Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf-tcpm-rfc793bis-25: (with DISCUSS and COMMENT)

"touch@strayalpha.com" <touch@strayalpha.com> Wed, 23 March 2022 16:40 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB8BC3A17C7; Wed, 23 Mar 2022 09:40:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.328
X-Spam-Level:
X-Spam-Status: No, score=-1.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TIUPZ4JfQbIo; Wed, 23 Mar 2022 09:40:03 -0700 (PDT)
Received: from server217-1.web-hosting.com (server217-1.web-hosting.com [198.54.114.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4740E3A17C5; Wed, 23 Mar 2022 09:40:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=3aiqha/xghVLsbqBMPn8LngDuhNnqbIdaF5Osxi+gJs=; b=sMP2X+4BM2fF3a13ZZJgT+BhJ+ 44EC6FWnXS6GMFHk9eUJmtiDJAC4dvV8f83GXqBneDafh5qZln1oM0oTvlMBpge1dF6yeq5nlnzjq /VWcjWmUTwchvKgc8llxmrxz96lNOreydPDK+9Oi43RSEoi0Z0zSS6HcoQoL/XdghzoqyRftEag+E dAuEg3i7HUn/9eNul+MCZMsLgJcq2qw59fCFnTyimDhqMOnvN9LIWKt+t87l8hwn63aDTDGLaGmYb 3TeUK1wW782m7WqlS8kt188+SbSC2PaCTgBmuugs/kNfMG3GasYFARdZg0GtjNVuOYVMV2JKSVvdP pQ29O6+Q==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:60171 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <touch@strayalpha.com>) id 1nX41d-000dQJ-AM; Wed, 23 Mar 2022 12:40:02 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_7840F894-6CD2-4B27-AF5C-3E9D8DEA9B30"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <20220323134718.GI13021@mit.edu>
Date: Wed, 23 Mar 2022 09:39:56 -0700
Cc: draft-ietf-tcpm-rfc793bis@ietf.org, tcpm@ietf.org, The IESG <iesg@ietf.org>, tcpm-chairs@ietf.org
Message-Id: <7926767A-3CEE-46B7-8A8E-DFF991468825@strayalpha.com>
References: <20220322105731.GB13021@mit.edu> <86138A85-CA18-44FA-BEA7-50C5BD0341B4@strayalpha.com> <20220323134718.GI13021@mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/jdsrXCwymRX4jmm4hVmrJyNU8iw>
Subject: Re: [tcpm] Benjamin Kaduk's Discuss on draft-ietf-tcpm-rfc793bis-25: (with DISCUSS and COMMENT)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 16:40:08 -0000

—
Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

> On Mar 23, 2022, at 6:47 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> On Tue, Mar 22, 2022 at 06:28:03AM -0700, Joe Touch wrote:
>> ...
>> It’s not the traffic alone, but the location of the traffic too.
> 
> RFC 3552 is pretty clear that we should design for

That document describes how to write *security considerations*. It is not a protocol design recommendation.

Note also that. 3552 also overlooks key issues in threat assessment (more later below).

> a threat model where the
> attacker controls the communication channel.  

I think that underscores the issue. You seem to think we are designing a security protocol.

I do not.

>> Unless you run a server with connections whose interruption is useful, this is not an attack worth over engineering protection for.  Even for BGP, the primary case of concern, the vulnerability isn’t just from interrupting the connection, but from the incorrect assumption that dropped connections should cause dropped routes. That errant assumption has already been corrected.
> 
> Could you clarify which parts of my proposed text you see to be
> "over-engineering"?

You gave a very long update but didn’t highlight or explain the specific changes. 

Of the text you gave:

  To avoid confusion we must prevent segments from one incarnation of a
  connection from being used while the same sequence numbers may still
  be present in the network from an earlier incarnation.  However, the
  design of the TIME-WAIT state means that actual information about
  previously used sequence numbers will be discarded, and a robust
  system will provide some protection against processing segments from
  a previous incarnation of the connection even when such
  sequence-number state has been discarded or lost (e.g., due to restart).
  The procedure for selecting an initial sequence number (ISN) for an
  instance of a connection needs to be designed so as to minimize the
  likelihood of sequence number reuse for that connection.  This
  procedure also needs to account for the security issues that result
  if an off-path attacker is able to predict or guess ISN values [43],
>> break inserted to show change
  as a special case of the attacks possible by guessing in-window
  sequence number values at any point in a connection's lifecycle.
>> That last sentence is incorrect. Here’s a fix:

  which can enable an off-path attacker to attack a connection
  by predicting in-window sequence numbers shortly after the connection starts,
  if the attacker knows the connection socket pair.

>> knowing the ISN does no good after the window moves on.
>> and knowing the socket pair is also required

  The logical independence of sequence numbers across connections,
  combined with the ease with which an attacker can probe the ISN
  generation algorithm on an individual connection and data
  minimization best practices, implies that ISN generation should
>> add
also
>>
  produce unrelated values for different connections at any given point
  in time.

  Within a given connection, the likelihood of sequence number reuse is
  minimized by ensuring that the full space 
>> majority of the space, not the full space
  of potential ISN values is
  exhausted before reusing any individual ISN value.  In keeping with
  RFC 793, this specification achieves that behavior using a number
  sequence that monotonically increases until it wraps, known loosely
  as a "clock".  This clock is a 32-bit counter that typically
  increments at least once every roughly 4 microseconds, although it is
  neither assumed to be realtime nor precise, and need not persist
  across reboots.  The clock component is intended to ensure that within
  a Maximum Segment Lifetime (MSL), generated ISNs will be unique,
  since it cycles approximately every 4.55 hours, which is much longer
  than the MSL.

  The combined properties of connection independence and clock
  dependence of ISNs can be achieved with only a small amount of
  per-implementation state by combining a global clock with a
  pseudorandom function of the connection identifiers and a secret key;
  the following procedure from [43] SHOULD be used for ISN selection:

  ISN = M + F(secretkey, localip, localport, remoteip, remoteport)

  where M is the 4 microsecond timer, and F() is a pseudorandom
  function (PRF) of the connection's identifying parameters ("localip,
  localport, remoteip, remoteport") and a secret key ("secretkey")
  (SHLD-1).  F() MUST NOT be computable from the outside (MUST-9), or
  an attacker could still guess at sequence numbers from the ISN used
  for some other connection.  The PRF could be implemented as a
  cryptographic hash of the concatenation of the TCP connection
  parameters and some secret data.  For discussion of the selection of
  a specific hash algorithm and management of the secret key data,
  please see Section 3 of [43].

>> the following section goes overboard:
  In cases where the above procedure is not used, the selection of
  initial sequence numbers for a connection still MUST incorporate a
  clock-driven update as described above into its generation of initial
  sequence numbers (MUST-8).
>> The above effectively changes the SHOULD to a MUST.

>> ——

RFC 3552 talks about threat assessment, but does not even mention the probability of an attack. 

For ISNs, this all boils down to the probability that an attacker
	- knows IP addresses 
	- knows port pair
	- but is off-path

An on-path attacker can just read the ISN as it flies by.

Off path attacks aren’t typically aimed at arbitrary endpoints; they are targeted to well-known services, esp. between known pairs. BGP is the typical case, and there are not really a lot of others.

And BGP needs to be protected with TCP-AO or IPsec, IMO.

So all of this is “security theater” that has no impact on most users, except to complicate implementations.

>> A security problem is a combination of a the existence of vulnerability, how easy it is to exploit, how likely it is to occur, and the impact if it does occur. Those four converge in only a very few places, whose operators SHOULD use protection.  But this is not the only protection and we don’t need to complicate TCP everywhere in the name of ‘security’.
> 
> Similarly, could you clarify which parts of my proposal you see as
> "complicat[ing] TCP everywhere"?
> 
>> If we did, why are you not advocating to require true security (TCP-AO) rather than this halfway measure?   I’m guessing cost and complexity vs benefit. The same argument applies to needing clocks though.
> 
> I'm happy to advocate requiring true security, but not as part of a "bis"
> of the core TCP specification at the Internet Standard maturity level.
> Such a revision of the core specification has stringent requirements
> for backwards compatibility that are clearly not met for TCP-AO at the
> present time.  If we come back in a decade, maybe the situation will be
> different, but it's clearly not feasible right now.

I was trying to use hyperbole to prove a point. I am not advocating true security for the core of TCP either.

Joe