Re: [tcpm] TCP Fast Open and dynamic IP-address assignments
Hendrik Brummermann <nhb_web@nexgo.de> Sun, 14 April 2013 22:53 UTC
Return-Path: <nhb_web@nexgo.de>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F28B21F8CEC for <tcpm@ietfa.amsl.com>; Sun, 14 Apr 2013 15:53:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.444
X-Spam-Level:
X-Spam-Status: No, score=-2.444 tagged_above=-999 required=5 tests=[AWL=0.155, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2jxg3JCNtBUd for <tcpm@ietfa.amsl.com>; Sun, 14 Apr 2013 15:53:11 -0700 (PDT)
Received: from mail-in-08.arcor-online.net (mail-in-08.arcor-online.net [151.189.21.48]) by ietfa.amsl.com (Postfix) with ESMTP id 75BE021F8CA1 for <tcpm@ietf.org>; Sun, 14 Apr 2013 15:53:10 -0700 (PDT)
Received: from mail-in-14-z2.arcor-online.net (mail-in-14-z2.arcor-online.net [151.189.8.31]) by mx.arcor.de (Postfix) with ESMTP id 999DC15C376 for <tcpm@ietf.org>; Mon, 15 Apr 2013 00:53:09 +0200 (CEST)
Received: from mail-in-13.arcor-online.net (mail-in-13.arcor-online.net [151.189.21.53]) by mail-in-14-z2.arcor-online.net (Postfix) with ESMTP id 91CE418461 for <tcpm@ietf.org>; Mon, 15 Apr 2013 00:53:09 +0200 (CEST)
X-Greylist: Passed host: 82.83.193.9
X-DKIM: Sendmail DKIM Filter v2.8.2 mail-in-13.arcor-online.net 7C86A21236B
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nexgo.de; s=mail-in; t=1365979989; bh=O0rJ6bR6+PSy04HMEhF0ip64R4cplntoGpUvCdxcc14=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=nVcPjVMvxthLH+hHUFOcWjiw2AXZNjkqj5sFS5wSKJ+DSE6RNha/NnpeCRpXaFrus ej3RnG+1i5j8XBwxR935D7MFsBqMjwdJ9V7cdHTak0SKrb6RJsDSJLnCRXHYey8xvb TscVwcfKnXXRwL+9/o6WJwdHgc/rN+zBlxany5lc=
Received: from [192.168.25.241] (dslc-082-083-193-009.pools.arcor-ip.net [82.83.193.9]) (Authenticated sender: nhb@arcor.de) by mail-in-13.arcor-online.net (Postfix) with ESMTPSA id 7C86A21236B for <tcpm@ietf.org>; Mon, 15 Apr 2013 00:53:09 +0200 (CEST)
Message-ID: <516B3356.1050306@nexgo.de>
Date: Mon, 15 Apr 2013 00:53:10 +0200
From: Hendrik Brummermann <nhb_web@nexgo.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: "tcpm@ietf.org Extensions" <tcpm@ietf.org>
References: <51695516.50505@nexgo.de> <CAK6E8=dmm37VThD0t5dm12U6ME9nFbj8P2Y=tE_T+ATyYGjg6g@mail.gmail.com>
In-Reply-To: <CAK6E8=dmm37VThD0t5dm12U6ME9nFbj8P2Y=tE_T+ATyYGjg6g@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [tcpm] TCP Fast Open and dynamic IP-address assignments
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Apr 2013 22:53:12 -0000
Am 13.04.2013 22:24, schrieb Yuchung Cheng: > On Sat, Apr 13, 2013 at 5:52 AM, Hendrik Brummermann <nhb_web@nexgo.de>wrote: >> The section on security consideration mentions carrier grade NAT as a >> potential issue. A similar issues exists in the context of dynamic >> IP-address assignments: >> An adversary may request a TFO cookie and disconnect from the Internet. >> A new user will get the same IP-address. But the adversary can still >> send packets with the TFO cookie, spoofing this ip-address as source. > Are you suggesting the current text > http://tools.ietf.org/html/draft-ietf-tcpm-fastopen-03#section-6 > is not clear on this case? happy to revise if it's not clear. I am sorry, I missed the last paragraph of the introduction section. PPP/PPPoE is used by most boardband providers at least in Germany instead of DHCP. Large ISP here force an IP-change on end-users every 24 hours. >> In addition to the reflection of large answer packets to the current >> user, this makes it likely that the current user is blamed for malicious >> actions caused by the adversary. Log files on the server will show the >> IP-address and the current timestamp. > so is a regular SYN flood. btw the "large answer" packets are limited to > the initial TCP congestion window In case of a syn flood it is widely assumed that the source address is forged. But in case of webserver logs, it is reasonable likely that the source address and timestamp will lead to the real origin of the connection. It may either be the attacker themselves or a relay which might be used with or without permission. (Yes, a TCP three way handshake can be faked in some circumstances, but this is reasonable unlikely). It may be a good idea to document the risks of TFO in the context of blaming innocent clients more clearly. It basically means that each log entry timestamp gets blurred into a timeframe which goes back into the past for the validation duration of the TFO cookie. >> While the NAT gateway may prevent TCP Fast Open by filtering the flags, >> there seems to be no way an Internet user can protect himself against >> the previous user of his ip-address. > yes if the ISP allows any user to send IP packet with (previously owned) > spoofed IP packet. The packets may be sent using another ISP.
- [tcpm] TCP Fast Open and dynamic IP-address assig… Hendrik Brummermann
- Re: [tcpm] TCP Fast Open and dynamic IP-address a… Yuchung Cheng
- Re: [tcpm] TCP Fast Open and dynamic IP-address a… Hendrik Brummermann
- Re: [tcpm] TCP Fast Open and dynamic IP-address a… Yuchung Cheng