[tcpm] previous notes on tcp-secure-04
Joe Touch <touch@ISI.EDU> Fri, 14 July 2006 02:24 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1DLl-0004yl-Az; Thu, 13 Jul 2006 22:24:17 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1DLk-0004yZ-IQ for tcpm@ietf.org; Thu, 13 Jul 2006 22:24:16 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G15Fw-00018N-OU for tcpm@ietf.org; Thu, 13 Jul 2006 13:45:44 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1G158j-0003D8-1x for tcpm@ietf.org; Thu, 13 Jul 2006 13:38:18 -0400
Received: from [132.219.18.179] (h12b3-net84db.lab.risq.net [132.219.18.179] (may be forged)) by vapor.isi.edu (8.11.6p2+0917/8.11.2) with ESMTP id k6DHaHH24381; Thu, 13 Jul 2006 10:36:17 -0700 (PDT)
Message-ID: <44B6848B.5050108@isi.edu>
Date: Thu, 13 Jul 2006 10:36:11 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: tcpm@ietf.org
X-Enigmail-Version: 0.94.0.0
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: -2.6 (--)
X-Scan-Signature: 25eb6223a37c19d53ede858176b14339
Subject: [tcpm] previous notes on tcp-secure-04
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2070166575=="
Errors-To: tcpm-bounces@ietf.org
Here are my previous notes on v04, with comments to clarify. I do not
feel that some were addressed in v05. I appreciate Randall's addressing
them in the WG today, but it would have been useful to have addressed
them on-list when 05 was issued. That would have saved substantial
effort in re-reviewing 05 on points that were not addressed.
I further felt that 05 was a cosmetic update to 04, especially given the
detail provided below.
FWIW, these were sent privately to Randall and the chairs in March; this
is the first time they appear on this list.
I have added "NOTE:" comments to clarify below.
Joe
-----------------------------------------------------------------------
A. the doc describes 3 different mods
1. RST
2. SYN
3. data injection
It'd be useful to explain what the common thread is, and why all three
are needed. RST and SYN fall into the same "short run for a long slide"
category.
NOTE: there are a set of solutions that are all
presented in this document as related, and all implied as
"quick fixes with large benefit" (short run/long slide).
It'd be useful to explain them as having a common reason,
rather than just as a shopping list of things to fix.
The data injection stuff seems out of place, though. The solution is
comparatively cumbersome and I don't believe as well agreed. It's also a
bit misnamed (it's really a blind window sliding attack), and blind data
injection is still fairly simple (in-window).
B. the general document writing and presentation needs work
including spelling, sentence structure, etc.
NOTE: this refers to readability and comprehension
of the issues and protocol changes required, to the
extent that the current language gets in the way
of that.
C. I would suggest a more focused discussion as follows:
a. section 1 should summarize tcp-antispoof in a paragraph or
two, but otherwise ref off to that
instead, it should focus on a few things:
1. how a TCP solution is different
2. why the group of mods to TCP are all related
3. why modifying TCP here is a good thing
I would agree that cleaning up unintended holes in TCP
processing is reasonable, esp. given the small mods that can
accomplish them (e.g., for RST and SYN).
I would prefer if that were the focus of the doc (safety from
incorrect messages, regardless of intent) , with the
side effect of increasing resistance to some recent attacks,
BUT that if real protection is required, that real security
is recommended (e.g., IPsec).
Where increased resistance is described ("much harder"), it
should be quantified.
b. the protocol sections should discuss things 793-style
Some of the discussion of the changes seems more like a
recipe than a protocol spec change.
Specific portions of 793 should be quoted where needed,
and changes clearly indicated. These should be entitled
"Changes to 793" or somesuch, rather than 'Mitigation'.
c. section 5- the blind data stuff, is "too long a walk
for a short slide"
It requires new TCB state (MAX.SND.WND) which is very informally
introduced, and not discussed:
- do you save the window scale for that max?
- does this present an opportunity for attack itself?
While this protects from some ACK attacks, it's still
sufficiently easy, after this mod, to inject ACKs that
accomplish the same purpose, or to inject data similarly.
I would recommend removing it.
D. ACK throttling needs a more clear discussion
The requirements need to be separated and condensed as a list, rather
than dispersed througout (the same recommendation applies to other
sections, BTW).
The potential for implementation deadlock deserves much more than a
passing reference; this is a substantial concern. If there's a way
around it, it should be discussed. It seems incumbent to me that this
solution MUST ;-) specify the protocol behavior in such a way that
such deadlocks are not possible. (793 does this all over the place, by
placing rules on the order of handling queued segments, order of
handling signals, data, etc., etc.)
E. the backward compatibility section needs to highlight a few more things:
- - when incrementally or mutually deployed (separate discussions):
- which sides benefit and how
- which sides are impacted and how
- is there any impact or benefit to third parties
middlebox considerations are a subsection of backward compatibility, IMO
I would suggest that mboxes that modify TCP packets are briefly
described as "deserving what they get" rather than going into details.
What some mboxes do is irrelevant; more to the point is what we can
expect a mbox to do, and that's not really static anyway (unless you
refer off to the RFC defining the versions, like half-cone, full-cone,
etc.) Finally, I would suggest that protection from mbox interference is
better provided by IPsec (which would interfere with mbox mod of the
packets). ;-)
Interoperability reports seem like at best an appendix, but more like
something that would accompany the submission of this doc as
standards-track. It doesn't seem like it ought to be inside the doc.
F. security considerations should address the benefits vs limits in
specific - how much more security is provided, and what are the limits.
it should also note that on-path attacks are still possible, and that
data injection attacks are still possible. it should finally note that
full protection warrants the use of IPsec (that's what security consids
are for!)
if there are still deadlocks possible that can be triggered by malicious
parties, then that needs to be noted here too
G. section 12 ought to note the input of the TCPM WG, and a few names
there if you feel appropriate. This work was, IMO, polished by the WG a
bit since I first saw it (e.g., the need for ACK throttling), and that
too should (IMO) be noted.
NOTE: i.e., the ack throttling (ACK war avoidance solution)
should be noted as a WG contribution.
---
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] previous notes on tcp-secure-04 Joe Touch