IETF Logo Mail Archive

Re: [tcpm] Q&C regarding tcpsecure-09 recommendations

"Anantha Ramaiah (ananth)" <ananth@cisco.com> Tue, 03 June 2008 02:46 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1ABD03A6817; Mon, 2 Jun 2008 19:46:50 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0F913A6817 for <tcpm@core3.amsl.com>; Mon, 2 Jun 2008 19:46:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.399
X-Spam-Level:
X-Spam-Status: No, score=-5.399 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_33=0.6, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R2G6uUPvWBlw for <tcpm@core3.amsl.com>; Mon, 2 Jun 2008 19:46:47 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id AF1383A69CA for <tcpm@ietf.org>; Mon, 2 Jun 2008 19:46:43 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.27,581,1204531200"; d="scan'208";a="107505941"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 02 Jun 2008 19:46:46 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m532kkiI031263; Mon, 2 Jun 2008 19:46:46 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m532kkDh027404; Tue, 3 Jun 2008 02:46:46 GMT
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 2 Jun 2008 19:46:06 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 02 Jun 2008 19:45:15 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC5805449484@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <48432005.2070201@freebsd.org>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] Q&C regarding tcpsecure-09 recommendations
Thread-Index: AcjENxDkBaV5f7Z/RZCyVPUpd3XH9wA4xJxg
References: <48432005.2070201@freebsd.org>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Andre Oppermann <andre@freebsd.org>, tcpm@ietf.org
X-OriginalArrivalTime: 03 Jun 2008 02:46:06.0752 (UTC) FILETIME=[F8B9EA00:01C8C523]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6382; t=1212461206; x=1213325206; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ananth@cisco.com; z=From:=20=22Anantha=20Ramaiah=20(ananth)=22=20<ananth@cisco .com> |Subject:=20RE=3A=20[tcpm]=20Q&C=20regarding=20tcpsecure-09 =20recommendations |Sender:=20; bh=IyeMOrUQazenFOQyHm+fx5pcIz/xaDWPC75g4uKi+Eo=; b=2Wn6PzN5/2tBGR+26oUyDEdP7sfQ2tKkPiahQ17RlFpqFdQKRpw3G27lPj 1sZE27sFe/bxdEZ1QHMwaUHQpJ/WL1Iuix+uRPPkI0na9fki6bs4jjCIqJGn RRXCsRzUEr;
Authentication-Results: sj-dkim-2; header.From=ananth@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Subject: Re: [tcpm] Q&C regarding tcpsecure-09 recommendations
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

Andre,
    Pl see comments inline.  

> -----Original Message-----
> From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> Behalf Of Andre Oppermann
> Sent: Sunday, June 01, 2008 3:18 PM
> To: tcpm@ietf.org
> Subject: [tcpm] Q&C regarding tcpsecure-09 recommendations
> 
> I'm reworking/refactoring/rewriting the FreeBSD TCP input 
> path (in a separate perforce tree at the moment) and in that 
> process I'm evaluating all assumptions and test them against 
> a close reading of all relevant RFCs.

Cool, thanks.

> 
> While reading and applying draft-ietf-tcpm-tcpsecure-09.txt 
> I've come across a couple of inconsistencies and issues that 
> require further clarification:
> 
> Section 3.2 Mitigation of Blind RST
> 
>   [Real world observation]
>   Some implementations send the RST not on rcv_nxt but on rcv_nxt-1 or
>   rcv_nxt+rcv_win.  Thus we accept three small windows of 
> rcv_nxt(+-1),
>   last_ack_sent(+-1) and rcv_nxt+rcv_win(+-1).
> 
>   Of course the challenge ACK should have the same effect at 
> the expense
>   of another round trip.  While these three (two in case of 
> rcv_nxt == last_ack_sent)
>   do increase the chances of a succesful attack (only every 
> third seq# has to
>   be probed plus the average hit rate is increased due to 
> having two/three
>   different places that match) real world behavior and 
> interop should be
>   considered and discussed.

After you sent the challenge ACK, are you saying that implementations
can still respond with the above values ? (rcvnxt -1 ) rcvnxt + rcvwin
(+-1) etc., ? OR are you saying that the seq# of RST with rcvnxt - 1
should be accepted [Some implementations do this to accept the RST of
the keepalive packet]

FWIW, section 8 (middlebox considerations talks about some corner cases)

Also the following table summarises (standard way) way to generate RST
's :

 * Generating a RST packet in response to an incoming packet.
 * According to TCP/IP Illustrated, Vol 2, page 994:
 *
 * +--------------+----------------------------------------------------+
 * |              |                 RST segment generated              |
 * |              +----------------+-----------------+-----------------|
 * | rcvd segment |      seq#      |      ack.field  |       flags     |
 * |===================================================================|
 * | Contains ACK | rcvd ack.field |          0      |      TH_RST     |
 * |--------------|----------------+-----------------+-----------------|
 * | ACK-less     |         0      | rcvd seq# + len | TH_RST | TH_ACK |
 * +--------------|----------------+-----------------+-----------------+
 *
 * The ACK flag should be set in all segments except when an initial SYN
 * is sent. So all RST packet will have 0 for ack number, without the
ACK
 * flag, except when the RST is in response to an SYN packet.
 */

> 
>   
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_inpu
> t.c#rev1.316
>   
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_inpu
> t.c#rev1.259
> 
> 
> Section 4.2 Mitigation of Blind SYN
> 
>   [Possible inconsistency in text]
>   The test in 4.2 eq. 1) is a little different.  In RFC793 it is:
> 
>    RCV.NXT =< SEG.SEQ < RCV.NXT+RCV.WND
> 
>   in tcpsecure it is described as one byte larger beyond the 
> real window:
> 
>    RCV.NXT <= SEG.SEQ <= RCV.NXT+RCV.WND.
> 
>   This seems to be incorrectly transcribed.

Good catch, I'll change it. I thought I had removed it before.

[I think I know the reason why this = got added, this is one of the
corner cases which we have fixed it long back, I'll see if I can
remember that and post it later, in any case I don't want to fix that in
this draft.]

> 
> 
> Section 5.2 Mitigation of Blind data injection attack
> 
>   [Clarification]
>   Data that doesn't satisfy the new check in first paragraph 
> MUST be discarded
>   silently. Before RFC793 used to require an ACK to be sent 
> back. This change
>   is not sufficiently explained and lacks an obvious rationale.

Good question, 793 implicitly tells that the following ACK range is
acceptable :
In other words an ACK value is acceptable if it is ((SND.UNA-(2^31-1))
<= SEG.ACK <= SND.NXT). 

Anything > SND.NXT above would solicit an ACK to be sent back, this is
simply an ACK being sent for something that has not yet been actually
sent. 

With this mitigation we are saying that the acceptability range becomes
:

((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT).

Since we haven't accepted this segment we drop this silently to
distinguish with the above case. This is whole point. (old ACK versus an
ACK ack'ing data that is unsent)

FWIW, this is been implemented and tested in some of the stacks and I
don't recall seeing any issues here.

I agree that generating an ACK back is also fine and shouldn't pose any
issues. 

I will think about this a bit more and will get back since my opinion is
either way is fine.


> 
>   The second related issue is where this check should be 
> placed relative to
>   RFC793 ordering?  Before the fifth check, last sentence 
> (page 72) "If the ACK
>   acks something not yet sent (SEG.ACK > SND.NXT) then send 
> an ACK, drop the
>   segment, and return." or right after it?  This has 

Should be before that, this is what we have tested with. Although I
can't think of on top of my head what would happen if we put after
that... 

> implications on the response
>   as tcpsecure requires to silently discard the segment.  If 
> it weren't for the
>   silent discard the new tcpsecure check could simply 
> replace/extend the fifth
>   check from RFC793.

Agreed. I think it is just a matter of perference and I think both
choices don't have any implications that I can see. 

> 
> 
> Feedback appreciated.

Thanks,
-Anantha
> 
> --
> Andre
> 
> andre@FreeBSD.org
> 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm
> 
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email