Re: [tcpm] Some comments on tcpsecure
"Anantha Ramaiah (ananth)" <ananth@cisco.com> Sat, 05 April 2008 18:30 UTC
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Fernando Gont <fernando@gont.com.ar>, tcpm@ietf.org
Date: Sat, 05 Apr 2008 11:29:37 -0700
Subject: Re: [tcpm] Some comments on tcpsecure
Message-ID: <0C53DCFB700D144284A584F54711EC5804FA106D@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <200804050607.m35679ER022947@venus.xmundo.net>
References: <200804041832.m34IWTC5025090@venus.xmundo.net> <0C53DCFB700D144284A584F54711EC5804F48EC2@xmb-sjc-21c.amer.cisco.com> <200804050607.m35679ER022947@venus.xmundo.net>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>

> > > I can only agree that randomization makes the attack harder to
> > > accomplish, but like you noted many systems don't do it today.
>
> Nowadays, at least FreeBSD, OpenBSD and Linux do it.

Just for the sake of the record, we have been doing port randomization in
some of our main protocol stacks for about 3 years or so, and the
algorithms we follow are more or less the ones recommended in the port
randomization draft.

> Yes. Something along the lines of "TCP port randomization
> [draft-ietf-port-randomization] increases the amount of work on the
> side of the attacker by obfuscating the TCP ephemeral port value"
>
> To make my point clear: I'm not saying you should make "statements"
> on whether hosts should or shouldn't implement "icmp attacks" or "port
> randomization". But you should note that the ICMP attacks are easier,
> and direct people to the icmp attacks draft for more information
> about this. And you should note that port randomization is a general
> mitigation technique for off-path attacks against TCP that requires
> more work on the side of the attacker to successfully perform
> such attacks.

One point which I wish to add: the long-lived nature of some TCP
connections gives enough time for the attacker (attack program) to
successfully penetrate the connection.

I'll leave it to the WG consensus to determine whether citing these
references is ok at this point in the game.

-Anantha
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm
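To make the work-factor comparison in the exchange above concrete, here is an added example; it is not code from the tcpsecure draft, the port randomization draft, or any vendor stack mentioned in the thread. It models the worst-case number of spoofed segments an off-path attacker must send for a blind RST when the client's ephemeral port is predictable versus randomized over 1024-65535, with and without the tcpsecure exact-sequence RST check, alongside the forged-ICMP case in which a stack does not validate the embedded sequence number, and converts those counts into time at an assumed packet rate so they can be compared against a connection's lifetime. The 64 KiB window, 100k packets/s rate, port range and one-day lifetime are assumed parameters, not figures from the drafts.

```python
# Work-factor model for the off-path attacks discussed in this thread.
# Added illustration, not code from draft-ietf-tcpm-tcpsecure, the port
# randomization draft, or any vendor stack. Window, rate, port range and
# lifetime values below are assumptions chosen to make the comparison concrete.

SEQ_SPACE = 2 ** 32  # size of the TCP sequence-number space


def port_candidates(lo: int, hi: int) -> int:
    """Number of ephemeral ports an off-path attacker must consider."""
    if not (0 <= lo <= hi <= 65535):
        raise ValueError("bad port range")
    return hi - lo + 1


def rst_guesses_per_port(window: int, exact_match: bool = False) -> int:
    """Spoofed RSTs needed to cover the sequence space for ONE port guess.

    exact_match=False: receiver accepts any in-window RST (pre-tcpsecure),
    so the attacker needs ceil(2**32 / window) segments.
    exact_match=True:  receiver only acts on SEG.SEQ == RCV.NXT (the
    tcpsecure RST check), so every sequence number is a separate guess.
    """
    if window <= 0:
        raise ValueError("window must be positive")
    if exact_match:
        return SEQ_SPACE
    return -(-SEQ_SPACE // window)  # integer ceiling, no float rounding


def rst_segments(window: int, n_ports: int, exact_match: bool = False) -> int:
    """Worst-case spoofed segments for a blind RST: ports x sequence guesses."""
    return rst_guesses_per_port(window, exact_match) * n_ports


def icmp_segments(n_ports: int, window: int, seq_checked: bool) -> int:
    """Worst-case forged ICMP hard errors needed to tear down a connection.

    Assumption: a stack that does not validate the TCP sequence number
    carried in the ICMP payload only needs the 4-tuple to match, so the port
    guess alone decides success (why the thread calls ICMP attacks easier).
    A stack that checks the embedded sequence number against its window
    falls back to the same per-port guess count as an in-window RST.
    """
    if not seq_checked:
        return n_ports
    return n_ports * rst_guesses_per_port(window)


def seconds_to_succeed(segments: int, pps: float) -> float:
    """Time to send the worst-case number of segments at a given rate."""
    if pps <= 0:
        raise ValueError("pps must be positive")
    return segments / pps


def exposed(connection_lifetime_s: float, attack_time_s: float) -> bool:
    """True when a connection lives long enough for the attack to complete."""
    return attack_time_s <= connection_lifetime_s


def compare(window: int = 65536, pps: float = 100_000.0) -> dict:
    """Attack time in seconds for the combinations the thread contrasts."""
    fixed = 1                               # predictable ephemeral port
    rand = port_candidates(1024, 65535)     # whole range randomized
    return {
        "rst, fixed port, in-window":
            seconds_to_succeed(rst_segments(window, fixed), pps),
        "rst, random port, in-window":
            seconds_to_succeed(rst_segments(window, rand), pps),
        "rst, random port, tcpsecure":
            seconds_to_succeed(rst_segments(window, rand, True), pps),
        "icmp, fixed port, no seq check":
            seconds_to_succeed(icmp_segments(fixed, window, False), pps),
        "icmp, random port, no seq check":
            seconds_to_succeed(icmp_segments(rand, window, False), pps),
    }


if __name__ == "__main__":
    day = 24 * 3600.0  # assumed lifetime, e.g. a BGP session up for a day
    for name, secs in compare().items():
        print(f"{name:34s} {secs:>16.3f} s   finishes within a day: "
              f"{exposed(day, secs)}")
```

Under these assumptions port randomization alone turns a sub-second blind RST into roughly twelve hours of spoofed traffic, which a long-lived session still outlives; the exact-match RST check pushes it to decades, which is why the two mitigations are complementary rather than alternatives. Note that a larger receive window (window scaling) shrinks the in-window guess count proportionally.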
- [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- [tcpm] ICMP error origination timeliness Pekka Savola
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] ICMP error origination timeliness Anantha Ramaiah (ananth)
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)