IETF Logo Mail Archive

Re: [tcpm] Some comments on tcpsecure

Joe Touch <touch@ISI.EDU> Sun, 06 April 2008 01:02 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F20C3A6B92; Sat, 5 Apr 2008 18:02:59 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2C10B3A6AA7 for <tcpm@core3.amsl.com>; Sat, 5 Apr 2008 18:02:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jMs7bwtJ+X+f for <tcpm@core3.amsl.com>; Sat, 5 Apr 2008 18:02:57 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 0BC523A682D for <tcpm@ietf.org>; Sat, 5 Apr 2008 18:02:57 -0700 (PDT)
Received: from [127.0.0.1] (pool-71-105-89-117.lsanca.dsl-w.verizon.net [71.105.89.117]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m3612ewe003745 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 5 Apr 2008 18:02:42 -0700 (PDT)
Message-ID: <47F82129.2000603@isi.edu>
Date: Sat, 05 Apr 2008 18:02:33 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <200804041832.m34IWTC5025090@venus.xmundo.net> <47F68794.6050100@isi.edu> <200804042012.m34KCk8U022643@venus.xmundo.net> <47F68DC7.2050303@isi.edu> <200804050557.m355vAjU013266@venus.xmundo.net> <47F7B43E.6010004@isi.edu> <200804052024.m35KOlmj018418@venus.xmundo.net> <47F7E2D0.8010802@isi.edu> <200804052353.m35NrdO1031661@venus.xmundo.net>
In-Reply-To: <200804052353.m35NrdO1031661@venus.xmundo.net>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Some comments on tcpsecure
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1178772018=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org


Fernando Gont wrote:
> At 05:36 p.m. 05/04/2008, Joe Touch wrote:
> 
>> As I said before:
>>
>>         TCP *has* an MSL requirement (RFC793)
>>                 this means that TCP segments should not live
>>                 in the network beyond approx 2 minutes
> 
> Yes, and this requirement cannot be met, as it is based on the 
> assumption that the IP TTL can be enforced. (Not to say that the MSL 
> sort of imposes a requirement on the TTL you set in IP packets. If you 
> set a TTL of say 240, then the TTL becomes 4 minutes, and 2*MSL becomes 
> eight minutes.
> 
> As a result, if anything, this is as incorrect as requiring ICMPs to be 
> in window. Well, unless you run TCP on anything other than IP....

If you want to win this part of the argument, then - as you note - 
window information is never useful within TCP. What's the point of this 
straw-man?

>>         ICMP does *not* have a requirement to respond with an MSL
>>                 so a TCP segment's header can exist inside
>>                 an ICMP packet long after the segment's MSL period
>>
>> As a result, it remains incorrect to validate a TCP segment inside the 
>> ICMP as needing to be "in window".
> 
> If there's an error, the the window won't advance, and in the event the 
> window does advance, then the error was not really "hard". And it would
> have been incorrect to abort the TCP connection. (see e.g., Clark's paper).

The ICMP error isn't "TCP failing to make progress" - if you want that 
one, please create a new ICMP error type. Whether you do or not, please 
stop trying to imply those semantics to the current ICMP errors.

>>> Your argument against (2) is that...mmm... that would be incorrect, 
>>> because it would assume that every packet is an attack. But you do 
>>> want to advocate ICMP filtering at firewalls.
>>
>> Correct. If an individual host or subnet wants to assume that ALL 
>> ICMPs are suspect, then that's its decision - and that already happens 
>> at some firewalls.
> 
> Welcome to the real world. We're suspicious by default.

Postel's rule applies; be conservative in what you do, be liberal in 
what you receive. You can be suspicious all you want - but unfounded 
suspicion isn't appropriate.

>> What "everyone implements" isn't the issue; that is covered in BCPs 
>> when the IETF agrees with it and things like RFC 2525 (Known TCP 
>> Implementation Problems) when the IETF does not feel it is appropriate 
>> to change the standard merely to align with what is deployed.
> 
> What "everyone implements" isn't the issue? ahem... "rough consensus and 
> running code".

It's rough consensus AND running code. Not 'running code trumps everything'.

> There's no code that runs what you're describing, Joe. Everybody is 
> doing what is described in the ICMP attacks draft.

Popular vote does not determine correctness. Part of the problem is that 
there are some people who've deployed prototype code and convinced 
everyone it's appropriate. That is NOT how protocol specifications are 
determined.

We've had this debate before. If there's nothing new to add, let's let 
others chime in.

Joe



_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.35.0 | Report a Bug | By Email | System Status