Re: [tcpm] Security issues of AccECN (was: RE: AccECN field order)
Bob Briscoe <ietf@bobbriscoe.net> Wed, 18 November 2020 18:39 UTC
Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EEA43A067A; Wed, 18 Nov 2020 10:39:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yN6pv-l4qfxg; Wed, 18 Nov 2020 10:39:41 -0800 (PST)
Received: from cl3.bcs-hosting.net (cl3.bcs-hosting.net [3.11.37.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D289E3A03FA; Wed, 18 Nov 2020 10:39:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:From:References:Cc:To:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=VmCRyIW3YSPjvtjqIb8UoZPVF7Xh3gxuAhnf1R1JNhk=; b=RmrGzajJ4HGRsKrm/zlqwxM/j L5/GNeAdzrGd7j8Asq5otFHlZNdn/M/r+l6CVCU7xadYqDZT+E1QV1QuEy5HLmgzJJjOEI9Id3ThU ggbrKJ8WmHNUGf3zMTW1kTsUw/xIlpggR6Md1/qoFiPS83F2xzWXHXALtrJySiIo8E77pAJo6PE9h VYR6rGng/u6YHryeQ+kxoyyEcPztrITYvLQmYCWb5xQirDqFjSO4Ak71f8IPM9CYIhnFdtXNUo1ht y77cb8oVtmD9Xz8gSj7YSzGsGLiWDugizER+ggLIta4XwxfA5WY0a3TZOeC/7N+G+9zjtWIGEPU/o jUj+yOQgA==;
Received: from 67.153.238.178.in-addr.arpa ([178.238.153.67]:52528 helo=[192.168.1.11]) by cl3.bcs-hosting.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <ietf@bobbriscoe.net>) id 1kfSMi-005J6c-P1; Wed, 18 Nov 2020 18:39:38 +0000
To: "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>, Yoshifumi Nishida <nsd.ietf@gmail.com>
Cc: Michael Tuexen <tuexen@fh-muenster.de>, "tcpm-chairs@ietf.org" <tcpm-chairs@ietf.org>, Mirja Kuehlewind <ietf@kuehlewind.net>, "Scheffenegger, Richard" <Richard.Scheffenegger@netapp.com>, tcpm IETF list <tcpm@ietf.org>
References: <20ac3652d55d4bc19c9c37714c59c95c@hs-esslingen.de>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <ee61d0c1-03ec-6643-d613-248a2fc66b14@bobbriscoe.net>
Date: Wed, 18 Nov 2020 18:38:52 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <20ac3652d55d4bc19c9c37714c59c95c@hs-esslingen.de>
Content-Type: multipart/alternative; boundary="------------781524B6DA23B9AD26587F5D"
Content-Language: en-GB
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cl3.bcs-hosting.net
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: cl3.bcs-hosting.net: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: cl3.bcs-hosting.net: in@bobbriscoe.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/u4oUjeTbh0N6siRl_8craE6N9zw>
Subject: Re: [tcpm] Security issues of AccECN (was: RE: AccECN field order)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 18:39:44 -0000
Michael, On 18/11/2020 05:36, Scharf, Michael wrote: > > Only on remark [ms2] regarding the issue of a covert channel due to > „forward compatibility“… > > From a security perspective, it is not clear to me whether > allowing arbitrary unspecified bytes in a TCP option is a good > idea **at all**. It will be interesting to hear the opinion > from SEC area on that. Personally, I am not convinced that > this really makes sense, but I my concerns are not strong > enough to formally push back. I’ll leave it to others to think > about whether this is a bug or a feature. > > > [BB] Well, let's first try to deal with security ourselves: > * Octets that are explicitly declared as part of an option cannot > be used for a buffer overflow attack. I don't really need to, but > I could add the following text to the forward compatibility wording: > A receiver considers octets beyond those it uses, but within > the specified length, as if they are padding. > * And such octets cannot be any different from the current ability > of a sender to add padding. So there's no new attack possible here. > * And there's no need to specify a max length for any AccECN > Option, which would just unnecessarily limit flexibility. > > [ms] I have more thought about the covert channel that some > unspecified bytes in a standards track TCP option could offer… In > particular if the AccECN option gets widely deployed and used, > would some malicious users find those bytes useful? For what? For > instance, what in the AccECN protocol design prevents use of these > “padding” bytes as super-cookie? To me, it is much more important > to think about abuse of whatever we standardize **now**, instead > of engineering for some entirely unknown future. I am not a > security expert, but I suggest a careful analysis of any security > implications of the AccECN option. We seldomly specify new TCP > options and malicious users will certainly look for > “opportunities” in the spec. So far, I don’t know whether that > whole idea of forward compatibility is a feature or a bug. > > > [BB] If that were a problem, it could already be done, because (by my > reading of RFC793) it is valid to set the data offset to stretch out > the padding to any length within the max option space limits. > > [ms2] I don’t understand. RFC 793 mandates that padding is composed of > zeros, i.e., a firewall or IDS could detect a non-zero covert channel > in the padding (and even remove the padding). Also, there are IMHO no > reasonable engineering reasons for making the padding longer than > needed, i.e. such a covert channel could be detected as anomality. As > far as I understand RFC 793, a middlebox could also safely remove the > additional padding w/o impacting a standard-compliant TCP connection. > > [ms2] Allowing arbitrary bytes in a TCP option is IMHO a very > different story, in particular if you allow the values to have > non-zero values and forbid middleboxes to check or remove parts of the > option that are not standardized by the IETF. If I correctly > understand draft -13, an attacker could transmit 29 bytes payload at > the end of the AccECN option, in any TCP connection, for any purpose. > > [ms2] I think the „forward compatibility“ (e.g., Section 3.3.2 in the > I-D) needs a very careful security analysis. As far as I understand, > this whole idea of „forward compatibility“ is not needed for using the > **currently** standardized AccECN options. IMHO you could just remove > that „forward compatibility“ idea w/o impacting the rest of the AccECN > protocol as currently specified (including the current format of the > two options). If the idea of „forward compatibility“ stays in the > document, IMHO the security section needs a dedicated discussion > regarding potential misuse as covert channel. This could either be a > security or privacy issue, depending on who puts what additional bytes > into the option and claims that these bytes to be AccECNv2. > [BB] Fair enough. I will happily mention in Security Considerations that this forward compatibility provision creates a covert channel of up to 29B, but I don't think we need to panic about it. I suspect SEC area review will think about it for a moment, then let it through. There are all sorts of covert channels in TCP/IP headers, not least the packet ID field, or a TFO cookie. If they want it changed, we can either limit the additional length that we allow for forward compatibility or shut it down completely, depending on what we agree. It is definitely worth noting this, and useful that you've noticed it at this stage, but I think even the SEC area will consider that future extensibility is more valuable than shutting off a covert channel. Bob > Michael > -- ________________________________________________________________ Bob Briscoe http://bobbriscoe.net/
- [tcpm] Security issues of AccECN (was: RE: AccECN… Scharf, Michael
- Re: [tcpm] Security issues of AccECN (was: RE: Ac… Bob Briscoe