 
> above.

That's assuming the worst timeout, IMO, which is a particular timeout 
value I disagree with.

>>> (i.e., the "hard errors should be considered to indicate soft errors 
>>> when received for connections in any of the synchronized states" 
>>> becomes a degenerate case of the "checking for progress on the TCP 
>>> connection" when TCP waits for USER_TIMEOUT seconds before concluding 
>>> whether the connection is making progress or not).
>>> (FWIW, the TCP SEQ is of a little bit more of help for PMTUD, as 
>>> during what I called 'Initial Path-MTU Discovery', you probably don't 
>>> want to wait, so that you get a good convergence time for the PMTUD).
>>
>> I'd have to think further to see if this appropriate - i.e., if done 
>> only once during a connection, before a wrap, then the SEQ might be 
>> appropriate to check, but only within that period.
> 
> Most of all, the check is needed once at the beginning of the connection.
> Then, it might be nice to do it after the 10-minute PMTUD timeout when 
> you want to discover the PMTU again. Although at that point (t>10 
> minutes) it wouldn't be much of a problem to just check for progress on 
> the connection (what's most important is to avoid delays at he beginning 
> of the connection, as that would hurt interactive applications)

The first one can easily have a seq num check, since the connection 
isn't open long enough for a legitimate delay. However, the subesquent 
ones don't seem to have that luxury, IMO.

Joe

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm