[Trigtran] TRIGTRAN Security Considerations
Kacheong Poon <poon@cs.wisc.edu> Wed, 15 January 2003 01:09 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA18109 for <trigtran-archive@odin.ietf.org>; Tue, 14 Jan 2003 20:09:46 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h0F1O9p18411 for trigtran-archive@odin.ietf.org; Tue, 14 Jan 2003 20:24:09 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0F1O8J18408 for <trigtran-web-archive@optimus.ietf.org>; Tue, 14 Jan 2003 20:24:08 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA18105 for <trigtran-web-archive@ietf.org>; Tue, 14 Jan 2003 20:09:15 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0F1O5J18400; Tue, 14 Jan 2003 20:24:05 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0F1NvJ18385 for <trigtran@optimus.ietf.org>; Tue, 14 Jan 2003 20:23:57 -0500
Received: from parmesan.cs.wisc.edu (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA18101 for <trigtran@ietf.org>; Tue, 14 Jan 2003 20:09:03 -0500 (EST)
Received: (from poon@localhost) by parmesan.cs.wisc.edu (8.9.2/8.9.2) id TAA21991 for trigtran@ietf.org; Tue, 14 Jan 2003 19:12:25 -0600 (CST)
Date: Tue, 14 Jan 2003 19:12:25 -0600
From: Kacheong Poon <poon@cs.wisc.edu>
Message-Id: <200301150112.TAA21991@parmesan.cs.wisc.edu>
To: trigtran@ietf.org
Subject: [Trigtran] TRIGTRAN Security Considerations
Sender: trigtran-admin@ietf.org
Errors-To: trigtran-admin@ietf.org
X-BeenThere: trigtran@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/trigtran>, <mailto:trigtran-request@ietf.org?subject=unsubscribe>
List-Id: Triggers for Transport <trigtran.ietf.org>
List-Post: <mailto:trigtran@ietf.org>
List-Help: <mailto:trigtran-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/trigtran>, <mailto:trigtran-request@ietf.org?subject=subscribe>
> The transports would "figure out an event" eventually, > given enough time. TRIGTRAN is intended to provide > network-based hints that clue the transport in more quickly > (where "quickly" is measured in RTTs, not in milliseconds). > Since "link down" will probably be one of the triggers, > end-to-end mechanisms cannot be used to send explicit > notifications (since one of the ends isn't accessible). I'm wondering if this kind of end2end notification should be ruled out. To me, notification mechanisms, such as ECN, are much better than triggers. And security is automatically tied to the transport protocol as it is end2end. It seems to me that the issue with "link down" info does not justify to rule out notification mechanism altogether. Please correct me if I am wrong, I believe the major issue here is that if the link is down for a period of time because of some transient problems (e.g. wireless), we do not want the other end to time out prematurely, thus the "link down trigger." Assuming we are talking about the first hop (I believe this is what is being considered as the first step), when a transport level connection is being made, the two sides can agree on a more reasonable timeout period as one end knows that the immediate link can have this kind of transient issue. Will this eliminate the timeout issue in practise? The draw back of this with normal transport protocol, such as TCP, is that the other end will continue to retransmit data packets. First, this kind of retransmission with exponential backoff will probably not cause congestion issue. Second, if the transport is modified such that the end2end notification can include several timeout periods such that the other end will stop retransmission after a certain period and wait until it hears again from the end with a down link or a reasonable timeout period which is longer than the default, it will work better. Are they other major problems? As a matter of fact, there is a security issue with simple "link down trigger." What should the other end do when it gets a "link down trigger?" Well, the simple behavior is not to time out and wait until it hears again from the other side. We all know that this is the wrong behavior as an attacker can simply use this kind of trigger to make sure that a machine will hang on to existing connections, thus exhausting its resources. (Note that I skip a few steps here to illustrate how this attack can work effectively in practise...) So a machine getting a "link down trigger" will still have to somehow time out the connection after a period of idle time. Does it mean that the "link down trigger" is really not useful at all? Compare this trigger with an explicit end2end notificiation of a reasonable timeout period, which one is better? Assuming the normal case of first hop link issue, after the link comes back up, there can be an end2end notification telling the other end to gracefully recover. This can replace the "link up trigger." What other triggers are needed which cannot be replaced with end2end notification? I read in the minutes that this point of end2end notification was raised in the IETF BOF. But I don't see any discussion that it should be ruled out completely. So what is the major problem with this? An end2end solution is better because there is no state stored in the network, thus it is more scalable. And security is tied to the transport automatically. Why isn't this being considered first before IETF should look at triggers? IMHO, there are too many issues with triggers such that we should only look at it unless all other alternatives have been ruled out. K. Poon. _______________________________________________ Trigtran mailing list Trigtran@ietf.org https://www1.ietf.org/mailman/listinfo/trigtran
- [Trigtran] TRIGTRAN Security Considerations Kacheong Poon