Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
Florian Westphal <fw@strlen.de> Tue, 19 August 2014 21:23 UTC
Return-Path: <fw@strlen.de>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1C481A6F58; Tue, 19 Aug 2014 14:23:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m67cgEkFP6qQ; Tue, 19 Aug 2014 14:23:55 -0700 (PDT)
Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [IPv6:2001:4d88:1ffa:82:880:aa0:9009:64ae]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C09B01A6F55; Tue, 19 Aug 2014 14:23:55 -0700 (PDT)
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.80) (envelope-from <fw@strlen.de>) id 1XJqsh-00089n-Cw; Tue, 19 Aug 2014 23:23:51 +0200
Date: Tue, 19 Aug 2014 23:23:51 +0200
From: Florian Westphal <fw@strlen.de>
To: Jacob Appelbaum <jacob@appelbaum.net>
Message-ID: <20140819212351.GB11767@breakpoint.cc>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com> <1408401991.317123.154137701.0A30F30C@webmail.messagingengine.com> <CAPh34meB=EtgNu=_eBS6ekB20fRccAqXFWydkCWG+6VKSa98rg@mail.gmail.com> <CAFggDF39L+kLQLmiWJR3q6suPOtYmKJiJUqp0kBv7GjUtNVOjA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAFggDF39L+kLQLmiWJR3q6suPOtYmKJiJUqp0kBv7GjUtNVOjA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/eMekVFMfEZcd-RV92tAIA93oWZ4
Cc: "tcpinc@ietf.org" <tcpinc@ietf.org>, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, Joe Touch <touch@isi.edu>, Christian Grothoff <christian@grothoff.org>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 21:23:59 -0000
Jacob Appelbaum <jacob@appelbaum.net> wrote: > No. I want to protect my TLS service from implementation exploitation. > You cannot probe my TLS service for the next heartbleed without a > shared secret. So you won't accept e.g. smtp STARTTLS on your mail server? Also, once this becomes widespread, people will add --probe-all-isns switch to their port scanners.... It looks to me like this (I apologize In advance if this seems offensive): Q: - I want to run $service, but I don't want anyone to see it! A: - don't run it. Q: - But I need to access the service sometimes from random locations! A: - protect it with a password/some other form of secret. Q: - But then its visible to port scanners! A: - So what? Q: - But it allows people who have detected service presence to try running exploits against it! A: - If you really care, tunnel via ssh perhaps? Q: But I really really want to hide the presence of all services, i.e. all tcp ports should appear to be closed A1: - There are portknock schemes to add obfuscation if you really want this. Q: - But I cannot use portknocking because....? A: - ? I tried to find explanation in draft-kirsch-ietf-tcp-stealth-00, but did not find any. It talks about "pitfalls" of applications trying to "reimplement tcp in user space". Perhaps there should be a paragraph as to why ra But even assuming that there is a need for portknocking and/or TCP Stealth: - How does this relate to TCP-AO? (The draft mentions tcp md5sig only, then disregards it as it doesn't work in NATted environments) [ I realize TCP AO has other issues esp. vs. the proposed stealth scheme, especially wrt. complexity. Anything else? ] Problems I see with the proposal (ignoring the TCP related issues others pointed out and the "obscurity only" approach), and a few questions: - What about timing? I.e. is response time different regarding RST-from-closed-port vs. RST-from-stealth port? - e.g., are hosts required to perform authentication even for SYN-to-closed-port, etc? - Your adversary may be able to do full passive monitoring of all network traffic (also compare "replay" above), so whats the purpose of "avoiding" active scans? - Key Propagation (either your group is very very small, or I can probably find the secret-secret-word via a web search...) - Seems most services cannot use it since they have to accept connections from (almost) anyone In fact, this is one of the main problems that I see with the proposal; its use seems severely limited; up to the point where its unusable in practice. Perhaps it would help to show specific usage examples of how this would be deployed/where this is usable? > > Another objection: the mechanism help only for a small fraction of use > > cases. Especially when the server communicate with one or a few > > clients where the "shared secret" is no problem. But especially in > > these setups TLS client certificates could be used without any > > problems. > > > > What happens in your example when there is exploitable code in the > client certificate parsing code? "What happens in your example when there is exploitable code in the payload protection verification?" [ Its rhetoric question. I am aware of complexity difference. The point is, do your really think its worth to add yet another layer -- which can have issues both in the specification and the implementation -- rather than e.g. slim down/fix security transport protocol specs and implementations? ] Else, I guess I could argue that running your service via SCTP is "more secure" since its "less likely to be found in scan..."
- [tcpm] TCP Stealth - possible interest to the WG Scheffenegger, Richard
- Re: [tcpm] TCP Stealth - possible interest to the… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] TCP Stealth - possible interest to the… Ted Faber
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Yoshifumi Nishida
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Daniel Borkmann
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff