IETF Logo Mail Archive

Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG

"Scheffenegger, Richard" <rs@netapp.com> Wed, 20 August 2014 11:24 UTC

Return-Path: <rs@netapp.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9505A1A020A; Wed, 20 Aug 2014 04:24:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.87
X-Spam-Level:
X-Spam-Status: No, score=-4.87 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gASqBcdHO4FI; Wed, 20 Aug 2014 04:24:42 -0700 (PDT)
Received: from mx1.netapp.com (mx1.netapp.com [216.240.18.38]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FC011A0205; Wed, 20 Aug 2014 04:24:42 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.01,901,1400050800"; d="scan'208";a="339715209"
Received: from vmwexceht03-prd.hq.netapp.com ([10.106.76.241]) by mx1-out.netapp.com with ESMTP; 20 Aug 2014 04:24:43 -0700
Received: from HIOEXCMBX05-PRD.hq.netapp.com (10.122.105.38) by vmwexceht03-prd.hq.netapp.com (10.106.76.241) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 20 Aug 2014 04:23:43 -0700
Received: from HIOEXCMBX05-PRD.hq.netapp.com (10.122.105.38) by hioexcmbx05-prd.hq.netapp.com (10.122.105.38) with Microsoft SMTP Server (TLS) id 15.0.913.22; Wed, 20 Aug 2014 04:23:42 -0700
Received: from HIOEXCMBX05-PRD.hq.netapp.com ([fe80::f0a5:80a1:86de:fa66]) by hioexcmbx05-prd.hq.netapp.com ([fe80::f0a5:80a1:86de:fa66%21]) with mapi id 15.00.0913.011; Wed, 20 Aug 2014 04:23:42 -0700
From: "Scheffenegger, Richard" <rs@netapp.com>
To: Christian Grothoff <christian@grothoff.org>, Jacob Appelbaum <jacob@appelbaum.net>
Thread-Topic: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
Thread-Index: Ac+448Fsl9mI8tJfQO6l37mQPpygtgCOd38AABJQWoAADckrIP//pc+AgAEg4ACAABUIgIAADnKAgAAFl4CAAAkYAIAAAS8A//9okZA=
Date: Wed, 20 Aug 2014 11:23:41 +0000
Message-ID: <817214c2e5b444c7a780c1387e91da15@hioexcmbx05-prd.hq.netapp.com>
References: <ecdbe694b6964c159f64b1d3311c8cc6@hioexcmbx02-prd.hq.netapp.com> <CAFggDF2jhQPz0Eez=AU9M-k862wD_=VSyVpXtRAjT4zC6H4tgA@mail.gmail.com> <1408397675.299896.154112109.6F69043F@webmail.messagingengine.com> <8c5f6a1e9f2340e48e25dd151406b7d3@hioexcmbx05-prd.hq.netapp.com> <1408401991.317123.154137701.0A30F30C@webmail.messagingengine.com> <CAPh34meB=EtgNu=_eBS6ekB20fRccAqXFWydkCWG+6VKSa98rg@mail.gmail.com> <CAFggDF39L+kLQLmiWJR3q6suPOtYmKJiJUqp0kBv7GjUtNVOjA@mail.gmail.com> <CAPh34mdPtKvVJ2FfshPFwrwRDOw9CxxHT4ZTFYZZEVSoKOEq0A@mail.gmail.com> <53F3970D.5080906@grothoff.org> <CAPh34mf2rnNuM=YZ1uin1_PtkB8buOskMtf3NAJMOwdFeMe9MQ@mail.gmail.com> <53F39FAC.9070500@grothoff.org>
In-Reply-To: <53F39FAC.9070500@grothoff.org>
Accept-Language: de-AT, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.120.60.34]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/t_Q_CWHbSQMOQkn_qB9nrBwbQKA
Cc: "tcpm (tcpm@ietf.org)" <tcpm@ietf.org>, "tcpinc@ietf.org" <tcpinc@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Aug 2014 11:24:44 -0000

Jacob, Christian,

To add some constructive discussion points:


As the editor of RFC7323 (soon to be released), which is the update to 1323, and the discussion I looked at over at http://thread.gmane.org/gmane.linux.network/294386 and of course here, I was wondering if you might have it backwards...


I have not seen a convincing enough argument, that running a fixed ISN for a 4-tuple is really safe. (And yes, re-use of a 4-tuple should be rare, but it can happen).

Also, you want to add some additional "randomness" by adding the TSval into the hash, if available.

However, TSval is not random, it's in most implementations a pretty accurate uptime indicator (that this in itself is a bad idea, is known for a long time. That it would make sense to randomize the TSval in the same way as the ISN is now much more prominently stated in RFC7323).


So, I could not help myself from wondering, if you haven't got your fields backwards....

If you want undetectable knocking, which authenticates a particular user, why not transport that hash as TSval (or optionally, the unused/empty TSecr; however, that would be detectable to someone with a sniffer, as early Win95 is not really that common any more). That would leave TCP ISN alone  - and as a true core component, arguing for a modification there has to come with very good arguments. Also, it would serve to randomize the TSval - as ISN is supposed to be choosen randomly - thus help close another indirect exploit vector.

And as you already stated that connections across Meddleboxes (those that tweak around with ISN or TSval) are out of scope and may fail, you don't really reduce the population of sessions that could benefit from this.


Finally, as TSopt is optional, modifications there have a much lower bar for acceptance, compared to a modification like the ISN; a server implementing the scheme would still be free to silently discard TCP SYNs without TSOpt, or the wrong TSval / TSecr... (As you could instruct your firewall to block empty, non-related RSTs). 

Finally, the combination of TSval/TSecr would yield 64 bits, btw. But only on the SYN...





Richard Scheffenegger



> -----Original Message-----
> From: Christian Grothoff [mailto:christian@grothoff.org]
> Sent: Dienstag, 19. August 2014 21:04
> To: Hagen Paul Pfeifer
> Cc: Jacob Appelbaum; alfiej@fastmail.fm; Scheffenegger, Richard;
> tcpinc@ietf.org; tcpm (tcpm@ietf.org); Joe Touch
> Subject: Re: [tcpm] [tcpinc] TCP Stealth - possible interest to the WG
> 
> On 08/19/2014 08:59 PM, Hagen Paul Pfeifer wrote:
> > On 19 August 2014 20:27, Christian Grothoff <christian@grothoff.org>
> wrote:
> >
> >> You clearly also deliberately missunderstand the difference between
> >> design / specification / mechanism, and the reality of an
> implementation.
> >
> > No, I don't. But you are right, we should talk about implementation
> issues.
> >
> >> Prove is a strong word.  Now, I would not mind if the standard included
> >> some strong wording on using a random TSval in combination with TCP
> >> Stealth by default.  But, as was pointed out, due to some NATs messing
> >> with TSvals, we decided to keep it optional, as opposed to mandatory.
> >> But I think that is a point I would be open to discuss, as it is really
> >> a trade-off.
> >
> > TSvals *are* optional, you propose TCP stealth should depend on an
> > "optional option"?
> 
> What I said is that if possible, clients should use TCP stealth in
> combination with this optional option. As it is an option, we did not
> make it mandatory, but I think it is totally acceptable to recommend
> using the option.
> 
> > I clearly see problems here because they can be
> > filtered, disabled or simple the limited option space is exhausted by
> > other options.
> 
> We do have a measurement study on this in Julian's master's thesis. Yes,
> it does happen, but it is uncommon.
> 
> > What about PAWS? What about ISN duplicates and how are
> > these handled (and differentiated)?
> 
> We discuss TCP SYN retransmissions in the draft.

v2.23.0 | Report a Bug | By Email