IETF Logo Mail Archive

Re: [tcpm] A few comments on 793bis

Wesley Eddy <wes@mti-systems.com> Fri, 23 October 2020 15:23 UTC

Return-Path: <wes@mti-systems.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 822933A0EF0 for <tcpm@ietfa.amsl.com>; Fri, 23 Oct 2020 08:23:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.135
X-Spam-Level:
X-Spam-Status: No, score=-2.135 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mti-systems-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCpfr9EK3QvW for <tcpm@ietfa.amsl.com>; Fri, 23 Oct 2020 08:23:11 -0700 (PDT)
Received: from mail-qv1-xf2b.google.com (mail-qv1-xf2b.google.com [IPv6:2607:f8b0:4864:20::f2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C11423A0EEF for <tcpm@ietf.org>; Fri, 23 Oct 2020 08:23:10 -0700 (PDT)
Received: by mail-qv1-xf2b.google.com with SMTP id t20so850495qvv.8 for <tcpm@ietf.org>; Fri, 23 Oct 2020 08:23:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mti-systems-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=blv7wMz4to6yVa9biY72b+KdezZSBWdG6Dm+bTFUlA4=; b=qeivBuora+29ne1bSIYbFsJdJKFq0Gw4gRxCu+GNCU6WXNxmWAN+C21UE/0ldv/9X7 GAl8c9sad9DfPjZPDTrydm2TOomWPHmuZw0vUKxIyJGni/YYvEVbdAmXV4xRGjUWXlPJ eXdXsaRRJugPkQYoAdaDwdbwehFoPv+5SztqjTH58PFA8Epd5OOx5KH1EhoZhRZ8uQJ8 gsDWCYAUz1EMaCTwtokuTYoag/g2P86NydKsIW5fPOcFzWAfUhDJE9Dg4JVG2oqPOLJr gZ7Cr0AxMMRX/nWN5Vqf5viswCaCT4K6j9+pUHKtD+BJTF6EgnKkUWs2sE6gPCzqKjjp sNMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=blv7wMz4to6yVa9biY72b+KdezZSBWdG6Dm+bTFUlA4=; b=LT10iY2LmTaiHl7Jrd4tXx/5NAhYhjE6XrWE8epH6tFUBP0eMw+Y7T2qOq09o/Ii3u Bt7NI3Qv4p1KlwcVsC+DfIaDH8yMk59koE2GeJeP/5ae1XfwWWfbl9KWTvEuTD/xoZ6d 58JpqGuA05pyCEnpcMPAdwnSeYWPFJvApgDx7+WoTZupFjnHwBQpAvrOpnntFPxggl0R h9JwCPYEhXc7u/Z7rN4YBtrnyK8txW6FXis6I0ilYIBaOvYLhVqVKobtSQl912V71HIr tPtnLUSju83uvXxmq59SIXUcZecaaJBt/O86mFb36RCGx4mv/nbPw0ur6udFNW4m9pzA IomQ==
X-Gm-Message-State: AOAM532eKoJ6yTNVPGbdk9/cmB76D5aOPwrztPVaYzAcaMNYzX7XcrGg fTEWU7uBZHq9sej09xSItKK3eRSeLWmoaaup
X-Google-Smtp-Source: ABdhPJzbzYC64ojdqen6sqde46ao73DnRdXbMljmQtUMNHc7nKk0WI0yJqnWrVyX9Y/hRbOjACWj4g==
X-Received: by 2002:ad4:46a8:: with SMTP id br8mr2893627qvb.24.1603466589223; Fri, 23 Oct 2020 08:23:09 -0700 (PDT)
Received: from [192.168.1.114] (rrcs-69-135-1-122.central.biz.rr.com. [69.135.1.122]) by smtp.gmail.com with ESMTPSA id o193sm952953qke.12.2020.10.23.08.23.07 for <tcpm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 23 Oct 2020 08:23:08 -0700 (PDT)
To: tcpm@ietf.org
References: <77B766C3-2895-40AD-82DF-EC318C65B909@strayalpha.com> <CACS3ZpD-Sf1yfhM_ACDhXNXjHGqtuOzR394Sfjh_Epf5Avo4aw@mail.gmail.com> <EEA5F649-FB31-4049-807A-E5D6F5DED629@strayalpha.com>
From: Wesley Eddy <wes@mti-systems.com>
Message-ID: <cd9acc8b-630f-cbe7-546d-3d05eff92973@mti-systems.com>
Date: Fri, 23 Oct 2020 11:23:06 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <EEA5F649-FB31-4049-807A-E5D6F5DED629@strayalpha.com>
Content-Type: multipart/alternative; boundary="------------51C911F8D8C720CA40A040A5"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/WdaQdjuqVYu-nNQql16AfX7F0XA>
Subject: Re: [tcpm] A few comments on 793bis
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Oct 2020 15:23:14 -0000

We are trying not to make up anything new for this document that wasn't 
already from prior RFCs, so if that has been done wrong, then we should 
fix it!

In this case, I think the MUST comes from RFC1122 (4.2.2.9):

             A TCP MUST use the specified clock-driven selection of
             initial sequence numbers.

And the text on this in 793bis is a merger of this and RFC 6528, as it says:

    This recommended algorithm is further described inRFC 6528  <https://datatracker.ietf.org/doc/html/rfc6528>  [36  <https://datatracker.ietf.org/doc/html/draft-ietf-tcpm-rfc793bis-18#ref-36>] and
    builds on the basic clock-driven algorithm fromRFC 793  <https://datatracker.ietf.org/doc/html/rfc793>.

    A TCP implementation MUST use a clock-driven selection of initial
    sequence numbers (MUST-8), and SHOULD generate its Initial Sequence
    Numbers with the expression:
    ...

So, I could use help in understanding what to do here, without going 
against what has already been put down in 1122 and not relaxed since.


On 10/23/2020 11:09 AM, Joseph Touch wrote:
> FWIW, I don’t know where the MUST for that came from. It’s never been 
> a MUST.
>
> The sad thing is how much of this doc rolls in the continued (IMO) 
> assault on TCP as needing “security” protections somehow integrated 
> into its basic mechanisms. It continues a trend of mistaking errors 
> for attacks and mistaking unsecured TCP for a secure service.
>
> Joe
>
>> On Oct 22, 2020, at 10:20 PM, Juhamatti Kuusisaari 
>> <juhamatk@gmail.com <mailto:juhamatk@gmail.com>> wrote:
>>
>>
>> +1
>>
>> Especially the last ISN clock MUST statement is something that I also 
>> consider quite restrictive for low end devices. If we cannot change 
>> it for bis, some minimum viable solution described in 
>> detail/referenced would be nice.
>>
>> --
>>   Juhamatti
>>
>>
>> pe 23. lokakuuta 2020 klo 1.49 Joseph Touch <touch@strayalpha.com 
>> <mailto:touch@strayalpha.com>> kirjoitti:
>>
>>     Hi, all,
>>
>>     Comments below, if still useful.
>>
>>     Joe
>>
>>     ——
>>
>>     Regarding RFC5961, we were very careful in the applicability
>>     statement therein to limit the SHOULD recommendations with
>>     specific conditions and MAY implement elsewhere. This update to
>>     793 misrepresents those current recommendations as SHOULD for
>>     everyone, e.g., here:
>>
>>                    A potential blind reset attack is described in RFC
>>     5961
>>                    [32], with the mitigation that a TCP implementation
>>                    SHOULD first check that the sequence number exactly
>>                    matches RCV.NXT prior to executing the action in
>>     the next
>>                    paragraph.
>>
>>     That text should instead say “MAY first check”, adding, if
>>     desired, "(SHOULD, under the conditions noted in RFC 5961)”. That
>>     corrected text belongs also in section 3.4 where reset processing
>>     is discussed.
>>
>>     —
>>
>>     All places that mention issuing a RST (including sec 3.4 and the
>>     state machine) should note that the side issuing the RST ought to
>>     enter TIME_WAIT - and explain why, as noted in:
>>             Faber, T; Touch, J; Yue, W: The TIME-WAIT state in TCP
>>     and Its Effect on Busy Servers. In: Infocom, pp. 1573-1583, IEEE,
>>     1999.
>>
>>     —
>>
>>     The following text should include a MUST, as shown below:
>>
>>         (all TCP options except End of option list and No-Operation
>>          MUST have length fields)
>>
>>     —
>>
>>     The following text should be preceded by an inline ‘heading’ as
>>     shown:
>>
>>             Experimental TCP options
>>
>>             Experimental TCP option values are defined in [22], and [39]
>>             describes the current recommended usage for these
>>     experimental
>>             values.
>>
>>     —
>>
>>     The following text should be moved earlier in the section,
>>     because its current location suggests it is related to the
>>     experimental options discussion (and it is not):
>>
>>             Note: There is ongoing work to extend the space available for
>>             TCP options, such as [53].
>>
>>     It might be appropriate to move this before the discussion of
>>     specific options, for example.
>>
>>     —
>>
>>     The definition of TIME-WAIT should describe its purpose as also
>>     including avoiding delayed segments from previous connections
>>     affecting new connections.
>>
>>     —
>>
>>     I would strongly encourage reformatting to allow the TCP state
>>     machine to avoid page break boundaries.
>>
>>     It may also be useful to add a note that RST can be issued from
>>     any state with a corresponding (implied) transition to TIME-WAIT;
>>     similarly, receipt of RST from any state goes to LISTEN. These
>>     transitions are not shown only because they would complicate the
>>     diagram.
>>
>>     —
>>
>>     The following statement is false:
>>
>>       The protocol places no restriction on a particular connection being
>>        used over and over again.
>>
>>     Avoiding that happening too quickly in succession is one of the
>>     purposes of TIME-WAIT. New ISNs are only PART of that protection
>>     (which means the rest of this section needs revision to clarify
>>     this issue).
>>
>>     —
>>
>>     The security of TCP is discussed incorrectly, IMO. The ISN
>>     discussion and RST discussion, in particular, although trying to
>>     help protect against off-path attacks, are only very tenuously
>>     considered “security”. There should be some other way of
>>     discussing this and making sure that if TCP users need secure
>>     connections they need to use TCP-AO or IPsec.
>>
>>     —
>>
>>     The ISN clock statement with MUST seems to overreach. The
>>     previous text talks about the use of clocks being recommended,
>>     but a MUST is much stronger. The assertion needs more wiggle
>>     words or a more generous definition of clock to avoid being used
>>     out of context to prevent simple implementations on lightweight
>>     devices.
>>
>>     —
>>     end.
>>
>>
>>
>>
>>
>>     _______________________________________________
>>     tcpm mailing list
>>     tcpm@ietf.org <mailto:tcpm@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/tcpm
>>
>> _______________________________________________
>> tcpm mailing list
>> tcpm@ietf.org <mailto:tcpm@ietf.org>
>> https://www.ietf.org/mailman/listinfo/tcpm
>
>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email