IETF Logo Mail Archive

Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)

Joe Touch <touch@ISI.EDU> Thu, 28 May 2009 18:19 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE66C28C2ED for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 11:19:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[AWL=-0.189, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0MCn1Mj4q49i for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 11:19:25 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) by core3.amsl.com (Postfix) with ESMTP id F18E328C31F for <tsvwg@ietf.org>; Thu, 28 May 2009 11:18:06 -0700 (PDT)
Received: from [128.9.168.63] (bet.isi.edu [128.9.168.63]) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id n4SIIDGE005318; Thu, 28 May 2009 11:18:14 -0700 (PDT)
Message-ID: <4A1ED565.9040404@isi.edu>
Date: Thu, 28 May 2009 11:18:13 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Michael Tüxen <Michael.Tuexen@lurchi.franken.de>
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu> <9F71CBFA-9E70-4CD4-B60D-D15F45842739@lakerest.net> <4A1EA9AE.7000309@isi.edu> <D49426F5-E25E-4C7F-A38D-966C9CD834E2@lakerest.net> <4A1EAE47.2090006@isi.edu> <28B33EA8-A171-4453-A5B8-271B05EB5A00@lakerest.net> <EE7BF7C0-E589-4769-AEAB-5C278CFA269B@lurchi.franken.de>
In-Reply-To: <EE7BF7C0-E589-4769-AEAB-5C278CFA269B@lurchi.franken.de>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-MailScanner-ID: n4SIIDGE005318
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tsvwg <tsvwg@ietf.org>, "Anantha Ramaiah (ananth)" <ananth@cisco.com>, mallman@icir.org, Fernando Gont <fernando@gont.com.ar>, Randy Stewart <randall@lakerest.net>, "James Polk (jmpolk)" <jmpolk@cisco.com>
Subject: Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 18:19:26 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Michael Tüxen wrote:
> Hi Joe,
> 
> just a clarification:
> 
> * timewait for vtags is currently no described in
>   any SCTP specification.
> * the need for this kind of feature came up
>   several times.
> * Randall describes what is used implemented in
>   FreeBSD and it does take the port number pair
>   into account.
> * Since an SCTP endpoint can have multiple addresses
>   and these addresses can change over time, addresses
>   are not considered in the FreeBSD implementation.
> 
> Looking at the discussion, I think we need to write
> up an ID describing this stuff. This would also clarify
> things for other implementations which do not have
> this kind of stuff at all.

Sure - I'd be glad to assist...(NB to the chairs/ADs: yes, only after
TCP-AO is revised, which is coming shortly).

Joe

> On May 28, 2009, at 5:45 PM, Randy Stewart wrote:
> 
>>
>> On May 28, 2009, at 11:31 AM, Joe Touch wrote:
>>
> 
> 
> Randy Stewart wrote:
>>>>>
>>>>> On May 28, 2009, at 11:11 AM, Joe Touch wrote:
>>>>>
>>>>>
>>>>>
>>>>> Randy Stewart wrote:
>>>>>>>> Joe:
>>>>>>>>
>>>>>>>> In-line..
>>>>>>>>
>>>>>>>> ...
>>>>>>>>> Basically for BSD we take a v-tag used in a connection.. call it
>>>>>>>>> 'X', and
>>>>>>>>> we place just the tag 'X' into a "timed-wait" cache for 2MSL. There
>>>>>>>>> is no
>>>>>>>>> restriction on the socket here.. just the tag 'X' will not be used
>>>>>>>>> again
>>>>>>>>> with this socket.
>>>>>
>>>>> ...
>>>>>>>>> So basically the socket/port and peer socket/port is re-used
>>>>>>>>> right away
>>>>>>>>> with
>>>>>>>>> the restriction being that the vtag 'X' cannot be used.
>>>>>>>>
>>>>>>>>> Hope that clears up the issue  :-)
>>>>>
>>>>> Yes, but it also underscores my concern. What you did was basically:
>>>>>
>>>>>   - increase the space available to a single service from
>>>>>   a single IP address
>>>>>       going from TCP's 16 bits (max) of source port to
>>>>>       48 bits of source port + vtag
>>>>>
>>>>>   - *decrease* the space available for different
>>>>>   services from different IP addresses
>>>>>       going from TCP's 32 bits of address +
>>>>>       16 bits of source port + 16 bits of
>>>>>       dest port (64 bits) down to only 32
>>>>>
>>>>>> Joe:
>>>>>
>>>>>> I don't follow your meaning here..
>>>>>
>>>>>> I can have
>>>>>
>>>>>> IP-A Port-X Vtag-Y <---->
>>>>>> and
>>>>>> IP-A Port-Y Vtag=Y <---->
>>>>>
>>>>>> existing simultaneously... so I don't see how this decreased the
>>>>>> space for services from different IP addresses...
> 
> OK so there's two cases:
> 
>     1) the vtag is the unique thing held (NO OTHER STATE)
>     2) the vtag is held in the context of the socket pair
> 
> In 1), the vtag effectively is the connection ID.
> 
> In 2), the connection ID is the 5-tuple of
> [srcIP,srcport,dstIP,dstport,vtag]
> 
> In the case of 1), you decrease the space available for connections vs.
> TCP when you include connections from different machines and for
> different services.
> 
> In the case of 2), you increase the space available, and I don't have
> the concern raised above.
>>>
>>>
>>>
>>> Ok, I just went out and looked at the code (sometimes its good to
>>> refresh your memory ;-D)
>>>
>>> Basically the vtag cache holds:
>>>
>>> 1) Vtag
>>> 2) Source port
>>> 3) Destination port
>>> 4) A timestamp when the entry expires.
>>>
>>> This is all hashed on SrcPrt+DstPrt+Vtag-in-time-wait.
>>>
>>>
>>> So when I go to create a new association, I
>>>
>>> 1) Randomly generate a vtag e.g. R
>>> 2) Hash R+local-port+Peer-port
>>> 3) Use hash to look in vtag time wait block.
>>> 4) If found goto 1
>>>   else use vtag-R
>>>
>>>
>>> The IP addresses themselves are not saved in this. Could they be,
>>> sure, we just
>>> decided not to... since one would then have to have a "set" of IP
>>> addresses
>>> and a port on each side... and that seemed unneeded. Of course, as I
>>> said, most
>>> implementations have no timed-wait on anything.. which we in theory
>>> could do
>>> by setting the Time = 0... so they expire right away... But I don't think
>>> that is wise.
>>>
>>> It might even be wise to go back and expand the hash to include the IP
>>> addresses of the peer...
>>> since this simpler approach does limit the vtags somewhat... i.e. a
>>> peer connecting to
>>> a server from a same port could not use a vtag thats in time-wait...
>>> which is not
>>> strictly correct...
>>>
>>>
>>>
>>> R
>>>
> 
> 
> I am still a bit confused as to which case is true; you appeared to give
> two different responses.
> 
> Joe
>>>
>>
>> -----
>> Randall Stewart
>> randall@lakerest.net
>>
>>
>>
>>
>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKHtVlE5f5cImnZrsRAqHoAKDsl5HEu8HofMt/lctf7T56SGPE+gCcDEiF
ePu1FlP4Qywik8K04cjtm7A=
=SOzA
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email