IETF Logo Mail Archive

Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG

Hagen Paul Pfeifer <hagen@jauu.net> Tue, 19 August 2014 18:07 UTC

Return-Path: <hagen@jauu.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54D0F1A0684 for <tcpm@ietfa.amsl.com>; Tue, 19 Aug 2014 11:07:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vK25rEBn8vvr for <tcpm@ietfa.amsl.com>; Tue, 19 Aug 2014 11:07:27 -0700 (PDT)
Received: from mail-la0-f42.google.com (mail-la0-f42.google.com [209.85.215.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61AEC1A0665 for <tcpm@ietf.org>; Tue, 19 Aug 2014 11:07:27 -0700 (PDT)
Received: by mail-la0-f42.google.com with SMTP id pv20so6280017lab.1 for <tcpm@ietf.org>; Tue, 19 Aug 2014 11:07:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=pmotbsUgAlQbsGxenyIVVMObpkAMjCWIKZeywVRO7c8=; b=NoSR/Zwsn/JdVuYLiHxM3pnl4WjNFn2lvjBC3WGTyoZsgpdDYyqloW2rlvgI769e7n kbcMcoBd1hSOSoRwRpBLkNkX64Yn2O25cQJIZkmBC5o5jz6JWGEvLummFHjJtQ7N04iE bEJc+vHSrDQhkRXI975zs0cDAYoaZv9wN/Evk2IJzFBCEyXHXxyvOCsW52j9QgWoec5X tDs1gOwEJweGh+ViIiGD8BM0wMZ4UTOOCt4W6VVd4wvdoRxo7pD7zF+H96tXs1gMS1mI 9Qswh+KwlNYgoAhS97jFxae71E4yiPQ2Nxxc9Xfx6eWoVGAsNT6pqtWTKU9sWtnOZwVS WJyg==
X-Gm-Message-State: ALoCoQl0AysOowGrsfNLEKqUiLCJWBrtY/TUqEOMOj8+0psCz7Gwkq8eg2OixrB4CDgW+N9R+E+Z
MIME-Version: 1.0
X-Received: by 10.152.87.97 with SMTP id w1mr11322668laz.92.1408471645560; Tue, 19 Aug 2014 11:07:25 -0700 (PDT)
Received: by 10.152.242.42 with HTTP; Tue, 19 Aug 2014 11:07:25 -0700 (PDT)
X-Originating-IP: [2a02:810d:740:57c:6a05:caff:fe03:ab31]
In-Reply-To: <CAFggDF39L+kLQLmiWJR3q6suPOtYmKJiJUqp0kBv7GjUtNVOjA@mail.gmail.com>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com> <1408401991.317123.154137701.0A30F30C@webmail.messagingengine.com> <CAPh34meB=EtgNu=_eBS6ekB20fRccAqXFWydkCWG+6VKSa98rg@mail.gmail.com> <CAFggDF39L+kLQLmiWJR3q6suPOtYmKJiJUqp0kBv7GjUtNVOjA@mail.gmail.com>
Date: Tue, 19 Aug 2014 20:07:25 +0200
Message-ID: <CAPh34mdPtKvVJ2FfshPFwrwRDOw9CxxHT4ZTFYZZEVSoKOEq0A@mail.gmail.com>
From: Hagen Paul Pfeifer <hagen@jauu.net>
To: Jacob Appelbaum <jacob@appelbaum.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/j5ANa06k9xHQdxXxaODIu-XSyM0
Cc: "tcpinc@ietf.org" <tcpinc@ietf.org>, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, Joe Touch <touch@isi.edu>, Christian Grothoff <christian@grothoff.org>, alfiej@fastmail.fm
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 18:07:29 -0000

On 19 August 2014 19:15, Jacob Appelbaum <jacob@appelbaum.net> wrote:

> No. I want to protect my TLS service from implementation exploitation.
> You cannot probe my TLS service for the next heartbleed without a
> shared secret.

C'mon Jacob, this smells fishy! Let's assume you protect *your*
service from one potential TLS bugs, this is (partly) possible with
the mechanism described in the ID. But what happens in the meantime
with your https:// browsing, openvpn, ... communications? If you
assume bugs in TLS you must stop all your communications! TLS and
strong cryptography is the fundamental building block - when it is
broken the whole communication system is b0rken.

The other way, if you trust TLS you can also trust the TLS client
certificates mechanism as well.

I understand your objection but the "fix" feels wrong. We should do
everything we can to make TLS fast, clean and strong. But to repeat
myself: I see advantages and benefits and _if_ there are no major
disadvantages we can push things forward. Well, no need to answer
here, I got your point in detail and I want to make sure we discuss
all possibilities, using TLS client certificates is one alternative.

> It isn't abuse - we're even trying to make it a standard to ensure
> that it is well documented non-abusive behavior - rather different
> than most other port knocking, I'd add.

The ISN has 32 bits, reduce this space leads to problems in the past.
We must do everything to not open any other attack vectors regarding
TCP by mistake. If you *prove* that this will not lead to problems, I
will never ever mention the word "abuse" in an email to you! ;-)

Hagen

v2.23.0 | Report a Bug | By Email