Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
Jacob Appelbaum <jacob@appelbaum.net> Wed, 20 August 2014 16:01 UTC
Return-Path: <jacob@appelbaum.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 048521A1F16 for <tcpm@ietfa.amsl.com>; Wed, 20 Aug 2014 09:01:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z6CqUj_8tinV for <tcpm@ietfa.amsl.com>; Wed, 20 Aug 2014 09:01:09 -0700 (PDT)
Received: from mail-qc0-f175.google.com (mail-qc0-f175.google.com [209.85.216.175]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FC711A7D82 for <tcpm@ietf.org>; Wed, 20 Aug 2014 09:00:22 -0700 (PDT)
Received: by mail-qc0-f175.google.com with SMTP id w7so7797269qcr.20 for <tcpm@ietf.org>; Wed, 20 Aug 2014 09:00:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=RTTF9wJXVaJ7Co0KUCkJqoqA3CxmFpAfW+l5zsG+IP4=; b=IDVYCkxoJn2mBNEAP9rFLH+GHPWONmVe37dgUTPUVxzztmReHeB6FXCyRBoY5y3YGH Hn42wctfRnNBgh5LNQWzBrn83a2hHi7NdruLzuUMzRZp4aU9csoWK0g0d9881renIDSU iMKH9m1RTx4oFBkxdEJK+N5U2qUlGb5OpWMO57/f2AVCNNiGsbNOSLhuuY1GiLcPRJpz HJFpsW2/N9WIOEz6PBacd1xSB8QxD2t4LSoZM1BPTpzNG3Lh6JgpLC2svCuEkSleAfCG UQZ/3CV7sfDr1lu93ReRRGj6OwU4zz7b7vjJ1lg8DU4mGN5Me1RtH3jJioxqKqQvQcyx laFA==
X-Gm-Message-State: ALoCoQlFsjBx9CVJKuHgS4QkAzDQkTg4i+JgQdaKZKhjVrZYXm71ZDuKapRqeBbddBEOR5S+bhPL
MIME-Version: 1.0
X-Received: by 10.224.138.8 with SMTP id y8mr79809868qat.38.1408550417917; Wed, 20 Aug 2014 09:00:17 -0700 (PDT)
Received: by 10.140.91.50 with HTTP; Wed, 20 Aug 2014 09:00:17 -0700 (PDT)
X-Originating-IP: [91.185.200.222]
In-Reply-To: <53F4C265.4000402@redhat.com>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com> <1408401991.317123.154137701.0A30F30C@webmail.messagingengine.com> <CAPh34meB=EtgNu=_eBS6ekB20fRccAqXFWydkCWG+6VKSa98rg@mail.gmail.com> <CAFggDF39L+kLQLmiWJR3q6suPOtYmKJiJUqp0kBv7GjUtNVOjA@mail.gmail.com> <20140819212351.GB11767@breakpoint.cc> <CAFggDF30285E3eYfUOR-2hwNkdFf7Jh_Q5d8A38MtOT4K_9gsA@mail.gmail.com> <53F4C265.4000402@redhat.com>
Date: Wed, 20 Aug 2014 16:00:17 +0000
Message-ID: <CAFggDF0hg_eiPG4f6QEp6BRjuOYEVZ8eYsWXQGNq7DZvHU0ZrQ@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: Daniel Borkmann <dborkman@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/V_NCk5pcK_wriM-eyj9uM0rB-Lw
Cc: Christian Grothoff <christian@grothoff.org>, "tcpinc@ietf.org" <tcpinc@ietf.org>, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Aug 2014 16:01:11 -0000
On 8/20/14, Daniel Borkmann <dborkman@redhat.com> wrote: > On 08/20/2014 03:43 PM, Jacob Appelbaum wrote: >> On 8/19/14, Florian Westphal <fw@strlen.de> wrote: > [...] >>> - Your adversary may be able to do full passive monitoring of >>> all network traffic (also compare "replay" above), so whats the purpose >>> of "avoiding" active scans? >> >> Exactly the purpose - we wish to avoid active scans. The GCHQ/NSA/CSEC >> do active scans when their full passive monitoring isn't enough. This >> hampers that angle of information gathering. It also ensures that even > [...] > > Ok, but for the majority of use cases, lets presume that you'd > pass one of these secretly hidden taps located at some cooperative > IX. Assuming the worst case that some passive adversary has access > to enough taps distributed at convenient locations, did a previous > active port scan and knows that from your machine port 22 is closed. > Later, it observes a two-way flow to port 22 to that machine and the > existence of the service is of course nevertheless revealed. Sounds good. We've just taken detection of the service from everyone in the world to a passive wiretapping attacker observing a sysadmin/user and the service. Otherwise they're going to need to send ~2^32-1 packets per port guess. > > You might be able then to 'mitigate' actual access to the service > a bit, but then again 32 bit is perhaps a limited sense of 'security'. Sure, I agree. We're limiting against a specific, well scoped specific issue that is pervasive and a problem. We do not solve every problem for every attacker. We have deployed code that is running today and it works, roughly. :) > It would also be required that machines running more than one service > have /all/ services somewhat protected by TCP stealth, otherwise an > attacker moves on with the next service as an attack vector That would be consistent but it isn't required. Not all services are created equally - e.g.: OpenSSH ( + ssh keys + TCP Stealth) has root privileges on a system, even if privilege separated. Not all services are so enabled. Another use case is for Tor bridges - in this case - we only care about active probing. Even in advanced cases like the "great" firewall of China, they use active probing to confirm their wiretapped machine learning decisions... > Again, > if also services over other transport protocols are used on the > machines (that cannot make use of TCP stealth), an attacker might > first probe for these as an easier target to get in. Of course. > Key propagation is certainly an issue I assume; you might also want > to consider to rotate them etc; large public sites most likely cannot > make use of TCP stealth, and the larger a group becomes, the more weak > points might arise (including humans) to disclose the shared secret > somehow. Per user shared secrets seem to fit the bill here. > Then again, it might also not be worth it for pubkeys as it > would significantly increase computational complexity on the server > side and we're only talking about 32 bit ... > I think that the decoy routing field holds some interesting tricks for public keys. Telex hides a signature in the TLS handshake, for example. Perhaps for a later version of TCP stealth? :) > /offtopic here, but wouldn't it then be better to work towards full > encryption like CurveCP et al is trying to solve ... I'd like to see that too. We'll get there and this is one step in a similar direction. All the best, Jacob
- [tcpm] TCP Stealth - possible interest to the WG Scheffenegger, Richard
- Re: [tcpm] TCP Stealth - possible interest to the… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] TCP Stealth - possible interest to the… Ted Faber
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Yoshifumi Nishida
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Daniel Borkmann
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff