Re: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt

"Smith, Donald" <Donald.Smith@qwest.com> Tue, 18 May 2010 19:19 UTC

Return-Path: <Donald.Smith@qwest.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1607E3A68E8; Tue, 18 May 2010 12:19:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.256
X-Spam-Level:
X-Spam-Status: No, score=-0.256 tagged_above=-999 required=5 tests=[AWL=-0.857, BAYES_50=0.001, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HlOTW2Dq6VQK; Tue, 18 May 2010 12:19:03 -0700 (PDT)
Received: from suomp64i.qwest.com (suomp64i.qwest.com [155.70.16.237]) by core3.amsl.com (Postfix) with ESMTP id E698F3A6AC0; Tue, 18 May 2010 12:18:17 -0700 (PDT)
Received: from suomp60i.qintra.com (suomp60i.qintra.com [151.117.69.27]) by suomp64i.qwest.com (8.14.4/8.14.4) with ESMTP id o4IJI9Ri016278 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 18 May 2010 14:18:09 -0500 (CDT)
Received: from qtdenexhtm21.AD.QINTRA.COM (localhost [127.0.0.1]) by suomp60i.qintra.com (8.14.4/8.14.4) with ESMTP id o4IJI38t017976; Tue, 18 May 2010 14:18:03 -0500 (CDT)
Received: from qtdenexmbm24.AD.QINTRA.COM ([151.119.91.226]) by qtdenexhtm21.AD.QINTRA.COM ([151.119.91.230]) with mapi; Tue, 18 May 2010 13:18:02 -0600
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: "'tcpm@ietf.org WG'" <tcpm@ietf.org>, "'The IESG'" <iesg@ietf.org>
Date: Tue, 18 May 2010 13:18:00 -0600
Thread-Topic: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
Thread-Index: Acq5q9zzpcVWcYT4S5OmJS6FWMliJg9DCCyg
Message-ID: <B01905DA0C7CDC478F42870679DF0F1007C8D4C7F2@qtdenexmbm24.AD.QINTRA.COM>
References: <201003012159.WAA15069@TR-Sys.de> <C80820C2-D74A-49B4-AF22-CE16C46A9A7D@nokia.com> <4B8C70C0.8090708@gont.com.ar>
In-Reply-To: <4B8C70C0.8090708@gont.com.ar>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2010 19:19:04 -0000

First throughout this draft the authors refer to sequence number checking where they really mean acknowledgement number checking:( You can't quite do :g/sequence number/s//acknowledgement number/g as in a few places it is the senders sequence number they are discussing.
The authors also use "the exact expected sequence number" a lot.
I think they mean: last sent sequence number + the data length sent

This looks a LOT like gonts draft but may be an attempt to address just one issue identified here.

http://tools.ietf.org/html/draft-gont-tcp-security-00#section-3.4


This is slightly incorrect. In window would include an exact match for rcv.net+rcv.wnd
so the right side should be =<.
The wording for how to do the challenge ack is a bit difficult to follow too.



   3) If the RST bit is set and the sequence number does not exactly
      match the next expected sequence value, yet is within the current
      receive window (RCV.NXT < SEG.SEQ < RCV.NXT+RCV.WND), TCP MUST
      send an acknowledgment (challenge ACK):

      <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>

Ramaiah, et al.         Expires November 4, 2010                [Page 9]
Internet-Draft                TCP Security                      May 2010

      After sending the challenge ACK, TCP MUST drop the unacceptable
      segment and stop processing the incoming packet further.  Further
      segments destined to this connection will be processed as normal.






   3) If the RST bit is set and the sequence number does not exactly
      match the next expected sequence value, yet is within the current
      receive window (RCV.NXT < SEG.SEQ =< RCV.NXT+RCV.WND), TCP MUST
      send an acknowledgment (challenge ACK):

      <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>







Ramaiah, et al.         Expires November 4, 2010                [Page 9]

Internet-Draft                TCP Security                      May 2010


      After sending the challenge ACK, TCP MUST silently drop the in window
      but not exact match segment and stop processing it.  Additional
      segments destined to this connection MUST be processed as normal.

That last line is really extraneous. You don't say what happens to the packets before this event I am not sure you have to say handle the next packet per normal behavior;)
The authors need to explain exactly what that challenge ACK looks like.
I think it is the same 4 tuple, ack = last sent ack, seq = last sent seq (no data).




Still on page 9.
In all states except SYN-SENT, all reset (RST) segments are validated
   by checking their SEQ-fields [sequence numbers].  A reset is valid if
   its sequence number exactly matches the next expected sequence
   number.  If the RST arrives and its sequence number field does NOT
   match the next expected sequence number but is within the window,
   then the receiver should generate an ACK.  In all other cases where
   the SEQ-field does not match and is outside the window, the receiver
   MUST silently discard the segment.


Should be:
In all states except SYN-SENT, all reset (RST) segments are validated
   by checking their ACK-fields [acknowledgement numbers].  A reset is valid if
   its acknowledgement number exactly matches the last sent sequence number + the data length sent.
   If the RST arrives and its acknowledgement number field does NOT
   match the last sent sequence number + the data length sent but is within the window,
   then the receiver SHOULD (or MUST?) generate an ACK.  In all other cases where
   the ACK-field does not match and is outside the window, the receiver
   MUST silently discard the segment.



(coffee != sleep) & (!coffee == sleep)
Donald.Smith@qwest.com gcia


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.