RE: TRIGTRAN Security Considerations (was: RE: [Trigtran] TRIGTRAN Nextsteps ("let the games begin"))
john.loughney@nokia.com Tue, 14 January 2003 07:11 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA17250 for <trigtran-archive@odin.ietf.org>; Tue, 14 Jan 2003 02:11:12 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h0E7PDA04431 for trigtran-archive@odin.ietf.org; Tue, 14 Jan 2003 02:25:13 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0E7PDJ04428 for <trigtran-web-archive@optimus.ietf.org>; Tue, 14 Jan 2003 02:25:13 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA17238 for <trigtran-web-archive@ietf.org>; Tue, 14 Jan 2003 02:10:40 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0E7P7J04407; Tue, 14 Jan 2003 02:25:07 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0E7MuJ04250 for <trigtran@optimus.ietf.org>; Tue, 14 Jan 2003 02:22:56 -0500
Received: from mgw-x4.nokia.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA17198 for <trigtran@ietf.org>; Tue, 14 Jan 2003 02:08:23 -0500 (EST)
From: john.loughney@nokia.com
Received: from esvir04nok.ntc.nokia.com (esvir04nokt.ntc.nokia.com [172.21.143.36]) by mgw-x4.nokia.com (Switch-2.2.1/Switch-2.2.0) with ESMTP id h0E7Dmt16294 for <trigtran@ietf.org>; Tue, 14 Jan 2003 09:13:48 +0200 (EET)
Received: from esebh002.NOE.Nokia.com (unverified) by esvir04nok.ntc.nokia.com (Content Technologies SMTPRS 4.2.5) with ESMTP id <T5fc85e1326ac158f24078@esvir04nok.ntc.nokia.com>; Tue, 14 Jan 2003 09:11:41 +0200
Received: from esebe002.NOE.Nokia.com ([172.21.138.17]) by esebh002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.5329); Tue, 14 Jan 2003 09:11:30 +0200
Received: from esebe022.NOE.Nokia.com ([172.21.138.113]) by esebe002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.5329); Tue, 14 Jan 2003 09:11:28 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Subject: RE: TRIGTRAN Security Considerations (was: RE: [Trigtran] TRIGTRAN Nextsteps ("let the games begin"))
Date: Tue, 14 Jan 2003 09:11:27 +0200
Message-ID: <A16A3EE4D4CA124FADC7987B1AC89FE440EA5A@esebe022.ntc.nokia.com>
Thread-Topic: [Trigtran] TRIGTRAN Nextsteps ("let the games begin")
Thread-Index: AcK7D/szmzj3l8ePS/6cWbM+IrtUHAAB5McQACEOlIA=
To: sdawkins@cynetanetworks.com, trigtran@ietf.org
X-OriginalArrivalTime: 14 Jan 2003 07:11:28.0625 (UTC) FILETIME=[285CAE10:01C2BB9C]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by www1.ietf.org id h0E7MuJ04251
Sender: trigtran-admin@ietf.org
Errors-To: trigtran-admin@ietf.org
X-BeenThere: trigtran@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/trigtran>, <mailto:trigtran-request@ietf.org?subject=unsubscribe>
List-Id: Triggers for Transport <trigtran.ietf.org>
List-Post: <mailto:trigtran@ietf.org>
List-Help: <mailto:trigtran-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/trigtran>, <mailto:trigtran-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 8bit
Content-Transfer-Encoding: 8bit
Spencer, Quick question - in a number of wireless networks, there can be spurious time-outs due to radio unavailability (or bad layer 2/3 coupling). Quite often, this can kick-off a chain of events, along the line of time-out -> tcp abort -> application protocol tear-down, security association tear-down. Can TRIGTRAN also be used to prevent unnescessary tear-downs (a sort of - hold on, don't disconnect quite yet message)? If so, your text below might need to be updated slightly. thanks, John > -----Original Message----- > From: ext Spencer Dawkins [mailto:sdawkins@cynetanetworks.com] > Sent: 13 January, 2003 17:30 > To: trigtran@ietf.org > Subject: TRIGTRAN Security Considerations (was: RE: > [Trigtran] TRIGTRAN > Nextsteps ("let the games begin")) > > > Hi, Gorry, > > What follows is not in RESPONSE to your thought-provoking > e-mail, just on the same topic (so it doesn't address all the > excellent questions you asked), but Carl and I had been > thinking on the same topic, so - to get more points of view: > > ------------ > > Preliminary Security Considerations for TRIGTRAN > ================================================ > > TRIGTRAN ("Triggers for Transport" is working on mechanisms > to provide explicit notifications from edge routers to endpoint > transport implementations across the Internet. More details are > available at: > > http://www.ietf.org/proceedings/02nov/slides/trigtran-5.pdf/ > > But, in a nutshell, the minimal TRIGTRAN architecture looks > like this: > > +------+ +-----------------+ (Internet +------+ > | Host | | TRIGTRAN Router | goes | Host | > +------+ +-----------------+ here) +------+ > X X > Sub-network Event -----------------> Notifies Transport > Here Here > > (taken from the Problem Statement I-D) > > The critical feature here is that the host receiving a TRIGTRAN > trigger is across an arbitrary network topology from the TRIGTRAN > edge router sending the trigger, and the host receiving the > trigger has no previous trust relationship with the TRIGTRAN > router. The host receiving the trigger then takes some > transport-level action (sending a packet, retransmitting a > packet, waiting for some period of time to transmit a packet, > etc.). > > The transports would "figure out an event" eventually, > given enough time. TRIGTRAN is intended to provide > network-based hints that clue the transport in more quickly > (where "quickly" is measured in RTTs, not in milliseconds). > Since "link down" will probably be one of the triggers, > end-to-end mechanisms cannot be used to send explicit > notifications (since one of the ends isn't accessible). > > A security assessment for TRIGTRAN amounts to evaluating what > impact a forged trigger can have on a host that uses the hints > to deal with the respective event. For example, we don't want > TRIGTRAN to provide a mechanism for denial of service attacks, > etc. (this should be obvious, but let's make it explicit). > > TRIGTRAN triggers are advisory in nature - they do not replace > transport-level mechanisms (in the case of TCP, the receiver's > ACK stream). If a transport gets a forged "link down" trigger, > but continues to receive ACKs from the actually-reachable receiver, > the reasonable action is to ignore the trigger, not the ACKs. > If a transport gets a forged "link up" trigger, but does not > receive ACKs from the actually-unreachable receiver, the transport > would take its normal action for an unresponsive receiver (in the > case of TCP, this would be RTO, retransmission, and slow start). > > The receiving host can use existing transport-level mechanisms > to determine the validity of the trigger. Because TRIGTRAN triggers > are advisory the host isn't required to act as if the > events are real. > Thus, we don't think a security association is required > between the TRIGTRAN router and the host receiving triggers. If > one is present, fine, but it's not required. > > The alternative, requiring the host to establish trust > relationships > with arbitrary routers in other administrative domains in order > to receive triggers, seems to be overkill in this situation. > > What are we ignoring/overlooking, if we use this model? > > > -----Original Message----- > > From: Dr G Fairhurst [mailto:gorry@erg.abdn.ac.uk] > > Sent: Monday, January 13, 2003 8:20 AM > > To: trigtran@ietf.org; Sally Floyd > > Subject: Re: [Trigtran] TRIGTRAN Nextsteps ("let the games begin") > > > > > > I'd like to understand what can go wrong with these signals, > > and therefore what constraints we need to introduce. > > > > I would like to see a "threat" analysis that looks at the > > implications of "Forged, malicious trigtran reports" > > and also "erronous" reports taht do not reflect actual > > path status. > > > > Here's some first thoughts: > > > > Perhaps we could look at how these sort of things impact: > > > > 1) The network path from the reporting device to end host. > > i.e., the signalling cost itself. > > > > 2) The impact on the recipient - of retransmission, cwnd > > management, etc. > > > > 3) The rate/burst characteristics of the traffic on the > > network path from the sending end-host that arises > > after trigtran processing. > > > > > > It could be useful to look at scenarios which produce > > confusing indications: > > > > 1) Alternate paths - one reporting, one not.... > > > > 2) Effect of two reporting devicec, with differing path > > delay (possibly on the same path?) ... > > > > etc. > > > > Any ideas??? > > > > Gorry Fairhurst > > > > Sally Floyd wrote: > > > > > > Spencer - > > > > > > (Getting to things a little late...) > > > > > > Here are a few things to add to the outline... > > > > > > >Possible Trigger Responses (choice of response depends > on trigger) > > > ... > > > > Slow Start > > > (Modify the slow-start threshold ssthresh.) > > > Sending a trial packet, without waiting for the > > retransmit timer to > > > expire. > > > > > > ... > > > >Major Challenges > > > ... > > > Forged, malicious trigtran reports. > > > > > > - Sally > _______________________________________________ > Trigtran mailing list > Trigtran@ietf.org > https://www1.ietf.org/mailman/listinfo/trigtran > _______________________________________________ Trigtran mailing list Trigtran@ietf.org https://www1.ietf.org/mailman/listinfo/trigtran
- TRIGTRAN Security Considerations (was: RE: [Trigt… Spencer Dawkins
- RE: TRIGTRAN Security Considerations (was: RE: [T… john.loughney
- RE: TRIGTRAN Security Considerations (was: RE: [T… Spencer Dawkins
- RE: TRIGTRAN Security Considerations (was: RE: [T… john.loughney