Re: [tcpm] [Technical Errata Reported] RFC5961 (4772)

Joe Touch <touch@isi.edu> Thu, 11 August 2016 19:41 UTC

To: Loganaden Velvindron <loganaden@gmail.com>
References: <20160810183654.05358B80C3A@rfc-editor.org> <CAOp4FwTogyBXLYdjHrrnM3-Uz2wpSX31eZg+GJwUP5LBnqu=sQ@mail.gmail.com> <7ac89d58-fc3a-9e12-9d22-0602944f8677@isi.edu>
From: Joe Touch <touch@isi.edu>
Message-ID: <e8d9584f-a069-ec4f-d6f1-f8e199fdb071@isi.edu>
Date: Thu, 11 Aug 2016 12:40:47 -0700
In-Reply-To: <7ac89d58-fc3a-9e12-9d22-0602944f8677@isi.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/nSdJbewUxer4GLfKJic924XXryE>
Cc: tcpm@ietf.org
Subject: Re: [tcpm] [Technical Errata Reported] RFC5961 (4772)

FWIW, I don't really see the need for this new doc at all.

Everything in 5961 is within the context of a single connection. The
misreading of this doc doesn't warrant updating, clarifying, etc.

The behavior of Linux should be treated simply as the bug that it is and
corrected, but there's no reason to pollute the RFC stream or increase
the complexity of TCP requirements on the basis of a bug.

Joe


On 8/11/2016 12:36 PM, Joe Touch wrote:
> FWIW, I see nothing in RFC5961 that implies that ACK throttling - or
> anything in the doc - should be across connections.
>
> This new doc can claim to clarify Sec 7 of that RFC, but I see no reason
> to deprecate it.
>
> Joe
>
>
> On 8/11/2016 9:27 AM, Loganaden Velvindron wrote:
>> I submitted this draft yesterday:
>>
>> https://tools.ietf.org/html/draft-lvelvindron-ack-throttling-02
>>
>> It's a work-in-progress, but I welcome feedback.
>>
>>
>> On Wed, Aug 10, 2016 at 10:36 PM, RFC Errata System
>> <rfc-editor@rfc-editor.org> wrote:
>>> The following errata report has been submitted for RFC5961,
>>> "Improving TCP's Robustness to Blind In-Window Attacks".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> http://www.rfc-editor.org/errata_search.php?rfc=5961&eid=4772
>>>
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Stéphane Bortzmeyer <bortzmeyer+ietf@nic.fr>
>>>
>>> Section: 7
>>>
>>> Original Text
>>> -------------
>>> [The entire section]
>>>
>>> Corrected Text
>>> --------------
>>> No suggested text because it requires a much more serious analysis.
>>> Maybe adding that the rate-limit counter SHOULD be per-connection,
>>> in the spirit of RFC 6528?
>>>
>>> Notes
>>> -----
>>> It appears the section does not specify that the counter for ACK throttling SHOULD be per-connection. In Linux, it is apparently global, which allowed its use as a side channel enabling nasty attacks (CVE-2016-5696 and the paper "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous" <http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf>)
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party (IESG)
>>> can log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC5961 (draft-ietf-tcpm-tcpsecure-13)
>>> --------------------------------------
>>> Title               : Improving TCP's Robustness to Blind In-Window Attacks
>>> Publication Date    : August 2010
>>> Author(s)           : A. Ramaiah, R. Stewart, M. Dalal
>>> Category            : PROPOSED STANDARD
>>> Source              : TCP Maintenance and Minor Extensions
>>> Area                : Transport
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>>
>>>
>>> _______________________________________________
>>> tcpm mailing list
>>> tcpm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tcpm
>>>
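The property the erratum is about, as an added example that is not part of the thread and not the Linux kernel's or any other real TCP stack's code: a small model of the RFC 5961 Section 7 challenge-ACK limiter, with the counter either shared by every connection or kept per connection. The class name `ChallengeAckLimiter`, the helper names, the connection labels "A" and "B" and the limit of 10 per second are all assumptions made for the model. With a shared counter, how many challenge ACKs connection B gets back in a given second depends on what connection A did in that second, which is exactly the cross-connection observable the erratum warns about; a per-connection counter makes B's behaviour independent of A.

```python
"""
Toy model of RFC 5961 Section 7 ACK throttling (added example, not real
kernel code). The point demonstrated is the one in errata 4772: a rate-limit
counter shared across connections lets one connection's activity change what
another connection can observe; a per-connection counter does not.
"""
from collections import defaultdict

# Constructed value for the model; the exact limit does not matter for the
# property shown here.
ACK_LIMIT_PER_SECOND = 10


class ChallengeAckLimiter:
    """Decides whether a challenge ACK may be sent on a connection.

    per_connection=False models one counter for the whole host (the
    behaviour the erratum describes as a side channel);
    per_connection=True models the suggested fix.
    """

    def __init__(self, per_connection: bool, limit: int = ACK_LIMIT_PER_SECOND):
        self.per_connection = per_connection
        self.limit = limit
        self._count = defaultdict(int)  # bucket key -> challenge ACKs sent this second
        self._window = None             # integer second currently being counted

    def _key(self, conn_id: str) -> str:
        # A global counter collapses every connection onto a single bucket.
        return conn_id if self.per_connection else "GLOBAL"

    def allow(self, conn_id: str, now: float) -> bool:
        """Return True if a challenge ACK may be sent on conn_id at time now."""
        window = int(now)
        if window != self._window:      # new one-second window: reset all buckets
            self._count.clear()
            self._window = window
        key = self._key(conn_id)
        if self._count[key] >= self.limit:
            return False                # budget for this bucket is exhausted
        self._count[key] += 1
        return True


def challenge_acks_seen(per_connection: bool, probes_on_a: int, probes_on_b: int,
                        now: float = 0.0):
    """Feed `probes_on_a` segments that would trigger a challenge ACK on
    connection A, then `probes_on_b` on connection B, all inside the same
    one-second window, and return how many challenge ACKs each connection
    actually receives."""
    limiter = ChallengeAckLimiter(per_connection)
    acks_a = sum(limiter.allow("A", now) for _ in range(probes_on_a))
    acks_b = sum(limiter.allow("B", now) for _ in range(probes_on_b))
    return acks_a, acks_b


def leaks_across_connections(per_connection: bool, probes_on_b: int = 5) -> bool:
    """The defender's check: does the number of challenge ACKs connection B
    receives change with how busy connection A was in the same second?
    True means a cross-connection observable exists."""
    _, b_when_a_quiet = challenge_acks_seen(per_connection, 0, probes_on_b)
    _, b_when_a_busy = challenge_acks_seen(per_connection, ACK_LIMIT_PER_SECOND, probes_on_b)
    return b_when_a_quiet != b_when_a_busy


if __name__ == "__main__":
    for mode, label in ((False, "global counter"), (True, "per-connection counter")):
        print(f"{label}: A busy -> B sees {challenge_acks_seen(mode, 10, 5)[1]} challenge ACKs; "
              f"leaks across connections: {leaks_across_connections(mode)}")
```

Running the block prints that with the global counter a busy connection A starves connection B of challenge ACKs entirely, while with the per-connection counter B's count is unchanged. The model deliberately stops at that observation; it is the condition a reviewer would test for in an implementation, not a reproduction of the attack in the cited paper.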