Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
Daniel Borkmann <dborkman@redhat.com> Wed, 20 August 2014 15:44 UTC
Return-Path: <dborkman@redhat.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B39A61A070A; Wed, 20 Aug 2014 08:44:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.57
X-Spam-Level:
X-Spam-Status: No, score=-7.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRNoLGPQTa8E; Wed, 20 Aug 2014 08:44:57 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16B861A06FE; Wed, 20 Aug 2014 08:44:57 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s7KFifAd018945 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 20 Aug 2014 11:44:41 -0400
Received: from [10.36.4.100] (vpn1-4-100.ams2.redhat.com [10.36.4.100]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s7KFibSE009864 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 20 Aug 2014 11:44:39 -0400
Message-ID: <53F4C265.4000402@redhat.com>
Date: Wed, 20 Aug 2014 17:44:37 +0200
From: Daniel Borkmann <dborkman@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Jacob Appelbaum <jacob@appelbaum.net>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com> <1408401991.317123.154137701.0A30F30C@webmail.messagingengine.com> <CAPh34meB=EtgNu=_eBS6ekB20fRccAqXFWydkCWG+6VKSa98rg@mail.gmail.com> <CAFggDF39L+kLQLmiWJR3q6suPOtYmKJiJUqp0kBv7GjUtNVOjA@mail.gmail.com> <20140819212351.GB11767@breakpoint.cc> <CAFggDF30285E3eYfUOR-2hwNkdFf7Jh_Q5d8A38MtOT4K_9gsA@mail.gmail.com>
In-Reply-To: <CAFggDF30285E3eYfUOR-2hwNkdFf7Jh_Q5d8A38MtOT4K_9gsA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/r6pnnn42mtuQcTJVsghsNV1r0eA
Cc: Christian Grothoff <christian@grothoff.org>, "tcpinc@ietf.org" <tcpinc@ietf.org>, "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Aug 2014 15:44:59 -0000
On 08/20/2014 03:43 PM, Jacob Appelbaum wrote: > On 8/19/14, Florian Westphal <fw@strlen.de> wrote: [...] >> - Your adversary may be able to do full passive monitoring of >> all network traffic (also compare "replay" above), so whats the purpose >> of "avoiding" active scans? > > Exactly the purpose - we wish to avoid active scans. The GCHQ/NSA/CSEC > do active scans when their full passive monitoring isn't enough. This > hampers that angle of information gathering. It also ensures that even [...] Ok, but for the majority of use cases, lets presume that you'd pass one of these secretly hidden taps located at some cooperative IX. Assuming the worst case that some passive adversary has access to enough taps distributed at convenient locations, did a previous active port scan and knows that from your machine port 22 is closed. Later, it observes a two-way flow to port 22 to that machine and the existence of the service is of course nevertheless revealed. You might be able then to 'mitigate' actual access to the service a bit, but then again 32 bit is perhaps a limited sense of 'security'. It would also be required that machines running more than one service have /all/ services somewhat protected by TCP stealth, otherwise an attacker moves on with the next service as an attack vector. Again, if also services over other transport protocols are used on the machines (that cannot make use of TCP stealth), an attacker might first probe for these as an easier target to get in. Key propagation is certainly an issue I assume; you might also want to consider to rotate them etc; large public sites most likely cannot make use of TCP stealth, and the larger a group becomes, the more weak points might arise (including humans) to disclose the shared secret somehow. Then again, it might also not be worth it for pubkeys as it would significantly increase computational complexity on the server side and we're only talking about 32 bit ... /offtopic here, but wouldn't it then be better to work towards full encryption like CurveCP et al is trying to solve ...
- [tcpm] TCP Stealth - possible interest to the WG Scheffenegger, Richard
- Re: [tcpm] TCP Stealth - possible interest to the… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] TCP Stealth - possible interest to the… Ted Faber
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Florian Westphal
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Yoshifumi Nishida
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Scheffenegger, Richard
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Hagen Paul Pfeifer
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Daniel Borkmann
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Jacob Appelbaum
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Alfie John
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Joe Touch
- Re: [tcpm] [tcpinc] TCP Stealth - possible intere… Christian Grothoff