Re: [tcpm] TCP segment reassembly vulnerability

Caitlin Bestler <cait@asomi.com> Thu, 09 August 2018 20:12 UTC

Return-Path: <cait@asomi.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7DB7130E77 for <tcpm@ietfa.amsl.com>; Thu, 9 Aug 2018 13:12:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft3309700.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mun4scdE0qUO for <tcpm@ietfa.amsl.com>; Thu, 9 Aug 2018 13:12:02 -0700 (PDT)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-bn3nam04on0716.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe4e::716]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E30C130E41 for <tcpm@ietf.org>; Thu, 9 Aug 2018 13:12:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT3309700.onmicrosoft.com; s=selector1-asomi-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GPE3+weaKzvt1qz1KxDbc8s4dXf3iYoTKH1Pq202nAs=; b=kT5+KlEAAK7Hlbf6g73VZ8pDattbOpyV1mtM1qz599QJUj8VPOl4zAHqcKC6WTfveIo3pVTQbWMux0wifolv5/smS7gy7G8jSwdtMm+T1f5RO4oY2EZLXmGOl/wTUb2YfcMBWxumkSeGOcC+4UihPKQkdDQtSvYFFs5vnE4iJ6o=
Received: from SN6PR11MB2606.namprd11.prod.outlook.com (52.135.91.27) by SN6PR11MB2846.namprd11.prod.outlook.com (52.135.93.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1038.19; Thu, 9 Aug 2018 20:11:59 +0000
Received: from SN6PR11MB2606.namprd11.prod.outlook.com ([fe80::ddc5:5460:7da9:c964]) by SN6PR11MB2606.namprd11.prod.outlook.com ([fe80::ddc5:5460:7da9:c964%4]) with mapi id 15.20.1038.019; Thu, 9 Aug 2018 20:11:59 +0000
From: Caitlin Bestler <cait@asomi.com>
To: Loganaden Velvindron <loganaden@gmail.com>, "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Thread-Topic: [tcpm] TCP segment reassembly vulnerability
Thread-Index: AQHUMBDc+yngLnimCk2VyjEQkFD99KS32fhv
Date: Thu, 9 Aug 2018 20:11:59 +0000
Message-ID: <SN6PR11MB26069983A24EE191F9FD1033D3250@SN6PR11MB2606.namprd11.prod.outlook.com>
References: <CAOp4FwRpO1t5hqv-QGfDi3G7SSRy43Kf+GEirDT24GFJh8r03Q@mail.gmail.com>
In-Reply-To: <CAOp4FwRpO1t5hqv-QGfDi3G7SSRy43Kf+GEirDT24GFJh8r03Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cait@asomi.com;
x-originating-ip: [67.207.101.170]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR11MB2846; 6:tXRh/sQ5CgViJhYW1VoihszUz7rugRK4AMdsKUghb/bawIymSs+d5FyaeP/e2vN2YDU2evjEXz0YkWB+on1lbj226W00s37tRdvS7F84Sdudo6DL67PRYlHuaPZtOVTKRQQgXHLxqJcwuYiUjkwdPniU1QKhjuZofQWg8mA9iQX+hh84qP1qQ/fDfKnixzGy79kWfe9wfAlcy/ZwOtB3AknPjCSU9X70OVnaafvpWwBoPln3YlixMvAU5md90bUySFcNXc+N0Uhd1CAXEElPaHz39jD0Jw4maTaaKnuzTDqBNPtAZglsz1haLwqTI5JM1s9hd2G6G4meeI5SuxMENvVO3+vYQ4dp+KhPc3Ju/0WWFkr00+uiiMxlzhE7fyxlAN2ugZYhcsjCcsBwB47d1Vy9BUgrmuzBYlOATfuv8ft7enFzvxcnKh/EIoGBp2ET9VNdpGvQNUrEsWn2Sp25Pw==; 5:UrTxYXpKHYngohIKb3xdnqkaFPteeTinXvkzGfL9ppHOZEDInQoIEoeGxsZhyCho9OhH0+6LXZiB94rRhV6qbeBKdrNJoP3R4/+NJuo4juu3QhOSPWZ5+Jb3wamr6m6akmRyxcyBNh0EOaZDBY8w2VrTcQbk1+64+FOBhlL4+Qc=; 7:u94LBxZfsuZx6HKEKSDxWOB9UY8cJls5v2RXEpuYz94YNsCWux5zvwOsaV3mWThMlf1tlueEjJ0iJ9fBmDvOT8FJdyeuLPHJvpIVSMOXzkLQug0t6lTrUt3RgUgKe8hW7lopVEH4KNjBlefkMgij80IB+miZ6jnnEA9zhHql0oEWTZda5ZwEdWQX7hOkqTwy133QkUMzQWXB/MUOwpzB7NUYcXQiD1joEpL2gJVWLQHfIILw8QN0gLL7bTi8bksg
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 7b8efbc7-21ac-4f4b-9b8d-08d5fe345d0c
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(7021125)(8989117)(4534165)(7022125)(4603075)(4627221)(201702281549075)(8990107)(7048125)(7024125)(7027125)(7028125)(7023125)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:SN6PR11MB2846;
x-ms-traffictypediagnostic: SN6PR11MB2846:
x-microsoft-antispam-prvs: <SN6PR11MB28468C7E00C1A931C88979B2D3250@SN6PR11MB2846.namprd11.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(85827821059158)(84791874153150);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(3231311)(944501410)(52105095)(149027)(150027)(6041310)(20161123558120)(20161123564045)(20161123562045)(2016111802025)(20161123560045)(6072148)(6043046)(201708071742011)(7699016); SRVR:SN6PR11MB2846; BCL:0; PCL:0; RULEID:; SRVR:SN6PR11MB2846;
x-forefront-prvs: 0759F7A50A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(39830400003)(396003)(136003)(366004)(189003)(199004)(14454004)(186003)(105586002)(106356001)(25786009)(39060400002)(966005)(2900100001)(33656002)(478600001)(99286004)(14444005)(256004)(81156014)(97736004)(81166006)(8936002)(19627405001)(102836004)(53546011)(6506007)(68736007)(8676002)(26005)(5660300001)(76176011)(66066001)(53936002)(3846002)(7696005)(6436002)(6116002)(54896002)(6306002)(606006)(229853002)(86362001)(55016002)(5250100002)(6246003)(9686003)(316002)(236005)(2906002)(446003)(575784001)(7736002)(110136005)(74316002)(486006)(11346002)(476003)(6606003); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR11MB2846; H:SN6PR11MB2606.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: asomi.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: sHV7sa2CWUofDbtewdRCbRlH97R9xWdHYEazejaJgoJCCntfaJFuPypTHDpd1dFLKrC1vAGB7XDvoKhNAGX2x1kgT0GXMHci2LwNdXf3BZB5lqu38akmvI1h3Wa8Jb2PH6QyelsEI9TadQs7EGR+I2zEc7QQKTrKgxMd+9HFgkTup5U58pCcyBDeaJyYHlNgmgg+uOJLFM2aC8aVkRDC2l/jvE/48bQm+Bwb9WrCISwr0CBTvMEV1buPOFhQctup3ir8MzATOP7bIw5OoRem/vpMYMELqRv17GbfFdt3vX56KYAnuJbssBgpHcaH5b6rWRdbcW8lk26BhtCmEuaxb+GM/l1pi5DY5uPQDbYP8lg=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_SN6PR11MB26069983A24EE191F9FD1033D3250SN6PR11MB2606namp_"
MIME-Version: 1.0
X-OriginatorOrg: asomi.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7b8efbc7-21ac-4f4b-9b8d-08d5fe345d0c
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2018 20:11:59.3155 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a90e44c6-9570-49f9-9cdb-dff096fd98a3
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR11MB2846
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/lvnUfum0ADeXVT0LCoTj4XXsbsg>
Subject: Re: [tcpm] TCP segment reassembly vulnerability
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Aug 2018 20:12:05 -0000

My reading of the two citations show that the issue can be addressed
adequately by implementers already without the need for any guidance
from the IETF.


________________________________
From: tcpm <tcpm-bounces@ietf.org> on behalf of Loganaden Velvindron <loganaden@gmail.com>
Sent: Thursday, August 9, 2018 11:43:10 AM
To: tcpm@ietf.org Extensions
Subject: [tcpm] TCP segment reassembly vulnerability

It appears to be an issue on multiple implementations. AFAIK, it's due
to lack of limits for the reassembly logic when the segments enter the
queue.

FreeBSD:
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:08.tcp.asc

Linux:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e

Perhaps it might be worth documenting those solutions and possible workarounds.


Thoughts ?

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm