IETF Logo Mail Archive

Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)

Michael Tüxen <Michael.Tuexen@lurchi.franken.de> Thu, 28 May 2009 17:53 UTC

Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1D3528C2EC for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 10:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.867
X-Spam-Level:
X-Spam-Status: No, score=0.867 tagged_above=-999 required=5 tests=[AWL=-1.771, BAYES_00=-2.599, HOST_EQ_DIP_TDIAL=2.144, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_41=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1VyzwKoxHnMu for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 10:53:24 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by core3.amsl.com (Postfix) with ESMTP id 9E7F53A69E5 for <tsvwg@ietf.org>; Thu, 28 May 2009 10:53:23 -0700 (PDT)
Received: from [192.168.1.102] (p5481D8B4.dip.t-dialin.net [84.129.216.180]) by mail-n.franken.de (Postfix) with ESMTP id C4BE91C0B4619; Thu, 28 May 2009 19:55:00 +0200 (CEST)
Message-Id: <EE7BF7C0-E589-4769-AEAB-5C278CFA269B@lurchi.franken.de>
From: Michael Tüxen <Michael.Tuexen@lurchi.franken.de>
To: Joe Touch <touch@ISI.EDU>
In-Reply-To: <28B33EA8-A171-4453-A5B8-271B05EB5A00@lakerest.net>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Thu, 28 May 2009 19:55:00 +0200
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu> <9F71CBFA-9E70-4CD4-B60D-D15F45842739@lakerest.net> <4A1EA9AE.7000309@isi.edu> <D49426F5-E25E-4C7F-A38D-966C9CD834E2@lakerest.net> <4A1EAE47.2090006@isi.edu> <28B33EA8-A171-4453-A5B8-271B05EB5A00@lakerest.net>
X-Mailer: Apple Mail (2.935.3)
Cc: tsvwg <tsvwg@ietf.org>, "Anantha Ramaiah (ananth)" <ananth@cisco.com>, mallman@icir.org, Fernando Gont <fernando@gont.com.ar>, Randy Stewart <randall@lakerest.net>, "James Polk (jmpolk)" <jmpolk@cisco.com>
Subject: Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 17:53:54 -0000

Hi Joe,

just a clarification:

* timewait for vtags is currently no described in
   any SCTP specification.
* the need for this kind of feature came up
   several times.
* Randall describes what is used implemented in
   FreeBSD and it does take the port number pair
   into account.
* Since an SCTP endpoint can have multiple addresses
   and these addresses can change over time, addresses
   are not considered in the FreeBSD implementation.

Looking at the discussion, I think we need to write
up an ID describing this stuff. This would also clarify
things for other implementations which do not have
this kind of stuff at all.

Best regards
Michael

On May 28, 2009, at 5:45 PM, Randy Stewart wrote:

>
> On May 28, 2009, at 11:31 AM, Joe Touch wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>> Randy Stewart wrote:
>>>
>>> On May 28, 2009, at 11:11 AM, Joe Touch wrote:
>>>
>>>
>>>
>>> Randy Stewart wrote:
>>>>>> Joe:
>>>>>>
>>>>>> In-line..
>>>>>>
>>>>>> ...
>>>>>>> Basically for BSD we take a v-tag used in a connection.. call it
>>>>>>> 'X', and
>>>>>>> we place just the tag 'X' into a "timed-wait" cache for 2MSL.  
>>>>>>> There
>>>>>>> is no
>>>>>>> restriction on the socket here.. just the tag 'X' will not be  
>>>>>>> used
>>>>>>> again
>>>>>>> with this socket.
>>>
>>> ...
>>>>>>> So basically the socket/port and peer socket/port is re-used  
>>>>>>> right away
>>>>>>> with
>>>>>>> the restriction being that the vtag 'X' cannot be used.
>>>>>>
>>>>>>> Hope that clears up the issue  :-)
>>>
>>> Yes, but it also underscores my concern. What you did was basically:
>>>
>>>   - increase the space available to a single service from
>>>   a single IP address
>>>       going from TCP's 16 bits (max) of source port to
>>>       48 bits of source port + vtag
>>>
>>>   - *decrease* the space available for different
>>>   services from different IP addresses
>>>       going from TCP's 32 bits of address +
>>>       16 bits of source port + 16 bits of
>>>       dest port (64 bits) down to only 32
>>>
>>>> Joe:
>>>
>>>> I don't follow your meaning here..
>>>
>>>> I can have
>>>
>>>> IP-A Port-X Vtag-Y <---->
>>>> and
>>>> IP-A Port-Y Vtag=Y <---->
>>>
>>>> existing simultaneously... so I don't see how this decreased the
>>>> space for services from different IP addresses...
>>
>> OK so there's two cases:
>>
>> 	1) the vtag is the unique thing held (NO OTHER STATE)
>> 	2) the vtag is held in the context of the socket pair
>>
>> In 1), the vtag effectively is the connection ID.
>>
>> In 2), the connection ID is the 5-tuple of
>> [srcIP,srcport,dstIP,dstport,vtag]
>>
>> In the case of 1), you decrease the space available for connections  
>> vs.
>> TCP when you include connections from different machines and for
>> different services.
>>
>> In the case of 2), you increase the space available, and I don't have
>> the concern raised above.
>
>
>
> Ok, I just went out and looked at the code (sometimes its good to  
> refresh your memory ;-D)
>
> Basically the vtag cache holds:
>
> 1) Vtag
> 2) Source port
> 3) Destination port
> 4) A timestamp when the entry expires.
>
> This is all hashed on SrcPrt+DstPrt+Vtag-in-time-wait.
>
>
> So when I go to create a new association, I
>
> 1) Randomly generate a vtag e.g. R
> 2) Hash R+local-port+Peer-port
> 3) Use hash to look in vtag time wait block.
> 4) If found goto 1
>   else use vtag-R
>
>
> The IP addresses themselves are not saved in this. Could they be,  
> sure, we just
> decided not to... since one would then have to have a "set" of IP  
> addresses
> and a port on each side... and that seemed unneeded. Of course, as I  
> said, most
> implementations have no timed-wait on anything.. which we in theory  
> could do
> by setting the Time = 0... so they expire right away... But I don't  
> think
> that is wise.
>
> It might even be wise to go back and expand the hash to include the  
> IP addresses of the peer...
> since this simpler approach does limit the vtags somewhat... i.e. a  
> peer connecting to
> a server from a same port could not use a vtag thats in time-wait...  
> which is not
> strictly correct...
>
>
>
> R
>
>>
>>
>> I am still a bit confused as to which case is true; you appeared to  
>> give
>> two different responses.
>>
>> Joe
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkoerkcACgkQE5f5cImnZrvVlQCgoNoQPGril0N687ocbOD1n0ex
>> cUoAn35PgtR+ogd0NGkkPZBD74H39MzN
>> =uJLP
>> -----END PGP SIGNATURE-----
>>
>
> -----
> Randall Stewart
> randall@lakerest.net
>
>
>
>
>

v2.23.0 | Report a Bug | By Email