Re: [tcpm] Is this a problem?

John Heffner <jheffner@psc.edu> Wed, 14 November 2007 15:46 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IsKRj-0001bu-UE; Wed, 14 Nov 2007 10:46:31 -0500
Received: from tcpm by megatron.ietf.org with local (Exim 4.43) id 1IsKRi-0001WY-Ah for tcpm-confirm+ok@megatron.ietf.org; Wed, 14 Nov 2007 10:46:30 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IsKRh-0001WE-VU for tcpm@ietf.org; Wed, 14 Nov 2007 10:46:29 -0500
Received: from mailer1.psc.edu ([2001:5e8:1:3a::64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IsKRh-0007Uj-Ft for tcpm@ietf.org; Wed, 14 Nov 2007 10:46:29 -0500
Received: from [128.182.160.132] (ice.psc.edu [128.182.160.132]) (authenticated bits=0) by mailer1.psc.edu (8.14.1/8.13.3) with ESMTP id lAEFkPMx029311 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Nov 2007 10:46:26 -0500 (EST)
Message-ID: <473B1851.2020502@psc.edu>
Date: Wed, 14 Nov 2007 10:46:25 -0500
From: John Heffner <jheffner@psc.edu>
User-Agent: Thunderbird 2.0.0.6 (Macintosh/20070728)
MIME-Version: 1.0
To: Mahesh Jethanandani <mahesh@cisco.com>
Subject: Re: [tcpm] Is this a problem?
References: <121882.10140.qm@web31702.mail.mud.yahoo.com> <4730B50A.1030102@isi.edu> <20071106190845.GC5881@elb.elitists.net> <4730BC89.5000909@isi.edu> <20071106192746.GE5881@elb.elitists.net> <20071106193912.GF5881@elb.elitists.net> <4730C9D6.1020700@cisco.com> <20071106203212.GG5881@elb.elitists.net> <47333FD9.8010508@cisco.com>
In-Reply-To: <47333FD9.8010508@cisco.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: -1.4 (-)
X-Scan-Signature: e8a67952aa972b528dd04570d58ad8fe
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

Mahesh Jethanandani wrote:
> 
> 
> Ethan Blanton wrote:
>> Yes; however, I agree with Joe (and others) that in the situation you
>> are *actually* trying to solve, this is not particularly relevant.  If
>> you are short on resources, the distinction between "not making
>> progress due to zero window" and "not making progress for some other
>> reason" does not seem important.  As previously mentioned, zero window
>> does _not_ indicate a malicious host in any way.
>>   
> Where is the fairness argument in knocking connections off without 
> making distinctions? A connection that is not making progress because of 
> congestion in the network is a transient behavior and is very different 
> from a connection that continues to advertise a zero window. The former 
> is much harder to do and requires TCP stack changes. Zero window 
> connection can be made to happen on a whim (as we successfully did) on a 
> large number of connections from a user level program with little or no 
> privileges.

It's actually an easy and generally more effective attack to just drop 
all the packets on the floor rather than continue ACKing with zero 
window.  The connection will eventually time out, but it takes so long, 
it's easy to initiate another one in this time to take its place.  Once 
again, please look carefully at Stas's netkill: 
<http://shlang.com/netkill/>.  It's a simple short perl script.  The 
defense you are proposing does nothing for this attack.

I don't think it's critical to determine whether a connection is stalled 
while limited by cwnd or rwin.  This *may* be useful information, but 
it's not the most important.  In my view, the more important thing to 
know is (1) whether the connection is making progress, and (2) how much 
memory (the contended resource) it is using.   Using this information, 
you can implement a policy that resets connections that are consuming 
resources with no benefit (progress).  This solves the more general 
problem -- both the netkill attack and a persist attack.


Also, I have a quibble with some of the language in the draft that I 
think reflects a view of where the solution must go:

    In most implementations, TCP runs in kernel mode as part of the
    operating system.  In this mode the operating system may share the
    same address space as TCP.  For the purposes of discussion, this
    draft considers TCP protocol implementation to be a separate module
    responsible for all resources such as buffers and connection control
    blocks that it borrows from the operating system.  The operating
    system can enforce the maximum number of buffers it is willing to
    give to TCP but beyond that it lets TCP decide how to manage them.

Even if you view TCP as running with an inaccessible address space, it 
can still export all sorts of information, in both standard (see RFC 
4022 and RFC 4898) and non-standard ways.  From a standards point of 
view, I think RFC 4898 exports all the necessary information.

And even if the solution must be implemented in an independent TCP 
module, this does not mean the solution should be defined and 
standardized as a transport layer mechanism.  A TCP module could 
implement a memory-based fairness policy if it's controlling its own 
memory pool as you describe.  This does not mean you need to change the 
definition of how the TCP protocol behaves in the persist state.

   -John


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm