IETF Logo Mail Archive

Re: [tsvwg] Some unclear points about rfc4960 (SCTP).

Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Tue, 24 August 2021 14:37 UTC

Return-Path: <marcelo.leitner@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D48B3A1547 for <tsvwg@ietfa.amsl.com>; Tue, 24 Aug 2021 07:37:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OlWy5yVKC9nd for <tsvwg@ietfa.amsl.com>; Tue, 24 Aug 2021 07:37:21 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 241F83A1160 for <tsvwg@ietf.org>; Tue, 24 Aug 2021 07:37:00 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id m21so23292502qkm.13; Tue, 24 Aug 2021 07:37:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=mYj0ITxnkq7H+7QPTRkB7P2o26zHLLkBWTwdxNCYwU0=; b=MNNejR+RUjIa2G4VobMQF2U9qv8/YTxgngK5q1SKzrU0J1XctNc6duZKOLtaFw8DTI /1GT3cCCH5M18RDam4Kko5MLu2Z0Cf5AmBRiteInY9quQOOWWMjZyi3v02OLU2LLA5on g9B8qBV5YCdqSiJ/pGvilZrIEqZji8hiIr0FAnfTmxXJa5Z25JOnNCpAndfCyHxmplfg tNCPIgMgHI053lAPzdG3rh28WNCDi3CPxSwjoNeTFKh9Ej/Qidu6XjA3Tox18gL/QBQw A6pseRupVstSQqudNdFMowgSaxhMpGeOtSEQvCbDuXvtEZQAQRi3Upd1/ZX381wSCWZo ieIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=mYj0ITxnkq7H+7QPTRkB7P2o26zHLLkBWTwdxNCYwU0=; b=K36fqgiCyg6Y4gctiOcYS3Bt8C/DbqnCOJ9QvujKqlgL2yaboDBI/VLGFcQv74kjcf e0AxF9ZfAA7KDA5iGoNivkXDqfCRrS7QSkbksB2gf4aLfHQIyqwJE3IiRFYFx0Bq/x04 wj6XOYWp5XFkXOgUktyrsLpZJFjCXtDFyrSRQ8k2GTzdlrMVxMJEN2pVu2P2H0JwveOQ vER+py21YN5Pz60h3nVBhOGdS2sPRffTnlumEO4kqy07FsWF13RQN0PGBLsFcg1xyb1w 9+WI5CcIngP8FKgFh+YFe0kslO9BMV+xzD9WrVCpqWSZiP2SPnDzpzggHXPSGINiAeYo VsBw==
X-Gm-Message-State: AOAM530/5IMBvhzZGOpwMl9ogqKxCCquBL60/M6O6DjANBkOiEho7cyQ +BH/DBgBsEYmDFjWnP48bAhb8IhbLiTp8w==
X-Google-Smtp-Source: ABdhPJyWzUbjTWO4doSt12n2UcFkhFMLqmG2gnOs1njsFoHqGjnCDiyT46z7ka0oyVGcyw7PZQ0+Yw==
X-Received: by 2002:a37:8747:: with SMTP id j68mr27297559qkd.165.1629815817453; Tue, 24 Aug 2021 07:36:57 -0700 (PDT)
Received: from horizon.localdomain ([177.220.172.97]) by smtp.gmail.com with ESMTPSA id u27sm11114774qku.9.2021.08.24.07.36.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Aug 2021 07:36:57 -0700 (PDT)
Received: by horizon.localdomain (Postfix, from userid 1000) id B84A3C3B2F; Tue, 24 Aug 2021 11:36:54 -0300 (-03)
Date: Tue, 24 Aug 2021 11:36:54 -0300
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: Michael Tuexen <michael.tuexen@lurchi.franken.de>
Cc: 一念之后★だ <zhouming948@foxmail.com>, gorry <gorry@erg.abdn.ac.uk>, tsvwg <tsvwg@ietf.org>, draft-ietf-tsvwg-2960bis <draft-ietf-tsvwg-2960bis@ietf.org>
Message-ID: <YSUEBmWHpx6srF6V@horizon.localdomain>
References: <tencent_020235B85610F75C84CBD32D777C04FEE00A@qq.com> <C6464D19-93F8-4A7C-B0E6-55ED35ACDA72@lurchi.franken.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <C6464D19-93F8-4A7C-B0E6-55ED35ACDA72@lurchi.franken.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/S9Rh8ZKmXY_u-SYAJedTjevckTQ>
Subject: Re: [tsvwg] Some unclear points about rfc4960 (SCTP).
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Aug 2021 14:37:37 -0000

Hi,

Thanks Michael for the ping.

I tried to catch up with the thread here but I'm very confused. Can
somebody do a write up on the issue please? :-)

Thanks,
Marcelo

On Tue, Aug 24, 2021 at 01:50:53PM +0200, Michael Tuexen wrote:
> > On 22. Aug 2021, at 06:13, 一念之后★だ <zhouming948@foxmail.com> wrote:
> > 
> > HI,
> > I am sorry for late reply. I combined the reply for several emails: 
> > 
> > Which version of the Linux kernel are you using (what is the output of uname -a)?
> > 
> > Zhouming: I test ubuntu16.04 LTS and ubuntu20.04 LTS, they both have these problems.
> > 
> >  uname -a
> > 
> > 
> > Linux ubuntu 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
> > 
> > # uname -a
> > 
> > Linux ubuntu 5.11.0-27-generic #29~20.04.1-Ubuntu SMP Wed Aug 11 15:58:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> > 
> > NCAT version:   Ncat: Version 7.80 ( https://nmap.org/ncat )
> > 
> > 
> > 
> > ---------------
> > 
> > I agree that the your attached .pcap file indicates that the implementation used has the bug you are describing. I used packetdrill (from https://github.com/nplab/packetdrill) with the  attached script on a 5.11 kernel, and the attached script passes, which means that that stack does not have the problem. I'm also attaching the corresponding .pcapng file.
> > 
> > So it seems that this bug was fixed recently in Linux, or am I missing something?
> > 
> > Zhouming:  I checked the source code of 5.11 kernel, and find nothing fix about the problems we discussed. I guess maybe you missed something, I have no idea if packetdrill is suitable for this test.
> OK, I spend some more time and now figured out what is going on:
> 
> * The linux kernel implementation handles the reception of an INIT chunk with 
>   (1) initiate tag = 0
>   (2) os = 0
>   (3) mis = 0
>   (4) partial chunk (chunk length >= 20, but but not enough bytes in the packet)
>   (5) missing mandatory parameters (chunk length < 20, number of bytes in the packet as described by chunk length)
>   in state ESTABLSHED in the same way:
>   (a) It does not affect the state of the association at the endpoint receiving the INIT chunk
>   (b) It sends out a packet with an ABORT chunk. The verification tag of this packet it the verification
>       tag expected by the peer.
> 
> * packetdrill was not verifying the verification tag used in the outgoing packets containing the ABORT
>   chunks. This is fixed now in packetdrill.
> 
> So I can confirm that Linux has a bug. It should not send a packet
> containing an ABORT chunk when condition (1) is true. When sending a
> packet containing an ABORT chunk because it received an INIT chunk
> with (2), (3), (4), or (5), it should use the initiate tag of the
> received INIT chunk. If that is not possible, no ABORT should be
> sent.
> 
> I guess we agree now on the current state of the Linux
> implementation. Sorry for not seeing this initially, since I was
> only focussing on the endpoint receiving the INIT chunk and was
> happy that it stays in ESTABLISHED.  I'm also attaching a .pcapng
> file showing (4) and (5).
> > 
> > 
> > 
> > ---------------
> > 
> > > This has already been clarified in draft-ietf-tsvwg-rfc4960-bis-13.
> > >
> > > It states now:
> > > <t>If the value of the Initiate Tag in a received INIT chunk is found to be 0,
> > > the receiver MUST treat it as an error and silently discard the packet.</t>
> > >
> > > For OS = 0 or MIS = 0, the INIT chunk MUST be dropped and an ABORT chunk
> > > SHOULD be sent. So the next revision will contain:
> > >
> > > <t>A receiver of an INIT chunk with the OS value set to 0 MUST discard the
> > > packet and SHOULD send a packet in response containing an ABORT chunk and using
> > > the Initiate Tag as the Verification Tag.
> > > Any existing association MUST NOT be affected.</t>
> > >
> > > <t>A receiver of an INIT chunk with the MIS value set to 0 MUST discard the
> > > packet and SHOULD send a packet in response containing an ABORT chunk and using
> > > the Initiate Tag as the Verification Tag.
> > > Any existing association MUST NOT be affected.</t>
> > >
> > > I guess this makes the description for the INIT chunk crystal clear.
> > 
> > Zhouming:  situation(2) is missing in draft-ietf-tsvwg-rfc4960-bis-13 or it no need to be clarified  ??    I have test this, an init msg with mandatory parameters not fully carried can also trigger an Abort msg to release the association.
> I agree that there is a problem in the Linux implementation.
> 
> I changed the text in Section 5.1 from
> 
> OLD:
> The Verification Tag field in the common header of the outbound SCTP packet containing the
> ABORT chunk MUST be set to the Initiate Tag value of the peer.
> 
> NEW:
> The Verification Tag field in the common header of the outbound SCTP packet
> containing the ABORT chunk MUST be set to the Initiate Tag value of the
> received INIT or INIT ACK chunk this ABORT chunk is responding to.</t>
> 
> I guess the makes things clearer.
> > 
> > ---
> > 
> > As can be seen from the above description, when an init message or init ACK message is received,
> > 
> > (1)If the init tag in the message is 0, the association must be released
> > 
> > (2)If the mandatory parameters in the message are not fully carried, the association must be released
> > 
> > 
> > (3)When the OS value or MIS value in the message is 0, it is strongly recommended to release this association
> > 
> > 
> > 
> > >> Unfortunately, the SCTP implementation of Linux will be affected by the attacks described above, such as the open source lksctp.
> > > Have you reported that issue? If not, I can let them know.
> > 
> > Zhouming:  I still do not report this issue to them, I think I need disscuss it with you first, so you can let them know about it.
> OK. I think we agree now on the state? Please CC me on the mail you send to lksctp mailing
> list, I can provide a packetdrill script.
> > 
> > -------------
> > 
> > > Please let me know how to write your name in ASCII to give you credit.
> > 
> > Zhouming:  Thanks very much,  it's a great honor,my English name is Zhouming.
> OK, thank you. I have added your name to the acknowledgement section of RFC 4960bis.
> 
> Best regards
> Michael
> 


> 
> > 
> > 
> > 
> > ------------------ 原始邮件 ------------------
> > 发件人: "Michael Tuexen" <michael.tuexen@lurchi.franken.de>;
> > 发送时间: 2021年8月21日(星期六) 上午6:03
> > 收件人: "一念之后★だ"<zhouming948@foxmail.com>;
> > 抄送: "tsvwg"<tsvwg@ietf.org>;"draft-ietf-tsvwg-2960bis"<draft-ietf-tsvwg-2960bis@ietf.org>;
> > 主题: Re: [tsvwg] Some unclear points about rfc4960 (SCTP).
> > 
> > > On 18. Aug 2021, at 18:46, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
> > > 
> > >> On 17. Aug 2021, at 18:56, 一念之后★だ <zhouming948@foxmail.com> wrote:
> > >> 
> > >> Dear IETF experts,
> > >> 
> > >> I read rfc4960 (SCTP) and felt that there were some unclear descriptions in the document. I hope to get your reply, so I wrote this email to you. And I think it's better to describe these more clearly in the subsequent version of the RFC.
> > >> The following description describes some scenarios requiring abort Association in rfc4960:
> > >> Page25
> > >> 
> > >> 
> > >> <8BD7343D@5C03830D.45EA1B61.png.jpg>
> > >> 
> > >> Page26
> > >> <35034230@AD73F10A.45EA1B61.png.jpg>
> > >> 
> > >> Page30
> > >> <30040808@E72FC146.45EA1B61.png.jpg>
> > >> 
> > >> Page31
> > >> <3B65D2C9@0ACE147B.45EA1B61.png.jpg>
> > >> 
> > >> Page56
> > >> <8E3B5E0D@11868C69.45EA1B61.png.jpg>
> > >> 
> > >> As can be seen from the above description, when an init message or init ACK message is received,
> > >> (1)If the init tag in the message is 0, the association must be released
> > >> (2)If the mandatory parameters in the message are not fully carried, the association must be released
> > >> (3)When the OS value or MIS value in the message is 0, it is strongly recommended to release this association
> > > You are correct, using an initiate tag of 0 or limit the number of streams to 0 is not allowed.
> > > 
> > > Please note the in the case of an initiate tag of 0 in an INIT chunk, you can't send an ABORT
> > > since you have no tag different from 0 you could use as the verification tag.
> > > This has already been clarified in draft-ietf-tsvwg-rfc4960-bis-13.
> > > 
> > > It states now:
> > > <t>If the value of the Initiate Tag in a received INIT chunk is found to be 0,
> > > the receiver MUST treat it as an error and silently discard the packet.</t>
> > > 
> > > For OS = 0 or MIS = 0, the INIT chunk MUST be dropped and an ABORT chunk
> > > SHOULD be sent. So the next revision will contain:
> > > 
> > > <t>A receiver of an INIT chunk with the OS value set to 0 MUST discard the
> > > packet and SHOULD send a packet in response containing an ABORT chunk and using
> > > the Initiate Tag as the Verification Tag.
> > > Any existing association MUST NOT be affected.</t>
> > > 
> > > <t>A receiver of an INIT chunk with the MIS value set to 0 MUST discard the
> > > packet and SHOULD send a packet in response containing an ABORT chunk and using
> > > the Initiate Tag as the Verification Tag.
> > > Any existing association MUST NOT be affected.</t>
> > > 
> > > I guess this makes the description for the INIT chunk crystal clear.
> > > 
> > > The situation for the INIT-ACK is different. The INIT-ACK is only processed, if
> > > the verification tag in the common header was correct. In this case it is OK
> > > to destroy the association. A potential attacker has to guess the 32-bit
> > > verification tag and if the attacker can do this, the attacker can send a
> > > packet containing an ABORT chunk.
> > > However, the consistency of the text can be improved.
> > Here are the suggested changes to improve the consistency of the handling
> > of illegal parameters in the INIT ACK chunk:
> > 
> > For the Initiate Tag:
> > <t>If an endpoint in the COOKIE-WAIT state receives an INIT ACK chunk with the
> > Initiate Tag set to 0, it MUST destroy the TCB and SHOULD send an ABORT chunk
> > with the T bit set.
> > If such an INIT-ACK chunk is received in any state other than CLOSED or
> > COOKIE-WAIT, it SHOULD be discarded silently
> > (see <xref target='sec_unexpected_init_ack'/>).</t>
> > 
> > 
> > For OS:
> > <t>If an endpoint in the COOKIE-WAIT state receives an INIT ACK chunk with the
> > OS value set to 0, it MUST destroy the TCB and SHOULD send an ABORT chunk.
> > If such an INIT-ACK chunk is received in any state other than CLOSED or
> > COOKIE-WAIT, it SHOULD be discarded silently
> > (see <xref target='sec_unexpected_init_ack'/>).</t>
> > 
> > For MIS:
> > <t>If an endpoint in the COOKIE-WAIT state receives an INIT ACK chunk with the
> > MIS value set to 0, it MUST destroy the TCB and SHOULD send an ABORT chunk.
> > If such an INIT-ACK chunk is received in any state other than CLOSED or
> > COOKIE-WAIT, it SHOULD be discarded silently
> > (see <xref target='sec_unexpected_init_ack'/>).</t>
> > 
> > Best regards
> > Michael
> > >> 
> > >> The following description also shows that there can only be one SCTP association between two SCTP endpoints at any time:
> > >> <0096CA66@4B725944.45EA1B61.png.jpg>
> > >> 
> > >> 
> > >> Because init messages can be forged arbitrarily, take the scenario where the initial tag in init message is 0 as an example.
> > >> In this scenario, a malicious attacker can destroy other associations at a very low cost:
> > >> <5E5A32BF@B01FE933.45EA1B61.png.jpg>
> > >> 
> > >> For the other two scenarios, i.e. init message with missing mandatory parameters or init message with OS value / MIS value of 0, the effect may be similar.
> > >> I think from the original intention of the protocol design, these error scenarios should be handled according to the following. However, the RFC does not specify how to deal with the established association endpoint when receiving this wrong init (or init ACK) message, and whether the corresponding association should still be removed.
> > > I agree. I think the suggested changes above make this crystal clear.
> > >> <FE060690@88C75D15.45EA1B61.png.jpg>
> > >> 
> > >> Unfortunately, the SCTP implementation of Linux will be affected by the attacks described above, such as the open source lksctp.
> > > Have you reported that issue? If not, I can let them know.
> > >> I hope to receive your reply to clarify the above unclear areas.
> > >> Thank you very much.
> > > Thank you very mich for reporting the issue.
> > >> 
> > >> Yours faithfully!
> > >> Zhouming.
> > > Please let me know how to write your name in ASCII to give you credit.
> > > 
> > > Best regards
> > > Michael
> > > 
> > 
>

v2.23.0 | Report a Bug | By Email