[tsvwg] 回复: Some unclear points about rfc4960 (SCTP).
一念之后★だ <zhouming948@foxmail.com> Sun, 22 August 2021 04:13 UTC
Return-Path: <zhouming948@foxmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69903A0849 for <tsvwg@ietfa.amsl.com>; Sat, 21 Aug 2021 21:13:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.317
X-Spam-Level: *
X-Spam-Status: No, score=1.317 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HELO_DYNAMIC_IPADDR=1.951, HTML_MESSAGE=0.001, NO_FM_NAME_IP_HOSTN=0.232, RCVD_IN_MSPIKE_H2=-0.001, RDNS_DYNAMIC=0.982, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=foxmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q0o2A8CtQeBW for <tsvwg@ietfa.amsl.com>; Sat, 21 Aug 2021 21:13:46 -0700 (PDT)
Received: from out203-205-221-202.mail.qq.com (out203-205-221-202.mail.qq.com [203.205.221.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 379603A0840 for <tsvwg@ietf.org>; Sat, 21 Aug 2021 21:13:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foxmail.com; s=s201512; t=1629605620; bh=7rcas1a2dz+M90YXHJ+0ks1t144nh1q0AdjwUuIdIH8=; h=From:To:Cc:Subject:Date; b=EzFg88C6IAKvGUwffaMKJOPVjUiwxC3liPS/foIFuR19nfEvJYGsLEv2o/lyeQLAU Wj7g5m5DnSJ4CvaTP5t7bcjMeiLrYY109bNzZxvXg1qiRtvRCrhL8u7Hv+hJGG4uFp EgyufD9LsL/wYub/r2AiHTTZKXX+X1vyZjBHm8GY=
X-QQ-FEAT: vgyHkztH/IGRjXJ3uldwi8La71l++kMu
X-QQ-SSF: 000000000000002000000000000000Z
X-QQ-XMAILINFO: M+8qex0/fVe7ocCfLKcLhMZaww4Z067Nnu4ABphC/szv9AgefXxUsnuNORvyqW 4IcECfj9HhXvq+kGfCkSvfT3ZKeqoet2yVCbypuX4+EbrNZLFvSJ0EfN+/tfWlq/6qDTb/w3gjfaM mNeP9QOv10/Uf90i8GzXm1LzE0U18BeFeD70SERgeX5fVOm5co2zHR5oBFdCahe3m+zOTQ6bvV7WW lP/bFCflb69odYUrnMCzYWN0I7dWIJuDoDmHsLSsTemmU073MOEbDHcrGX6NyvhY7nYSqkYlIP5ot 2/b5Gk2z5mOyZOwXDIUD6S4MVV5kz+fyiQ5mpKUTF6HbAfxRlbsRMHL3+e0f1xhoJXFdzL82oLYFh VT/3V0wTEBY1ACobY7p8pEtru11a1p0dQ9xY4f+MYPWjfylQlOAosEWWKK6OoNDn/7AyJltPr+GIh ui2aPSSaCA9uWknQEbCAsxcQshSjayLBjab5c06A+jA62TPzudmBEKVBpICQINsz4f/lChoDDWQfS siDjr2Yy3tL00BBBi6s8Uf6qfhFnfLPbmhXzH2FcG32u7lByVuGZIfkIJwl6aND1HHXjb6FSvm0k4 1Lhzcr7P/sWyjvFs0+V+3BA6Rs4wnAxqhz0igIvpHePo6B+cM+6imtPAbeOzvM+skosjlBqDY5v3z QwPfHeAhOEO9/NpK8v9PhFYOkVzabWdWp1/gFvRVpBxxtnT/SWUrVNI5i9nUtaLuM+edCcInySkLO 6Wcfp1RFklbYAO6/SXLIZlND7QKoaKNRC4JgahP3YmxrPguJicvRKCfXmFSUj0tvD3fzWEUyyiuhP UaG2RjnbdwutKl1Mmzz3+CmpkkNH66F0is6wXDCwww/DDHR6hc6B4ADlWPfeVZw6tHRW+KKWcEnzL 2RFr3yExolUBLsvoQpt0GwP8YSKb99UYz4sMcQTfRFw/u/mJcTIlw==
X-HAS-ATTACH: no
X-QQ-BUSINESS-ORIGIN: 2
X-Originating-IP: 111.222.255.42
X-QQ-STYLE:
X-QQ-mid: webmail606t1629605597t1614158
From: 一念之后★だ <zhouming948@foxmail.com>
To: Michael Tuexen <michael.tuexen@lurchi.franken.de>
Cc: tsvwg <tsvwg@ietf.org>, draft-ietf-tsvwg-2960bis <draft-ietf-tsvwg-2960bis@ietf.org>, "claudio.porfiri" <claudio.porfiri@ericsson.com>, gorry <gorry@erg.abdn.ac.uk>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_6121CEDC_1030EAD0_52915348"
Content-Transfer-Encoding: 8bit
Date: Sun, 22 Aug 2021 12:13:16 +0800
X-Priority: 3
Message-ID: <tencent_020235B85610F75C84CBD32D777C04FEE00A@qq.com>
X-QQ-MIME: TCMime 1.0 by Tencent
X-Mailer: QQMail 2.x
X-QQ-Mailer: QQMail 2.x
X-QQ-ReplyHash: 1925932602
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/7c82pStWp0Q3UuHnrsIMI5nRWng>
X-Mailman-Approved-At: Mon, 23 Aug 2021 13:13:33 -0700
Subject: [tsvwg] 回复: Some unclear points about rfc4960 (SCTP).
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Aug 2021 04:13:53 -0000
HI, I am sorry for late reply. I combined the reply for several emails: Which version of the Linux kernel are you using (what is the output of uname -a)? Zhouming: I test ubuntu16.04 LTS and ubuntu20.04 LTS, they both have these problems. uname -a Linux ubuntu 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux # uname -a Linux ubuntu 5.11.0-27-generic #29~20.04.1-Ubuntu SMP Wed Aug 11 15:58:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux NCAT version: Ncat: Version 7.80 ( https://nmap.org/ncat ) --------------- I agree that the your attached .pcap file indicates that the implementation used has the bug you are describing. I used packetdrill (from https://github.com/nplab/packetdrill) with the attached script on a 5.11 kernel, and the attached script passes, which means that that stack does not have the problem. I'm also attaching the corresponding .pcapng file. So it seems that this bug was fixed recently in Linux, or am I missing something? Zhouming: I checked the source code of 5.11 kernel, and find nothing fix about the problems we discussed. I guess maybe you missed something, I have no idea if packetdrill is suitable for this test. --------------- > This has already been clarified in draft-ietf-tsvwg-rfc4960-bis-13. > > It states now: > <t>If the value of the Initiate Tag in a received INIT chunk is found to be 0, > the receiver MUST treat it as an error and silently discard the packet.</t> > > For OS = 0 or MIS = 0, the INIT chunk MUST be dropped and an ABORT chunk > SHOULD be sent. So the next revision will contain: > > <t>A receiver of an INIT chunk with the OS value set to 0 MUST discard the > packet and SHOULD send a packet in response containing an ABORT chunk and using > the Initiate Tag as the Verification Tag. > Any existing association MUST NOT be affected.</t> > > <t>A receiver of an INIT chunk with the MIS value set to 0 MUST discard the > packet and SHOULD send a packet in response containing an ABORT chunk and using > the Initiate Tag as the Verification Tag. > Any existing association MUST NOT be affected.</t> > > I guess this makes the description for the INIT chunk crystal clear. Zhouming: situation(2) is missing in draft-ietf-tsvwg-rfc4960-bis-13 or it no need to be clarified ?? I have test this, an init msg with mandatory parameters not fully carried can also trigger an Abort msg to release the association. --- As can be seen from the above description, when an init message or init ACK message is received, (1)If the init tag in the message is 0, the association must be released (2)If the mandatory parameters in the message are not fully carried, the association must be released (3)When the OS value or MIS value in the message is 0, it is strongly recommended to release this association >> Unfortunately, the SCTP implementation of Linux will be affected by the attacks described above, such as the open source lksctp. > Have you reported that issue? If not, I can let them know. Zhouming: I still do not report this issue to them, I think I need disscuss it with you first, so you can let them know about it. ------------- > Please let me know how to write your name in ASCII to give you credit. Zhouming: Thanks very much, it's a great honor,my English name is Zhouming. ------------------ 原始邮件 ------------------ 发件人: "Michael Tuexen" <michael.tuexen@lurchi.franken.de>; 发送时间: 2021年8月21日(星期六) 上午6:03 收件人: "一念之后★だ"<zhouming948@foxmail.com>; 抄送: "tsvwg"<tsvwg@ietf.org>;"draft-ietf-tsvwg-2960bis"<draft-ietf-tsvwg-2960bis@ietf.org>; 主题: Re: [tsvwg] Some unclear points about rfc4960 (SCTP). > On 18. Aug 2021, at 18:46, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote: > >> On 17. Aug 2021, at 18:56, 一念之后★だ <zhouming948@foxmail.com> wrote: >> >> Dear IETF experts, >> >> I read rfc4960 (SCTP) and felt that there were some unclear descriptions in the document. I hope to get your reply, so I wrote this email to you. And I think it's better to describe these more clearly in the subsequent version of the RFC. >> The following description describes some scenarios requiring abort Association in rfc4960: >> Page25 >> >> >> <8BD7343D@5C03830D.45EA1B61.png.jpg> >> >> Page26 >> <35034230@AD73F10A.45EA1B61.png.jpg> >> >> Page30 >> <30040808@E72FC146.45EA1B61.png.jpg> >> >> Page31 >> <3B65D2C9@0ACE147B.45EA1B61.png.jpg> >> >> Page56 >> <8E3B5E0D@11868C69.45EA1B61.png.jpg> >> >> As can be seen from the above description, when an init message or init ACK message is received, >> (1)If the init tag in the message is 0, the association must be released >> (2)If the mandatory parameters in the message are not fully carried, the association must be released >> (3)When the OS value or MIS value in the message is 0, it is strongly recommended to release this association > You are correct, using an initiate tag of 0 or limit the number of streams to 0 is not allowed. > > Please note the in the case of an initiate tag of 0 in an INIT chunk, you can't send an ABORT > since you have no tag different from 0 you could use as the verification tag. > This has already been clarified in draft-ietf-tsvwg-rfc4960-bis-13. > > It states now: > <t>If the value of the Initiate Tag in a received INIT chunk is found to be 0, > the receiver MUST treat it as an error and silently discard the packet.</t> > > For OS = 0 or MIS = 0, the INIT chunk MUST be dropped and an ABORT chunk > SHOULD be sent. So the next revision will contain: > > <t>A receiver of an INIT chunk with the OS value set to 0 MUST discard the > packet and SHOULD send a packet in response containing an ABORT chunk and using > the Initiate Tag as the Verification Tag. > Any existing association MUST NOT be affected.</t> > > <t>A receiver of an INIT chunk with the MIS value set to 0 MUST discard the > packet and SHOULD send a packet in response containing an ABORT chunk and using > the Initiate Tag as the Verification Tag. > Any existing association MUST NOT be affected.</t> > > I guess this makes the description for the INIT chunk crystal clear. > > The situation for the INIT-ACK is different. The INIT-ACK is only processed, if > the verification tag in the common header was correct. In this case it is OK > to destroy the association. A potential attacker has to guess the 32-bit > verification tag and if the attacker can do this, the attacker can send a > packet containing an ABORT chunk. > However, the consistency of the text can be improved. Here are the suggested changes to improve the consistency of the handling of illegal parameters in the INIT ACK chunk: For the Initiate Tag: <t>If an endpoint in the COOKIE-WAIT state receives an INIT ACK chunk with the Initiate Tag set to 0, it MUST destroy the TCB and SHOULD send an ABORT chunk with the T bit set. If such an INIT-ACK chunk is received in any state other than CLOSED or COOKIE-WAIT, it SHOULD be discarded silently (see <xref target='sec_unexpected_init_ack'/>).</t> For OS: <t>If an endpoint in the COOKIE-WAIT state receives an INIT ACK chunk with the OS value set to 0, it MUST destroy the TCB and SHOULD send an ABORT chunk. If such an INIT-ACK chunk is received in any state other than CLOSED or COOKIE-WAIT, it SHOULD be discarded silently (see <xref target='sec_unexpected_init_ack'/>).</t> For MIS: <t>If an endpoint in the COOKIE-WAIT state receives an INIT ACK chunk with the MIS value set to 0, it MUST destroy the TCB and SHOULD send an ABORT chunk. If such an INIT-ACK chunk is received in any state other than CLOSED or COOKIE-WAIT, it SHOULD be discarded silently (see <xref target='sec_unexpected_init_ack'/>).</t> Best regards Michael >> >> The following description also shows that there can only be one SCTP association between two SCTP endpoints at any time: >> <0096CA66@4B725944.45EA1B61.png.jpg> >> >> >> Because init messages can be forged arbitrarily, take the scenario where the initial tag in init message is 0 as an example. >> In this scenario, a malicious attacker can destroy other associations at a very low cost: >> <5E5A32BF@B01FE933.45EA1B61.png.jpg> >> >> For the other two scenarios, i.e. init message with missing mandatory parameters or init message with OS value / MIS value of 0, the effect may be similar. >> I think from the original intention of the protocol design, these error scenarios should be handled according to the following. However, the RFC does not specify how to deal with the established association endpoint when receiving this wrong init (or init ACK) message, and whether the corresponding association should still be removed. > I agree. I think the suggested changes above make this crystal clear. >> <FE060690@88C75D15.45EA1B61.png.jpg> >> >> Unfortunately, the SCTP implementation of Linux will be affected by the attacks described above, such as the open source lksctp. > Have you reported that issue? If not, I can let them know. >> I hope to receive your reply to clarify the above unclear areas. >> Thank you very much. > Thank you very mich for reporting the issue. >> >> Yours faithfully! >> Zhouming. > Please let me know how to write your name in ASCII to give you credit. > > Best regards > Michael >
- [tsvwg] 回复: Some unclear points about rfc4960 (SC… 一念之后★だ
- Re: [tsvwg] Some unclear points about rfc4960 (SC… Michael Tuexen
- Re: [tsvwg] Some unclear points about rfc4960 (SC… Marcelo Ricardo Leitner
- Re: [tsvwg] Some unclear points about rfc4960 (SC… Michael Tuexen
- Re: [tsvwg] Some unclear points about rfc4960 (SC… Michael Tuexen
- Re: [tsvwg] Some unclear points about rfc4960 (SC… Marcelo Ricardo Leitner
- Re: [tsvwg] Some unclear points about rfc4960 (SC… Michael Tuexen
- Re: [tsvwg] Some unclear points about rfc4960 (SC… 一念之后★だ