TRIGTRAN Security Considerations (was: RE: [Trigtran] TRIGTRAN Nextsteps ("let the games begin"))
"Spencer Dawkins" <sdawkins@cynetanetworks.com> Mon, 13 January 2003 15:28 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA13329 for <trigtran-archive@odin.ietf.org>; Mon, 13 Jan 2003 10:28:29 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h0DFgAX32743 for trigtran-archive@odin.ietf.org; Mon, 13 Jan 2003 10:42:10 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0DFgAJ32740 for <trigtran-web-archive@optimus.ietf.org>; Mon, 13 Jan 2003 10:42:10 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA13315 for <trigtran-web-archive@ietf.org>; Mon, 13 Jan 2003 10:27:58 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0DFg6J32732; Mon, 13 Jan 2003 10:42:06 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h0DFf8J32695 for <trigtran@optimus.ietf.org>; Mon, 13 Jan 2003 10:41:08 -0500
Received: from MAIL.cynetanetworks.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA13303 for <trigtran@ietf.org>; Mon, 13 Jan 2003 10:26:55 -0500 (EST)
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Subject: TRIGTRAN Security Considerations (was: RE: [Trigtran] TRIGTRAN Nextsteps ("let the games begin"))
Date: Mon, 13 Jan 2003 09:30:13 -0600
Message-ID: <9255B6CD76A88943A3062F7D4E6432F51030DC@mail.cynetanetworks.com>
Thread-Topic: [Trigtran] TRIGTRAN Nextsteps ("let the games begin")
Thread-Index: AcK7D/szmzj3l8ePS/6cWbM+IrtUHAAB5McQ
From: Spencer Dawkins <sdawkins@cynetanetworks.com>
To: trigtran@ietf.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by www1.ietf.org id h0DFf8J32696
Sender: trigtran-admin@ietf.org
Errors-To: trigtran-admin@ietf.org
X-BeenThere: trigtran@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/trigtran>, <mailto:trigtran-request@ietf.org?subject=unsubscribe>
List-Id: Triggers for Transport <trigtran.ietf.org>
List-Post: <mailto:trigtran@ietf.org>
List-Help: <mailto:trigtran-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/trigtran>, <mailto:trigtran-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 8bit
Content-Transfer-Encoding: 8bit
Hi, Gorry,
What follows is not in RESPONSE to your thought-provoking e-mail, just on the same topic (so it doesn't address all the excellent questions you asked), but Carl and I had been thinking on the same topic, so - to get more points of view:
------------
Preliminary Security Considerations for TRIGTRAN
================================================
TRIGTRAN ("Triggers for Transport" is working on mechanisms
to provide explicit notifications from edge routers to endpoint
transport implementations across the Internet. More details are
available at:
http://www.ietf.org/proceedings/02nov/slides/trigtran-5.pdf/
But, in a nutshell, the minimal TRIGTRAN architecture looks
like this:
+------+ +-----------------+ (Internet +------+
| Host | | TRIGTRAN Router | goes | Host |
+------+ +-----------------+ here) +------+
X X
Sub-network Event -----------------> Notifies Transport
Here Here
(taken from the Problem Statement I-D)
The critical feature here is that the host receiving a TRIGTRAN
trigger is across an arbitrary network topology from the TRIGTRAN
edge router sending the trigger, and the host receiving the
trigger has no previous trust relationship with the TRIGTRAN
router. The host receiving the trigger then takes some
transport-level action (sending a packet, retransmitting a
packet, waiting for some period of time to transmit a packet,
etc.).
The transports would "figure out an event" eventually,
given enough time. TRIGTRAN is intended to provide
network-based hints that clue the transport in more quickly
(where "quickly" is measured in RTTs, not in milliseconds).
Since "link down" will probably be one of the triggers,
end-to-end mechanisms cannot be used to send explicit
notifications (since one of the ends isn't accessible).
A security assessment for TRIGTRAN amounts to evaluating what
impact a forged trigger can have on a host that uses the hints
to deal with the respective event. For example, we don't want
TRIGTRAN to provide a mechanism for denial of service attacks,
etc. (this should be obvious, but let's make it explicit).
TRIGTRAN triggers are advisory in nature - they do not replace
transport-level mechanisms (in the case of TCP, the receiver's
ACK stream). If a transport gets a forged "link down" trigger,
but continues to receive ACKs from the actually-reachable receiver,
the reasonable action is to ignore the trigger, not the ACKs.
If a transport gets a forged "link up" trigger, but does not
receive ACKs from the actually-unreachable receiver, the transport
would take its normal action for an unresponsive receiver (in the
case of TCP, this would be RTO, retransmission, and slow start).
The receiving host can use existing transport-level mechanisms
to determine the validity of the trigger. Because TRIGTRAN triggers
are advisory the host isn't required to act as if the events are real.
Thus, we don't think a security association is required
between the TRIGTRAN router and the host receiving triggers. If
one is present, fine, but it's not required.
The alternative, requiring the host to establish trust relationships
with arbitrary routers in other administrative domains in order
to receive triggers, seems to be overkill in this situation.
What are we ignoring/overlooking, if we use this model?
> -----Original Message-----
> From: Dr G Fairhurst [mailto:gorry@erg.abdn.ac.uk]
> Sent: Monday, January 13, 2003 8:20 AM
> To: trigtran@ietf.org; Sally Floyd
> Subject: Re: [Trigtran] TRIGTRAN Nextsteps ("let the games begin")
>
>
> I'd like to understand what can go wrong with these signals,
> and therefore what constraints we need to introduce.
>
> I would like to see a "threat" analysis that looks at the
> implications of "Forged, malicious trigtran reports"
> and also "erronous" reports taht do not reflect actual
> path status.
>
> Here's some first thoughts:
>
> Perhaps we could look at how these sort of things impact:
>
> 1) The network path from the reporting device to end host.
> i.e., the signalling cost itself.
>
> 2) The impact on the recipient - of retransmission, cwnd
> management, etc.
>
> 3) The rate/burst characteristics of the traffic on the
> network path from the sending end-host that arises
> after trigtran processing.
>
>
> It could be useful to look at scenarios which produce
> confusing indications:
>
> 1) Alternate paths - one reporting, one not....
>
> 2) Effect of two reporting devicec, with differing path
> delay (possibly on the same path?) ...
>
> etc.
>
> Any ideas???
>
> Gorry Fairhurst
>
> Sally Floyd wrote:
> >
> > Spencer -
> >
> > (Getting to things a little late...)
> >
> > Here are a few things to add to the outline...
> >
> > >Possible Trigger Responses (choice of response depends on trigger)
> > ...
> > > Slow Start
> > (Modify the slow-start threshold ssthresh.)
> > Sending a trial packet, without waiting for the
> retransmit timer to
> > expire.
> >
> > ...
> > >Major Challenges
> > ...
> > Forged, malicious trigtran reports.
> >
> > - Sally
_______________________________________________
Trigtran mailing list
Trigtran@ietf.org
https://www1.ietf.org/mailman/listinfo/trigtran
- TRIGTRAN Security Considerations (was: RE: [Trigt… Spencer Dawkins
- RE: TRIGTRAN Security Considerations (was: RE: [T… john.loughney
- RE: TRIGTRAN Security Considerations (was: RE: [T… Spencer Dawkins
- RE: TRIGTRAN Security Considerations (was: RE: [T… john.loughney