Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf-tcpm-rfc793bis-25: (with DISCUSS and COMMENT)
"touch@strayalpha.com" <touch@strayalpha.com> Wed, 23 March 2022 16:40 UTC
Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB8BC3A17C7; Wed, 23 Mar 2022 09:40:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.328
X-Spam-Level:
X-Spam-Status: No, score=-1.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TIUPZ4JfQbIo; Wed, 23 Mar 2022 09:40:03 -0700 (PDT)
Received: from server217-1.web-hosting.com (server217-1.web-hosting.com [198.54.114.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4740E3A17C5; Wed, 23 Mar 2022 09:40:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=3aiqha/xghVLsbqBMPn8LngDuhNnqbIdaF5Osxi+gJs=; b=sMP2X+4BM2fF3a13ZZJgT+BhJ+ 44EC6FWnXS6GMFHk9eUJmtiDJAC4dvV8f83GXqBneDafh5qZln1oM0oTvlMBpge1dF6yeq5nlnzjq /VWcjWmUTwchvKgc8llxmrxz96lNOreydPDK+9Oi43RSEoi0Z0zSS6HcoQoL/XdghzoqyRftEag+E dAuEg3i7HUn/9eNul+MCZMsLgJcq2qw59fCFnTyimDhqMOnvN9LIWKt+t87l8hwn63aDTDGLaGmYb 3TeUK1wW782m7WqlS8kt188+SbSC2PaCTgBmuugs/kNfMG3GasYFARdZg0GtjNVuOYVMV2JKSVvdP pQ29O6+Q==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:60171 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <touch@strayalpha.com>) id 1nX41d-000dQJ-AM; Wed, 23 Mar 2022 12:40:02 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_7840F894-6CD2-4B27-AF5C-3E9D8DEA9B30"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <20220323134718.GI13021@mit.edu>
Date: Wed, 23 Mar 2022 09:39:56 -0700
Cc: draft-ietf-tcpm-rfc793bis@ietf.org, tcpm@ietf.org, The IESG <iesg@ietf.org>, tcpm-chairs@ietf.org
Message-Id: <7926767A-3CEE-46B7-8A8E-DFF991468825@strayalpha.com>
References: <20220322105731.GB13021@mit.edu> <86138A85-CA18-44FA-BEA7-50C5BD0341B4@strayalpha.com> <20220323134718.GI13021@mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/jdsrXCwymRX4jmm4hVmrJyNU8iw>
Subject: Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf-tcpm-rfc793bis-25: (with DISCUSS and COMMENT)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 16:40:08 -0000
— Dr. Joe Touch, temporal epistemologist www.strayalpha.com > On Mar 23, 2022, at 6:47 AM, Benjamin Kaduk <kaduk@mit.edu> wrote: > > On Tue, Mar 22, 2022 at 06:28:03AM -0700, Joe Touch wrote: >> ... >> It’s not the traffic alone, but the location of the traffic too. > > RFC 3552 is pretty clear that we should design for That document describes how to write *security considerations*. It is not a protocol design recommendation. Note also that. 3552 also overlooks key issues in threat assessment (more later below). > a threat model where the > attacker controls the communication channel. I think that underscores the issue. You seem to think we are designing a security protocol. I do not. >> Unless you run a server with connections whose interruption is useful, this is not an attack worth over engineering protection for. Even for BGP, the primary case of concern, the vulnerability isn’t just from interrupting the connection, but from the incorrect assumption that dropped connections should cause dropped routes. That errant assumption has already been corrected. > > Could you clarify which parts of my proposed text you see to be > "over-engineering"? You gave a very long update but didn’t highlight or explain the specific changes. Of the text you gave: To avoid confusion we must prevent segments from one incarnation of a connection from being used while the same sequence numbers may still be present in the network from an earlier incarnation. However, the design of the TIME-WAIT state means that actual information about previously used sequence numbers will be discarded, and a robust system will provide some protection against processing segments from a previous incarnation of the connection even when such sequence-number state has been discarded or lost (e.g., due to restart). The procedure for selecting an initial sequence number (ISN) for an instance of a connection needs to be designed so as to minimize the likelihood of sequence number reuse for that connection. This procedure also needs to account for the security issues that result if an off-path attacker is able to predict or guess ISN values [43], >> break inserted to show change as a special case of the attacks possible by guessing in-window sequence number values at any point in a connection's lifecycle. >> That last sentence is incorrect. Here’s a fix: which can enable an off-path attacker to attack a connection by predicting in-window sequence numbers shortly after the connection starts, if the attacker knows the connection socket pair. >> knowing the ISN does no good after the window moves on. >> and knowing the socket pair is also required The logical independence of sequence numbers across connections, combined with the ease with which an attacker can probe the ISN generation algorithm on an individual connection and data minimization best practices, implies that ISN generation should >> add also >> produce unrelated values for different connections at any given point in time. Within a given connection, the likelihood of sequence number reuse is minimized by ensuring that the full space >> majority of the space, not the full space of potential ISN values is exhausted before reusing any individual ISN value. In keeping with RFC 793, this specification achieves that behavior using a number sequence that monotonically increases until it wraps, known loosely as a "clock". This clock is a 32-bit counter that typically increments at least once every roughly 4 microseconds, although it is neither assumed to be realtime nor precise, and need not persist across reboots. The clock component is intended to ensure that within a Maximum Segment Lifetime (MSL), generated ISNs will be unique, since it cycles approximately every 4.55 hours, which is much longer than the MSL. The combined properties of connection independence and clock dependence of ISNs can be achieved with only a small amount of per-implementation state by combining a global clock with a pseudorandom function of the connection identifiers and a secret key; the following procedure from [43] SHOULD be used for ISN selection: ISN = M + F(secretkey, localip, localport, remoteip, remoteport) where M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the connection's identifying parameters ("localip, localport, remoteip, remoteport") and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or an attacker could still guess at sequence numbers from the ISN used for some other connection. The PRF could be implemented as a cryptographic hash of the concatenation of the TCP connection parameters and some secret data. For discussion of the selection of a specific hash algorithm and management of the secret key data, please see Section 3 of [43]. >> the following section goes overboard: In cases where the above procedure is not used, the selection of initial sequence numbers for a connection still MUST incorporate a clock-driven update as described above into its generation of initial sequence numbers (MUST-8). >> The above effectively changes the SHOULD to a MUST. >> —— RFC 3552 talks about threat assessment, but does not even mention the probability of an attack. For ISNs, this all boils down to the probability that an attacker - knows IP addresses - knows port pair - but is off-path An on-path attacker can just read the ISN as it flies by. Off path attacks aren’t typically aimed at arbitrary endpoints; they are targeted to well-known services, esp. between known pairs. BGP is the typical case, and there are not really a lot of others. And BGP needs to be protected with TCP-AO or IPsec, IMO. So all of this is “security theater” that has no impact on most users, except to complicate implementations. >> A security problem is a combination of a the existence of vulnerability, how easy it is to exploit, how likely it is to occur, and the impact if it does occur. Those four converge in only a very few places, whose operators SHOULD use protection. But this is not the only protection and we don’t need to complicate TCP everywhere in the name of ‘security’. > > Similarly, could you clarify which parts of my proposal you see as > "complicat[ing] TCP everywhere"? > >> If we did, why are you not advocating to require true security (TCP-AO) rather than this halfway measure? I’m guessing cost and complexity vs benefit. The same argument applies to needing clocks though. > > I'm happy to advocate requiring true security, but not as part of a "bis" > of the core TCP specification at the Internet Standard maturity level. > Such a revision of the core specification has stringent requirements > for backwards compatibility that are clearly not met for TCP-AO at the > present time. If we come back in a decade, maybe the situation will be > different, but it's clearly not feasible right now. I was trying to use hyperbole to prove a point. I am not advocating true security for the core of TCP either. Joe
- [tcpm] Benjamin Kaduk's Discuss on draft-ietf-tcp… Benjamin Kaduk via Datatracker
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… touch@strayalpha.com
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… Wesley Eddy
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… touch@strayalpha.com
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… Wesley Eddy
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… touch@strayalpha.com
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… Scharf, Michael
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… Wesley Eddy
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… Joe Touch
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf… touch@strayalpha.com