[tcpm] Security issues of AccECN (was: RE: AccECN field order)
"Scharf, Michael" <Michael.Scharf@hs-esslingen.de> Wed, 18 November 2020 05:36 UTC
Return-Path: <Michael.Scharf@hs-esslingen.de>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ED273A1451; Tue, 17 Nov 2020 21:36:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hs-esslingen.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aUA0epsIqX0W; Tue, 17 Nov 2020 21:36:21 -0800 (PST)
Received: from mail.hs-esslingen.de (mail.hs-esslingen.de [134.108.32.78]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DA3B3A144D; Tue, 17 Nov 2020 21:36:20 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.hs-esslingen.de (Postfix) with ESMTP id 9886425A13; Wed, 18 Nov 2020 06:36:18 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hs-esslingen.de; s=mail; t=1605677778; bh=dRZ8tpmw9h6b87K9J2gDzbOWbN5WL88gjOPCCYnL04U=; h=From:To:CC:Subject:Date:From; b=nNsyBDHum7CU3v5v23gM78wl8lj7cIYJykC26IQYFn2DKIFrYyG7sLbz0UHDBS+7B 0EJb9JvC3a1gsB8jt/meOf77lJ4P4pJF3rr9KpMNRowhFLmxRShpSoIOwO5YsB2UR8 A8vQuZa8h2Wu2rrFfeW/xnu3JAcQtJzC3LOBJG8c=
X-Virus-Scanned: by amavisd-new-2.7.1 (20120429) (Debian) at hs-esslingen.de
Received: from mail.hs-esslingen.de ([127.0.0.1]) by localhost (hs-esslingen.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EFVQ1SDYzJ21; Wed, 18 Nov 2020 06:36:17 +0100 (CET)
Received: from rznt8202.rznt.rzdir.fht-esslingen.de (rznt8202.hs-esslingen.de [134.108.48.165]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hs-esslingen.de (Postfix) with ESMTPS; Wed, 18 Nov 2020 06:36:17 +0100 (CET)
Received: from rznt8202.rznt.rzdir.fht-esslingen.de (134.108.48.165) by rznt8202.rznt.rzdir.fht-esslingen.de (134.108.48.165) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Wed, 18 Nov 2020 06:36:17 +0100
Received: from rznt8202.rznt.rzdir.fht-esslingen.de ([fe80::aca4:171a:3ee1:57e0]) by rznt8202.rznt.rzdir.fht-esslingen.de ([fe80::aca4:171a:3ee1:57e0%3]) with mapi id 15.01.1979.006; Wed, 18 Nov 2020 06:36:17 +0100
From: "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
To: Bob Briscoe <ietf@bobbriscoe.net>, Yoshifumi Nishida <nsd.ietf@gmail.com>
CC: Michael Tuexen <tuexen@fh-muenster.de>, "tcpm-chairs@ietf.org" <tcpm-chairs@ietf.org>, Mirja Kuehlewind <ietf@kuehlewind.net>, "Scheffenegger, Richard" <Richard.Scheffenegger@netapp.com>, tcpm IETF list <tcpm@ietf.org>
Thread-Topic: Security issues of AccECN (was: RE: AccECN field order)
Thread-Index: Ada9a3nGhSM/yBYjQcaGPWFu48rdFA==
Date: Wed, 18 Nov 2020 05:36:16 +0000
Message-ID: <20ac3652d55d4bc19c9c37714c59c95c@hs-esslingen.de>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [134.108.140.248]
Content-Type: multipart/alternative; boundary="_000_20ac3652d55d4bc19c9c37714c59c95chsesslingende_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/hIKV5uXEOAdIhoPf-V9PCL--aAU>
Subject: [tcpm] Security issues of AccECN (was: RE: AccECN field order)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 05:36:23 -0000
Only on remark [ms2] regarding the issue of a covert channel due to „forward compatibility“…
From a security perspective, it is not clear to me whether allowing arbitrary unspecified bytes in a TCP option is a good idea *at all*. It will be interesting to hear the opinion from SEC area on that. Personally, I am not convinced that this really makes sense, but I my concerns are not strong enough to formally push back. I’ll leave it to others to think about whether this is a bug or a feature.
[BB] Well, let's first try to deal with security ourselves:
* Octets that are explicitly declared as part of an option cannot be used for a buffer overflow attack. I don't really need to, but I could add the following text to the forward compatibility wording:
A receiver considers octets beyond those it uses, but within the specified length, as if they are padding.
* And such octets cannot be any different from the current ability of a sender to add padding. So there's no new attack possible here.
* And there's no need to specify a max length for any AccECN Option, which would just unnecessarily limit flexibility.
[ms] I have more thought about the covert channel that some unspecified bytes in a standards track TCP option could offer… In particular if the AccECN option gets widely deployed and used, would some malicious users find those bytes useful? For what? For instance, what in the AccECN protocol design prevents use of these “padding” bytes as super-cookie? To me, it is much more important to think about abuse of whatever we standardize *now*, instead of engineering for some entirely unknown future. I am not a security expert, but I suggest a careful analysis of any security implications of the AccECN option. We seldomly specify new TCP options and malicious users will certainly look for “opportunities” in the spec. So far, I don’t know whether that whole idea of forward compatibility is a feature or a bug.
[BB] If that were a problem, it could already be done, because (by my reading of RFC793) it is valid to set the data offset to stretch out the padding to any length within the max option space limits.
[ms2] I don’t understand. RFC 793 mandates that padding is composed of zeros, i.e., a firewall or IDS could detect a non-zero covert channel in the padding (and even remove the padding). Also, there are IMHO no reasonable engineering reasons for making the padding longer than needed, i.e. such a covert channel could be detected as anomality. As far as I understand RFC 793, a middlebox could also safely remove the additional padding w/o impacting a standard-compliant TCP connection.
[ms2] Allowing arbitrary bytes in a TCP option is IMHO a very different story, in particular if you allow the values to have non-zero values and forbid middleboxes to check or remove parts of the option that are not standardized by the IETF. If I correctly understand draft -13, an attacker could transmit 29 bytes payload at the end of the AccECN option, in any TCP connection, for any purpose.
[ms2] I think the „forward compatibility“ (e.g., Section 3.3.2 in the I-D) needs a very careful security analysis. As far as I understand, this whole idea of „forward compatibility“ is not needed for using the *currently* standardized AccECN options. IMHO you could just remove that „forward compatibility“ idea w/o impacting the rest of the AccECN protocol as currently specified (including the current format of the two options). If the idea of „forward compatibility“ stays in the document, IMHO the security section needs a dedicated discussion regarding potential misuse as covert channel. This could either be a security or privacy issue, depending on who puts what additional bytes into the option and claims that these bytes to be AccECNv2.
Michael
- [tcpm] Security issues of AccECN (was: RE: AccECN… Scharf, Michael
- Re: [tcpm] Security issues of AccECN (was: RE: Ac… Bob Briscoe