Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG

Alfie John <alfiej@fastmail.fm> Mon, 18 August 2014 21:34 UTC

Message-Id: <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com>
From: Alfie John <alfiej@fastmail.fm>
To: Jacob Appelbaum <jacob@appelbaum.net>, "Scheffenegger, Richard" <rs@netapp.com>
Date: Mon, 18 Aug 2014 23:34:35 +0200
In-Reply-To: <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/jG9T42yXa5uZ-yIHL7ZIVwyqoio
Cc: Christian Grothoff <christian@grothoff.org>, tcpinc@ietf.org, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
Reply-To: alfiej@fastmail.fm
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>

On Mon, Aug 18, 2014, at 02:50 PM, Jacob Appelbaum wrote:
> On 8/15/14, Scheffenegger, Richard <rs@netapp.com> wrote:
> > I just learned about an individual submission, which is probably of
> > interest not only to the members of these two WGs;
> >
> > http://tools.ietf.org/html/draft-kirsch-ietf-tcp-stealth-00
>
> > There seem to be at least two or three major issues that compromise
> > either the working and stability of TCP, or work against the
> > intended "stealthiness" of this modification (making it easy for an
> > attacker to identify such sessions, provided he is able to actively
> > interfere with segments in transit (ie. cause certain segments to be
> > dropped).
>
> Could you expand on these thoughts a bit?
>
> > Nevertheless, it might be beneficial to discuss the generic idea in
> > a wider forum, among brighter minds than me.

Let's look at Richard's concerns:

> compromise either the working and stability of TCP

This RFC only modifies the calculation of the SQN number in order to get
port-knockable services. Every other host in between just continues to see
the SQN as a random number, as it did before. Unless intermediate hops were
to modify the packet's timestamps, this will be completely backwards
compatible.

> work against the intended "stealthiness" of this modification (making
> it easy for an attacker to identify such sessions, provided he is able
> to actively interfere with segments in transit

This is not about hiding from big brother who is listening on the wire.
This is about minimising your visible footprint to the wider internet.
It's on a par with your server's firewall dropping all incoming connections
unless you have the shared secret. But with this RFC, you don't need to
know the source IP address beforehand.

I think it's a great idea. Nice work.

Alfie

-- 
  Alfie John
  alfiej@fastmail.fm
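The mechanism the message describes, a knock carried in the TCP initial sequence number rather than in a separate packet, is easier to reason about with a runnable model. The block below is an added illustration, not code from this thread and not the algorithm in draft-kirsch-ietf-tcp-stealth-00; its choices are assumptions: HMAC-SHA256 truncated to 32 bits, a 64-second wall-clock window as the freshness input (the draft's actual binding differs), and a server that tolerates one window of clock skew. Function names (stealth_isn, server_accepts, peer_sees_random) are invented for the example.

```python
"""
Illustrative "knock in the ISN" model (added example, not the draft's algorithm).

Client: ISN = HMAC(secret, src||dst||sport||dport||time_window)[:4]
Server: recompute for the current and previous window; answer the SYN only
        if one of them matches, otherwise behave as if the port were closed.
Everyone else on the path sees a 32-bit value that is indistinguishable from
a random ISN, which is the backwards-compatibility point made above.
"""
import hashlib
import hmac
import socket
import struct

WINDOW = 64  # seconds per time window (assumed value, not from the draft)


def stealth_isn(secret: bytes, src: str, dst: str,
                sport: int, dport: int, now: int) -> int:
    """Derive a 32-bit ISN bound to the 4-tuple and the current time window."""
    window = now // WINDOW
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHQ", sport, dport, window))
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big")


def server_accepts(secret: bytes, src: str, dst: str, sport: int, dport: int,
                   isn: int, now: int, skew_windows: int = 1) -> bool:
    """Server-side check of an incoming SYN's ISN.

    Recomputes the expected ISN for the current window and up to
    `skew_windows` earlier ones, and compares in constant time so the
    check itself does not leak timing information about the secret.
    """
    got = isn.to_bytes(4, "big")
    for k in range(skew_windows + 1):
        expected = stealth_isn(secret, src, dst, sport, dport,
                               now - k * WINDOW).to_bytes(4, "big")
        if hmac.compare_digest(expected, got):
            return True
    return False


def peer_sees_random(isn: int) -> bool:
    """What a middlebox can check: only that the ISN is a valid 32-bit value.

    There is no structure to detect in a single SYN; the knock is only
    verifiable by a party holding the secret.
    """
    return 0 <= isn < 2 ** 32


def handshake(secret: bytes, client_secret: bytes, send_time: int,
              recv_time: int) -> bool:
    """Simulate one SYN with constructed sample addresses/ports.

    Returns True if the server would answer the SYN (knock verified)."""
    src, dst, sport, dport = "192.0.2.10", "198.51.100.7", 40000, 22
    isn = stealth_isn(client_secret, src, dst, sport, dport, send_time)
    assert peer_sees_random(isn)  # on-path observers learn nothing more
    return server_accepts(secret, src, dst, sport, dport, isn, recv_time)


if __name__ == "__main__":
    k = b"shared-secret"  # constructed sample secret
    print("right secret, same window :", handshake(k, k, 1000, 1010))
    print("right secret, +1 window   :", handshake(k, k, 1000, 1070))
    print("right secret, +2 windows  :", handshake(k, k, 1000, 1130))
    print("wrong secret              :", handshake(k, b"guess", 1000, 1010))
```

Two things the model makes visible. First, the firewall analogy in the message holds because a client that does not know the secret cannot produce an accepted SYN, yet no per-source allow list is needed. Second, anything on the path that disturbs the freshness input (here, delaying a SYN across more windows than the server tolerates) turns a valid knock into a silently dropped connection, which is the class of "working and stability" concern Richard raised; the right tolerance window is a deployment decision, not a cryptographic one.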