Re: [tcpm] Some comments on tcpsecure
Joe Touch <touch@ISI.EDU> Mon, 07 April 2008 15:40 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6195C3A698B; Mon, 7 Apr 2008 08:40:32 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E48AC3A6865 for <tcpm@core3.amsl.com>; Mon, 7 Apr 2008 08:40:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.491
X-Spam-Level:
X-Spam-Status: No, score=-2.491 tagged_above=-999 required=5 tests=[AWL=0.108, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 82tBUHx6BVXR for <tcpm@core3.amsl.com>; Mon, 7 Apr 2008 08:40:28 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id C1EFE3A6B72 for <tcpm@ietf.org>; Mon, 7 Apr 2008 08:40:28 -0700 (PDT)
Received: from [127.0.0.1] (pool-71-105-89-117.lsanca.dsl-w.verizon.net [71.105.89.117]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m37FeDJ1019853 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 7 Apr 2008 08:40:14 -0700 (PDT)
Message-ID: <47FA4057.7050206@isi.edu>
Date: Mon, 07 Apr 2008 08:40:07 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <200804041832.m34IWTC5025090@venus.xmundo.net> <47F68794.6050100@isi.edu> <200804042012.m34KCk8U022643@venus.xmundo.net> <47F68DC7.2050303@isi.edu> <200804050557.m355vAjU013266@venus.xmundo.net> <47F7B43E.6010004@isi.edu> <200804052024.m35KOlmj018418@venus.xmundo.net> <47F7E2D0.8010802@isi.edu> <200804052353.m35NrdO1031661@venus.xmundo.net> <47F82129.2000603@isi.edu> <200804061042.m36AgYGx028003@venus.xmundo.net> <47F92D13.4020809@isi.edu> <200804062241.m36MfGKx010325@venus.xmundo.net> <47F9AB92.80405@isi.edu> <200804071517.m37FHcq4022232@venus.xmundo.net>
In-Reply-To: <200804071517.m37FHcq4022232@venus.xmundo.net>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Some comments on tcpsecure
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1068714204=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
Fernando Gont wrote: > At 02:05 a.m. 07/04/2008, Joe Touch wrote: > >>> The TCP SEQ check would help a bit in those scenarios in which an >>> attacker might be able to spoof an ICMP error message, and cause the >>> connection to be stuck for a little while (e.g., by means of causing >>> congestion). That is, it would require more packets on the side of >>> the attacker. >> >> In those cases, I still see the contents of the ICMP to be moot >> (w.r.t. window). That info is useful only if: >> - ICMPs are known to be returned in a timely fashion >> (and there's no way of knowing) > > If anything, isn't this the case for any type of packet? After all, any > packet can get queued in a router or be delayed whilie transiting a > link.... Routers are supposed to forward packets in a timely fashion, but are encouraged to delay control plane event processing when loaded - both are in RFC 1812. I.e., for forwarding this is required, but for ICMP the contrary us allowed and encouraged if needed. >> OR >> - there's some way to differentiate between legitimate >> ICMPs and attack ICMPs >> >> Since neither is the case, this is a moot issue. I do not agree that >> checking the TCP SEQ in the content of an ICMP is ever appropriate. > > Well, I do know that you don't like the idea, but the systems I know of > will not consider a packet legitimate unless there's enough reason for > that. For ICMPs, the bar for that is the SEQ contained in the payload. > That's what everybody has been doing for quite some time. Again, known implementation bugs aren't the issue - and since seq checking isn't required, dropping packets due to that check qualifies IMO as an implementation bug. But this is still somewhat off topic if there's a way to get 95% of the way there without doing a seq check, which is what I'm suggesting. That would correct the *intent* of the current code without *needing to change the current specs* (which is the only way to *require* timely ICMPs). >>> However, if TCP waits for USER_TIMEOUT to check whether the >>> connection is making forward progress, then this is basically the >>> "hard errors should be considered to indicate soft errors when >>> received for connections in any of the synchronized states" behavior, >>> and thus an attacker could not exploit the so-called ICMP hard errors >>> to perform reset attacks. >> >> Waiting that long defeats the purpose of the errors - to terminate >> connections more rapidly than TCP would otherwise. That is, IMO, too far. > > Well, that's just a matter of policy. In any case, Clark's RFC on "Fault > Isolation and Recovery" and even "The Design of the DARPA..." seem to > support this idea: data transfers should work when there is at least a > working path to do the transfer. > As I have seen you have mentioned a number of times, TCP is not supposed > to be optimized for any scenario (e.g., multi-path scenarios). So if > there's a working path, I think that for robustness sake the connection > should not be aborted. Robustness also allows signalled connection faults to recover quickly, rather than on the same timescale as a 'no message' timeout. Yes, though, the devil is in the detail of what that timeout would be. > In any case, I don't think we'd even have to stick to any particular > timeout. Particularly, given that we can accommodate existing > implementations (hard errors -> soft errors) as a degenerate case of the > above. That's assuming the worst timeout, IMO, which is a particular timeout value I disagree with. >>> (i.e., the "hard errors should be considered to indicate soft errors >>> when received for connections in any of the synchronized states" >>> becomes a degenerate case of the "checking for progress on the TCP >>> connection" when TCP waits for USER_TIMEOUT seconds before concluding >>> whether the connection is making progress or not). >>> (FWIW, the TCP SEQ is of a little bit more of help for PMTUD, as >>> during what I called 'Initial Path-MTU Discovery', you probably don't >>> want to wait, so that you get a good convergence time for the PMTUD). >> >> I'd have to think further to see if this appropriate - i.e., if done >> only once during a connection, before a wrap, then the SEQ might be >> appropriate to check, but only within that period. > > Most of all, the check is needed once at the beginning of the connection. > Then, it might be nice to do it after the 10-minute PMTUD timeout when > you want to discover the PMTU again. Although at that point (t>10 > minutes) it wouldn't be much of a problem to just check for progress on > the connection (what's most important is to avoid delays at he beginning > of the connection, as that would hurt interactive applications) The first one can easily have a seq num check, since the connection isn't open long enough for a legitimate delay. However, the subesquent ones don't seem to have that luxury, IMO. Joe
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- [tcpm] ICMP error origination timeliness Pekka Savola
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] ICMP error origination timeliness Anantha Ramaiah (ananth)
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)