Re: [tcpm] TCP Fast Open and dynamic IP-address assignments

Yuchung Cheng <ycheng@google.com> Sat, 13 April 2013 20:24 UTC

In-Reply-To: <51695516.50505@nexgo.de>
References: <51695516.50505@nexgo.de>
From: Yuchung Cheng <ycheng@google.com>
Date: Sat, 13 Apr 2013 13:24:03 -0700
Message-ID: <CAK6E8=dmm37VThD0t5dm12U6ME9nFbj8P2Y=tE_T+ATyYGjg6g@mail.gmail.com>
To: Hendrik Brummermann <nhb_web@nexgo.de>
Cc: "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Subject: Re: [tcpm] TCP Fast Open and dynamic IP-address assignments

On Sat, Apr 13, 2013 at 5:52 AM, Hendrik Brummermann <nhb_web@nexgo.de> wrote:

> The section on security considerations mentions carrier grade NAT as a
> potential issue. A similar issue exists in the context of dynamic
> IP-address assignments:
>
> An adversary may request a TFO cookie and disconnect from the Internet.
> A new user will get the same IP-address. But the adversary can still
> send packets with the TFO cookie, spoofing this IP-address as source.
>
Are you suggesting the current text
http://tools.ietf.org/html/draft-ietf-tcpm-fastopen-03#section-6
is not clear on this case? Happy to revise if it's not clear.


>
> In addition to the reflection of large answer packets to the current
> user, this makes it likely that the current user is blamed for malicious
> actions caused by the adversary. Log files on the server will show the
> IP-address and the current timestamp.
>
So is a regular SYN flood. BTW, the "large answer" packets are limited to
the initial TCP congestion window.

>
> While the NAT gateway may prevent TCP Fast Open by filtering the flags,
> there seems to be no way an Internet user can protect himself against
> the previous user of his ip-address.
>
Yes, if the ISP allows any user to send IP packets with a (previously owned)
spoofed IP address.
(And so is a regular SYN flood.)

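The draft referenced above binds the TFO cookie to the client's IP address via a server-side secret and expects that secret to be rotated periodically, which is what bounds the window in which a previous holder of an address can keep using its cookie. The following is an added example, not code from this thread or from any TFO implementation: a hypothetical server-side cookie issuer/validator in Python with an injectable clock, a constructed key lifetime, and a one-key grace period, used to walk through the reassigned-address scenario from the quoted message.

```python
import hashlib
import hmac
import ipaddress
import os
import time

COOKIE_LEN = 8          # cookie length in bytes (constructed choice within the draft's 4..16 range)
KEY_LIFETIME = 600      # seconds a key is used for issuing; constructed value for this example


class TfoCookieServer:
    """Hypothetical TFO cookie issuer/validator with periodic key rotation.

    The cookie is a truncated HMAC over the packed client IP address, keyed
    with a server secret. A rotated-out key is kept as `previous_key` so that
    cookies issued just before a rotation still validate once; after a second
    rotation they are rejected. This is an illustration of the mechanism the
    draft describes, not a reference implementation.
    """

    def __init__(self, now=None, lifetime=KEY_LIFETIME):
        self.lifetime = lifetime
        self._now = now if now is not None else time.time  # injectable clock for testing
        self.current_key = os.urandom(16)
        self.previous_key = None
        self.key_issued_at = self._now()

    def _maybe_rotate(self):
        # Rotate lazily on use: current key becomes previous, a fresh key is drawn.
        if self._now() - self.key_issued_at >= self.lifetime:
            self.previous_key = self.current_key
            self.current_key = os.urandom(16)
            self.key_issued_at = self._now()

    @staticmethod
    def _mac(key, client_ip):
        # Bind the cookie to the client address only (as the draft does), so a
        # cookie is reusable by whoever can source packets from that address.
        addr = ipaddress.ip_address(client_ip).packed
        return hmac.new(key, addr, hashlib.sha256).digest()[:COOKIE_LEN]

    def issue(self, client_ip):
        self._maybe_rotate()
        return self._mac(self.current_key, client_ip)

    def validate(self, client_ip, cookie):
        self._maybe_rotate()
        for key in (self.current_key, self.previous_key):
            if key is not None and hmac.compare_digest(self._mac(key, client_ip), cookie):
                return True
        return False


def scenario(lifetime=KEY_LIFETIME):
    """Replay the thread's scenario with a fake clock and return what the server accepts.

    1. A client at 192.0.2.10 (constructed address) obtains a cookie.
    2. The cookie is presented from a different address: rejected (IP-bound).
    3. The address is reassigned; packets spoofed from 192.0.2.10 with the old
       cookie are still accepted until the issuing key has aged out.
    """
    clock = [1000.0]
    srv = TfoCookieServer(now=lambda: clock[0], lifetime=lifetime)
    cookie = srv.issue("192.0.2.10")

    same_addr_now = srv.validate("192.0.2.10", cookie)
    other_addr = srv.validate("192.0.2.11", cookie)

    clock[0] += lifetime + 100          # one rotation: old key is now `previous_key`
    after_one_rotation = srv.validate("192.0.2.10", cookie)

    clock[0] += lifetime + 100          # second rotation: old key is gone
    after_two_rotations = srv.validate("192.0.2.10", cookie)

    return {
        "same_addr_now": same_addr_now,
        "other_addr": other_addr,
        "after_one_rotation": after_one_rotation,
        "after_two_rotations": after_two_rotations,
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The shape of the result is the point of the thread: the cookie is useless from any other address, but from the reassigned address it remains valid for up to two key lifetimes, so the key lifetime, not anything the new holder of the address can do, is the server-side knob that limits the exposure.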