IETF Logo Mail Archive

Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)

Joe Touch <touch@ISI.EDU> Thu, 28 May 2009 04:27 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A65703A689E for <tsvwg@core3.amsl.com>; Wed, 27 May 2009 21:27:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.545
X-Spam-Level:
X-Spam-Status: No, score=-2.545 tagged_above=-999 required=5 tests=[AWL=0.054, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FX5psGevNv2S for <tsvwg@core3.amsl.com>; Wed, 27 May 2009 21:27:02 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id C92393A6891 for <tsvwg@ietf.org>; Wed, 27 May 2009 21:27:02 -0700 (PDT)
Received: from [192.168.1.46] (pool-71-106-86-44.lsanca.dsl-w.verizon.net [71.106.86.44]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n4S4SJPK027856; Wed, 27 May 2009 21:28:21 -0700 (PDT)
Message-ID: <4A1E12E3.8050601@isi.edu>
Date: Wed, 27 May 2009 21:28:19 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu> <0C53DCFB700D144284A584F54711EC58075636B3@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC58075636B3@xmb-sjc-21c.amer.cisco.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tsvwg <tsvwg@ietf.org>, "James Polk (jmpolk)" <jmpolk@cisco.com>, Fernando Gont <fernando@gont.com.ar>, mallman@icir.org
Subject: Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 04:27:03 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oh, and a point about vtags being random:

Anantha Ramaiah (ananth) wrote:
...
>> " A new Verification Tag value MUST be used each time the
>>    endpoint tears-down and then re-establishes an association to the
>>    same peer."
>>
>> Can you explain how you know that the tag is new unless you 
>> hold it for some period of time?
> 
> Well, this is purely implementation specific, some imp. can simply be ok
> having a sequential allocation for vtags.

...
> The SCTP RFC doesn't say that vtag
> generation needs to be sequential/random (rightfully so, since it is all
> implementation details).

Yes, it does:

- From 4960:

    Verification Tag: A 32-bit unsigned integer that is randomly
                                                        ^^^^^^^^
      generated...
      ^^^^^^^^^

Then later:

 A) "A" first sends an INIT chunk to "Z".  In the INIT, "A" must
      provide its Verification Tag (Tag_A) in the Initiate Tag field.
      Tag_A SHOULD be a random number in the range of 1 to 4294967295
                        ^^^^^^^^^^^^^
      (see Section 5.3.1 for Tag value selection).  After sending the
      INIT, "A" starts the T1-init timer and enters the COOKIE-WAIT
      state.


The verification tag is copied from the initiate tag on connection
establishment, which is defined as being random as follows:

5.3.1.  Selection of Tag Value

   Initiate Tag values should be selected from the range of 1 to 2**32 -
   1.  It is very important that the Initiate Tag value be randomized to
   help protect against "man in the middle" and "sequence number"
   attacks.  The methods described in [RFC4086] can be used for the
   Initiate Tag randomization.  Careful selection of Initiate Tags is
   also necessary to prevent old duplicate packets from previous
   associations being mistakenly processed as belonging to the current
   association.

That's pretty random, and AFAICT cannot be sequential and be OK. The
trouble with randomness, however, as I noted is that it often is
(incorrectly) tied to parameters that repeat on reboot.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoeEuMACgkQE5f5cImnZrt4ygCg49IUXOHhqDaYln5UdlbhU1Eu
mRsAn12Ugysx32gLlVUqb93nGSFvRNGJ
=qMOl
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email