Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt

Ted Faber <faber@ISI.EDU> Sat, 06 September 2008 02:03 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id D86293A6965; Fri, 5 Sep 2008 19:03:59 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 350153A6965 for <>; Fri, 5 Sep 2008 19:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bi71JIp51l1k for <>; Fri, 5 Sep 2008 19:03:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6D5FE3A68A1 for <>; Fri, 5 Sep 2008 19:03:53 -0700 (PDT)
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id m861cX2s022703 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 5 Sep 2008 18:40:37 -0700 (PDT)
Received: (from faber@localhost) by (8.14.3/8.14.2/Submit) id m861cWhj030581; Fri, 5 Sep 2008 18:38:32 -0700 (PDT) (envelope-from faber)
Date: Fri, 05 Sep 2008 18:38:32 -0700
From: Ted Faber <faber@ISI.EDU>
To: David Borman <>
Message-ID: <>
References: <> <> <>
Mime-Version: 1.0
In-Reply-To: <>
User-Agent: Mutt/
X-ISI-4-43-8-MailScanner: Found to be clean
Cc:,, "Anantha Ramaiah (ananth)" <>,
Subject: Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: multipart/mixed; boundary="===============1440093475=="

On Thu, Aug 21, 2008 at 12:40:43PM -0500, David Borman wrote:
> Wes and I would like to start the WG Last Call for:
>  Title           : Improving TCP's Robustness to Blind In-Window  
> Attacks'
>  Author(s)       : A. Ramaiah, R. Stewart & M. Dalal
>  Filename        : draft-ietf-tcpm-tcpsecure-10.txt
>  Pages           : 27
>  Date            : July 9, 2008
>  Intended Status : Proposed Standard
> It is our understanding that all the feedback has been incorporated  
> into this latest version and that there are no known outstanding  
> issues with this document.
> Please send feedback to the list, even if it is just a "yes, go ahead  
> and publish".
> The WGLC will end on Friday, September 5, 2009.

Overall I think this is a good draft and should advance.  I have
comments, which I'll present in page order:

Probably the most technical comment I have is the objection to the
"There was no sound technical reasoning for choosing the Data mitigation
as MAY", which is on P15.

The 4-tuple is called a socket pair in 793.  Even if you don't want to
adopt that terminology, it's probably worth mentioning.  I also don't
like "RST, SYN or DATA segment."  These are TCP segments with the RST or
SYN flag set and I'd describe them that way.  ONce you've had a chance
to define "RST segment" as a segment with the RST bit set, you can use
the short form.

I'd delete "either" from "This can cause the connection to either abort
or possibly cause data corruption."  I'd consider deleting "possibly" as


"The TCP spoofing attacks, which are seen in the Internet today," - I'd
say "The off-path TCP spoofing attacks".  We're still describing the
problem, so let's be clear.  The next paragraph starts with a
description of the attacks this draft cares about, but until then be

"... making the odds of guessing correctly the 4-tuple..."  I think
"correctly guessing" is more common.  I'd actually suggest "... making
it much easier to guess the 4-tuple."


"One of the important things to note is that, for the attack to succeed
the RST..." -> delete the comma.

"A slight enhancement to the TCP's segment processing" -> delete the


"Every application has control of a number of factors that effect
drastically the probability of a successful spoofing attack."  You mean
"affect" not "effect".  I'd also use "drastically affect" rather than
"affect drastically".  The order of the adverb is a matter of style,
using "affect" changes the meaning of the sentence to the one you

On the figures in the "To successfully inject a spoofed packet..."

1. Use parens, not [].
2. Finish the math.  If you want to say 1/2 * 2^32 = 2^31 rather than
just dropping 2^31 that's fine, but we're going to be comparing these
requirements, so don't hide the results.  "[SITW] shows that the mean
number of tries needed to inject a RST command is (2^31/window) rather
than the 2^31 assumed before."


"...please refer to draft [RFC4953]" -> "please refer to [RFC4953]"
It's not a draft any more.


Why use 1) and 2) and A), B), C)?  Pick one.

"The previous text, quoted from [RFC0793], woould thus become:" -> That
sounds a lot like we're mandating the change rather than it being a
SHOULD.  Do we really need this restatement at all?


" the chances of successfully injecting data into a connection are
1 in (2^32/RCV.WND *2)."  In describing the RST attacks, we spoke in
terms of mean number of tries, and I'd be consistent here.  Similarly
I'd do the math all the way: " ... so the mean number of tries needed to
inject data successfully is  2*2^32/RWND = 2^33/RCV.WND."

This section used a) and b) instead of either A) and B) or 1) and 2)
(used earlier for the same purpose). Again, pick one.


"There was no strong technical reasoning for choosing the Data mitigation
as MAY."
First, everywhere else the you use "DATA", I'd use it here.

Second, if I failed to make the case before, let me make it now.  The
DATA injection is 4 times less likely than either the RST or the SYN
attacks (2^33 vs 2^31) and may be visible to the application as garbled
data.  If the attack is visible an application can gracefully
terminate the connection and re-establish the conversation - unlike the
RST/SYN cases.  As the attack is harder to carry out, and a successful
attack may be easier to recover from, I recommend a MAY.  I don't care
if you repeat that argument, but I do believe that there are sound
technical reasons for the MAY, and I'd like to see the sentence that
started this comment elided.


"Currently there is no known bad behavior that can be attributed to the
lack of ACK throttling, but as a general principle, if ever invoked,
something incorrect is occurring and such a mechanism will act as a
failsafe that protects both the sender and the network." -> "While we
have not encountered a case where the lack of ACK throttling can be
exploited, as a fail-safe mechanism we recommend its use.  An
implementation may take an excessive number of invocations of the
throttling mechanism as an indication that network conditions are
unusual or hostile."


"...the middle box design does not comply to [RFC0793]."   No middlebox
complies with RFC793; I suggest "...the middle box is generating packets
a conformant TCP endpoint would not generate."


"ACK throttling was introduced to this document bt combining the
suggestions from the tcpm working group."  That seems out of place in
"Contributors".  That section is to acknowledge the efforts of


Why are RFC's 4302 and 4303 normative?  And if they are why isn't
RFC2385?  They're all referred to as possible mitigations.  My
preference is making 4302 and 4303 non-normative, but it's very likely
that I'm missing a rule here.

Quotation marks are misplaced on the Medina05 reference.

The NISCC reference lacks a date.


Quotation marks are misplaced on the SITW reference.

Ted Faber           PGP:
Unexpected attachment on this mail? See
tcpm mailing list