Re: [tcpm] TCP Fast Open and dynamic IP-address assignments
Yuchung Cheng <ycheng@google.com> Tue, 16 April 2013 18:21 UTC
Return-Path: <ycheng@google.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 232DC21F96F0 for <tcpm@ietfa.amsl.com>; Tue, 16 Apr 2013 11:21:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.978
X-Spam-Level:
X-Spam-Status: No, score=-101.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KPkryhpxVc4E for <tcpm@ietfa.amsl.com>; Tue, 16 Apr 2013 11:21:18 -0700 (PDT)
Received: from mail-la0-x232.google.com (mail-la0-x232.google.com [IPv6:2a00:1450:4010:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id 33A3221F9711 for <tcpm@ietf.org>; Tue, 16 Apr 2013 11:21:13 -0700 (PDT)
Received: by mail-la0-f50.google.com with SMTP id el20so735160lab.37 for <tcpm@ietf.org>; Tue, 16 Apr 2013 11:21:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=8DnSsg9PKH5rW90F4+P+DF5z9hSGcMvj3bq0fPlZcJM=; b=ZT0/Rm+3cykT27iuX2gcIUa0BIOwcOamiX95t7PfhE8vh89USPlsENhQV7gBk0z2Gz 1om6tbsST29AkybAW7EDUlGa7ahkKtZHCxoQ2VYVnxpTD8Oy07WCMrusD+2tTWZL9jbR nSbbrJHZfDd0+TztOhRUVYwIcMfb8l7UJnu8j84GHl0XOnKnWF3+2wl84XhObeOetPbz COmLMGEK0kCx7GAarZ3DANL1pdkZV/58PkIE2BQVFaJyjq+OtXUDwAr+ONe+ttvz04Ht S8BUwIrz00A8ASBcEqS1cCQ9mG++zSJu4pzKqcgCF2lMCQu2AGzXuYAnGPRlMJLVzggg 08tg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=8DnSsg9PKH5rW90F4+P+DF5z9hSGcMvj3bq0fPlZcJM=; b=f7uLnUgZDbv+FcDLMlMJvPo2BYgQTfkLKzQe++TMuCCJRT9Tz2XU8RtHHi/gdqvJ5r ze1mQYrNfaytTCjknVK7PdRJXgGtXV/9eK8Ug/72pm7KJM1uVLOs+1CcIuz2ARY19HGu cI2eXPN+If5ZUMMYT07TQweHyzuqvq9s12PsDqIN8Qwr8GFGQOAOzkHnDl3cpVUhN0Vo UbO/NnX6KOH41lavRsF5hKGMiJGJPP3ZF3bdwUusG3BG7vbLXt84nPRU/15phV15/wpo iHByZdcP7QvMRCCJOsNF2aYH4cg6QcWDrGu4ocHV0LB/FTVZVITBqxvFrRta48qmlZar 2x2g==
X-Received: by 10.112.19.196 with SMTP id h4mr1884828lbe.111.1366136471949; Tue, 16 Apr 2013 11:21:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.112.148.34 with HTTP; Tue, 16 Apr 2013 11:20:51 -0700 (PDT)
In-Reply-To: <516B3356.1050306@nexgo.de>
References: <51695516.50505@nexgo.de> <CAK6E8=dmm37VThD0t5dm12U6ME9nFbj8P2Y=tE_T+ATyYGjg6g@mail.gmail.com> <516B3356.1050306@nexgo.de>
From: Yuchung Cheng <ycheng@google.com>
Date: Tue, 16 Apr 2013 11:20:51 -0700
Message-ID: <CAK6E8=eSpS0KtWJZU0gb7J2CSNudDxawiTn6DPLuVi3oyN=+fA@mail.gmail.com>
To: Hendrik Brummermann <nhb_web@nexgo.de>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQnbnZC7QRx/EGxtDxnTJYvqx8JE220g2R6KS7UVMPUpRm0EAA8307NiUt2ZIlBlu1gbqtogE0GcEuR2VLEu1VFDTRNv2lDRU6Y36hvkG2aQGk9FVsXx02yO8bEBPWqhA1SQOVYzgCkpoXgCn+Op9tNGccszl34qSsjbsizu7ksR6SAPePO1Bm0cQfNYDZ/IOt5YVQXS
Cc: "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Subject: Re: [tcpm] TCP Fast Open and dynamic IP-address assignments
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2013 18:21:21 -0000
On Sun, Apr 14, 2013 at 3:53 PM, Hendrik Brummermann <nhb_web@nexgo.de> wrote: > Am 13.04.2013 22:24, schrieb Yuchung Cheng: >> On Sat, Apr 13, 2013 at 5:52 AM, Hendrik Brummermann <nhb_web@nexgo.de>wrote: >>> The section on security consideration mentions carrier grade NAT as a >>> potential issue. A similar issues exists in the context of dynamic >>> IP-address assignments: >>> An adversary may request a TFO cookie and disconnect from the Internet. >>> A new user will get the same IP-address. But the adversary can still >>> send packets with the TFO cookie, spoofing this ip-address as source. >> Are you suggesting the current text >> http://tools.ietf.org/html/draft-ietf-tcpm-fastopen-03#section-6 >> is not clear on this case? happy to revise if it's not clear. > > I am sorry, I missed the last paragraph of the introduction section. > > PPP/PPPoE is used by most boardband providers at least in Germany > instead of DHCP. Large ISP here force an IP-change on end-users every 24 > hours. > > >>> In addition to the reflection of large answer packets to the current >>> user, this makes it likely that the current user is blamed for malicious >>> actions caused by the adversary. Log files on the server will show the >>> IP-address and the current timestamp. >> so is a regular SYN flood. btw the "large answer" packets are limited to >> the initial TCP congestion window > > In case of a syn flood it is widely assumed that the source address is > forged. But in case of webserver logs, it is reasonable likely that the > source address and timestamp will lead to the real origin of the > connection. It may either be the attacker themselves or a relay which > might be used with or without permission. (Yes, a TCP three way > handshake can be faked in some circumstances, but this is reasonable > unlikely). > > It may be a good idea to document the risks of TFO in the context of > blaming innocent clients more clearly. It basically means that each log > entry timestamp gets blurred into a timeframe which goes back into the > past for the validation duration of the TFO cookie. Great point. Will incorporate that in the security section of next revision. Thanks. > > >>> While the NAT gateway may prevent TCP Fast Open by filtering the flags, >>> there seems to be no way an Internet user can protect himself against >>> the previous user of his ip-address. >> yes if the ISP allows any user to send IP packet with (previously owned) >> spoofed IP packet. > > The packets may be sent using another ISP. > > _______________________________________________ > tcpm mailing list > tcpm@ietf.org > https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] TCP Fast Open and dynamic IP-address assig… Hendrik Brummermann
- Re: [tcpm] TCP Fast Open and dynamic IP-address a… Yuchung Cheng
- Re: [tcpm] TCP Fast Open and dynamic IP-address a… Hendrik Brummermann
- Re: [tcpm] TCP Fast Open and dynamic IP-address a… Yuchung Cheng