Improving TCP's Robustness to Blind In-Window Attacks
draft-ietf-tcpm-tcpsecure-13
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22 | 13 | (System) | post-migration administrative database adjustment to the No Record position for Cullen Jennings |
2012-08-22 | 13 | (System) | post-migration administrative database adjustment to the Yes position for Lars Eggert |
2010-05-18 | 13 | Cindy Morgan | State Changes to RFC Ed Queue from Approved-announcement sent by Cindy Morgan |
2010-05-18 | 13 | (System) | IANA Action state changed to No IC from In Progress |
2010-05-18 | 13 | (System) | IANA Action state changed to In Progress |
2010-05-18 | 13 | Amy Vezza | IESG state changed to Approved-announcement sent |
2010-05-18 | 13 | Amy Vezza | IESG has approved the document |
2010-05-18 | 13 | Amy Vezza | Closed "Approve" ballot |
2010-05-18 | 13 | Gonzalo Camarillo | [Ballot Position Update] New position, No Objection, has been recorded by Gonzalo Camarillo |
2010-05-13 | 13 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu |
2010-05-04 | 13 | Lars Eggert | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Lars Eggert |
2010-05-04 | 13 | Lars Eggert | [Ballot Position Update] Position for Lars Eggert has been changed to Yes from Discuss by Lars Eggert |
2010-05-04 | 13 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2010-05-04 | 13 | (System) | New version available: draft-ietf-tcpm-tcpsecure-13.txt |
2010-03-24 | 13 | Cullen Jennings | [Ballot Position Update] Position for Cullen Jennings has been changed to Undefined from Discuss by Cullen Jennings |
2009-10-12 | 13 | Lars Eggert | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation::AD Followup by Lars Eggert |
2009-10-12 | 13 | Lars Eggert | Needs a rev to remove the 793 update and to address Cullen's discuss. |
2009-10-09 | 13 | (System) | Removed from agenda for telechat - 2009-10-08 |
2009-10-08 | 13 | Cindy Morgan | State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Cindy Morgan |
2009-10-08 | 13 | (System) | [Ballot Position Update] New position, No Objection, has been recorded for Lisa Dusseault by IESG Secretary |
2009-10-08 | 13 | Cullen Jennings | [Ballot discuss] I have a question about the applicability of this that I'd like to understand the answer to before trying to answer the "updates" question Lars raised. Imagine we have a client C, talking from the "inside" of a firewall that tracks TCP state, to a server S on the "outside" of the firewall. If C sends a RST, the firewall forwards it and clears state, but when the RST arrives at S, the reset seq # is within the window but not exact. S sends an ACK, but (this is my question) will the firewall forward the ACK to C or just silently drop it? I know some firewalls might have the timers to forward traffic for some time after the RST, but do they all, and is it long enough? Is there something I am just not understanding here that would cause this to work? I'm worried that servers with lots of clients connecting to them not being able to recover TCP connections in a timely manner might cause more harm than attacks that tear down TCP connections. ----------- We talked about these issues on the IESG call and I'd like to propose the following plan: 1) Update the middle-box section to explain there are some cases with some existing firewalls/NATs that cause the ACK approach to not work. 2) In the applicability section, add a bit that says when a server should not do this. I would suggest something along the lines of: some servers that are not severely impacted by an attacker closing a connection, and where the number of connections requires rapid clean-up of state. So certainly a BGP should do this, but a server such as some web servers, where state of TCP connections is an issue and an attacker killing a connection is not a big deal as it will just be redone, and it is often hard to guess the source port. Would a plan along these lines be acceptable for folks? |
2009-10-08 | 13 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2009-10-08 | 13 | Tim Polk | [Ballot Position Update] New position, No Objection, has been recorded by Tim Polk |
2009-10-08 | 13 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded by Adrian Farrel |
2009-10-07 | 13 | Cullen Jennings | [Ballot discuss] I have a question about the applicability of this that I'd like to understand the answer to before trying to answer the "updates" question Lars raised. Imagine we have a client C, talking from the "inside" of a firewall that tracks TCP state, to a server S on the "outside" of the firewall. If C sends a RST, the firewall forwards it and clears state, but when the RST arrives at S, the reset seq # is within the window but not exact. S sends an ACK, but (this is my question) will the firewall forward the ACK to C or just silently drop it? I know some firewalls might have the timers to forward traffic for some time after the RST, but do they all, and is it long enough? Is there something I am just not understanding here that would cause this to work? I'm worried that servers with lots of clients connecting to them not being able to recover TCP connections in a timely manner might cause more harm than attacks that tear down TCP connections. This is a Discuss because I want to talk to the IESG & authors about it before deciding an opinion on this draft. Thanks, Cullen |
2009-10-07 | 13 | Cullen Jennings | [Ballot Position Update] New position, Discuss, has been recorded by Cullen Jennings |
2009-10-07 | 13 | Robert Sparks | [Ballot Position Update] New position, No Objection, has been recorded by Robert Sparks |
2009-10-07 | 13 | Alexey Melnikov | [Ballot Position Update] New position, No Objection, has been recorded by Alexey Melnikov |
2009-10-07 | 13 | Ralph Droms | [Ballot comment] This document is well written and clearly explains, without needing to flip back to RFC 793 and other docs, the attacks and the mitigations. Whether or not this document updates RFC 793 depends, in my mind, on the meaning of SHOULD in text like this snippet from section 4.2: "Instead, the handling of the SYN in the synchronized state SHOULD be performed as follows: 1) If the SYN bit is set, irrespective of the sequence number, TCP MUST send an ACK (also referred to as challenge ACK) to the remote peer: After sending the acknowledgment, TCP MUST drop the unacceptable segment and stop processing further." Does the SHOULD imply a change in TCP as defined by RFC 793, or does it apply in the sense of "if the stack implements the mitigations described in this document, the handling of SYN ..."? I infer from this text in the "Applicability Statement" (section 1.1) that the RFC 2119 text is all conditional on "if the stack implements these mitigations": "The mitigations suggested in this draft SHOULD be implemented in devices that regularly need to maintain TCP connections of the kind most vulnerable to the attacks described in this document." While this may seem like an editorial nit, I think the doc would be clarified and the issue of updating RFC 793 resolved with an explicit statement about the RFC 2119 text in the Terminology section. --- In section 5.1, what is the "ACK value of [a] data segment"? --- This text at the beginning of section 5.2 doesn't seem to appear anywhere in sections 3 or 4: "5.2. Mitigation: All TCP stacks MAY implement the following mitigation." Is there something different about the mitigation in section 5 that is different from the other mitigations? I see section 6 clarifies the issue I was getting at: "6. Suggested Mitigation strengths: As described in the above sections, recommendation levels for RST, SYN and DATA are tagged as SHOULD, SHOULD and MAY respectively." At the risk of fussiness over an editorial nit, I suggest a clear sentence at the beginning of sections 3.2 and 4.2 like the one in section 5.2 explicitly describing the recommendation levels for those mitigations. |
2009-10-07 | 13 | Ralph Droms | [Ballot Position Update] New position, No Objection, has been recorded by Ralph Droms |
2009-10-06 | 13 | Ron Bonica | [Ballot comment] I don't think that UPDATES is required because an implementer can produce a perfectly compliant implementation without ever reading this document. |
2009-10-06 | 13 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica |
2009-10-06 | 13 | Pasi Eronen | [Ballot Position Update] New position, No Objection, has been recorded by Pasi Eronen |
2009-10-06 | 13 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley |
2009-09-25 | 13 | Lars Eggert | Placed on agenda for telechat - 2009-10-08 by Lars Eggert |
2009-09-25 | 13 | Lars Eggert | State Changes to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup by Lars Eggert |
2009-09-14 | 13 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2009-09-14 | 12 | (System) | New version available: draft-ietf-tcpm-tcpsecure-12.txt |
2009-04-30 | 13 | Lars Eggert | Removed from agenda for telechat - 2009-05-07 by Lars Eggert |
2009-04-24 | 13 | Samuel Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Sandra Murphy. |
2009-04-17 | 13 | Lars Eggert | Telechat date was changed to 2009-05-07 from 2009-04-23 by Lars Eggert |
2009-04-16 | 13 | Lars Eggert | State Changes to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead by Lars Eggert |
2009-04-16 | 13 | Lars Eggert | LC comments need to be addressed (gen-art + Fernando's) |
2009-04-16 | 13 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2009-04-03 | 13 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Sandra Murphy |
2009-04-03 | 13 | Amanda Baber | IANA comments: As described in the IANA Considerations section, we understand this document to have NO IANA Actions. |
2009-04-02 | 13 | Lars Eggert | [Ballot discuss] [I am adding this so we don't forget to discuss it - Lars] This document has: "Updates: 793 (if approved)". There was a lot of discussion about this in the WG. The authors want it in, because they want implementors of 793 to also look at this document. The arguments against having this in the header relate to the fact that currently only one RFC has "Updates: 793" in its header: RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". In addition, this is an optional RFC; this is not a new requirement for RFC 793/1122 implementations. You may see the discussion in the TCPM mailing list, with the subject: [tcpm] another review of draft-ietf-tcpm-tcpsecure[-10]. As a WG chair, on the mailing list I stated: Wes and I discussed this, and we agree with Lars. "Updates" is generally for things that are now required if you implement the cited spec. Tcpsecure doesn't fit that criterion, so the "Updates 793" doesn't belong on this document. As Lars said, this is less than perfect, but it is what we currently have. The larger issue is what does "Updates:" mean in an RFC, and what should be the criteria for making that decision? We (the WG chairs) felt that we were getting into a discussion that was well outside of the scope of the TCPM WG. So, we would like the IESG to voice an opinion on whether or not it would be appropriate to add "Updates: 793" to this document. If the answer is yes, then there are other draft documents in the works that this would probably affect. |
2009-04-02 | 13 | Lars Eggert | [Ballot Position Update] Position for Lars Eggert has been changed to Discuss from Yes by Lars Eggert |
2009-04-02 | 13 | Amy Vezza | Last call sent |
2009-04-02 | 13 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2009-04-02 | 13 | Lars Eggert | [Ballot Position Update] New position, Yes, has been recorded for Lars Eggert |
2009-04-02 | 13 | Lars Eggert | Ballot has been issued by Lars Eggert |
2009-04-02 | 13 | Lars Eggert | Created "Approve" ballot |
2009-04-02 | 13 | Lars Eggert | Placed on agenda for telechat - 2009-04-23 by Lars Eggert |
2009-04-02 | 13 | Lars Eggert | State Changes to Last Call Requested from AD Evaluation by Lars Eggert |
2009-04-02 | 13 | Lars Eggert | Last Call was requested by Lars Eggert |
2009-04-02 | 13 | (System) | Ballot writeup text was added |
2009-04-02 | 13 | (System) | Last call text was added |
2009-04-02 | 13 | (System) | Ballot approval text was added |
2009-04-02 | 13 | Lars Eggert | [Note]: 'IESG: Please read the Document Shepherd Writeup, we need to discuss the "Updates: 793" issue.' added by Lars Eggert |
2009-04-02 | 13 | Lars Eggert | State Change Notice email list have been change to tcpm-chairs@tools.ietf.org, draft-ietf-tcpm-tcpsecure@tools.ietf.org from tcpm-chairs@tools.ietf.org |
2009-04-02 | 13 | Lars Eggert | State Changes to AD Evaluation from Publication Requested by Lars Eggert |
2009-03-31 | 13 | Cindy Morgan | State Changes to Publication Requested from AD is watching by Cindy Morgan |
2009-03-31 | 13 | Cindy Morgan | > (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? David Borman (david.borman@windriver.com) (TCPM co-chair) is the shepherd. I have read the document and believe it is ready for publication. > (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? This document has been around for many years. It has been publicly reviewed by many participants in the TCPM WG. The shepherd does not have any concerns with it. > (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization or XML? No concerns. > (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. This document has: "Updates: 793 (if approved)". There was a lot of discussion about this in the WG. The authors want it in, because they want implementors of 793 to also look at this document. The arguments against having this in the header relate to the fact that currently only one RFC has "Updates: 793" in its header: RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". In addition, this is an optional RFC; this is not a new requirement for RFC 793/1122 implementations. You may see the discussion in the TCPM mailing list, with the subject: [tcpm] another review of draft-ietf-tcpm-tcpsecure[-10]. As a WG chair, on the mailing list I stated: Wes and I discussed this, and we agree with Lars. "Updates" is generally for things that are now required if you implement the cited spec. Tcpsecure doesn't fit that criterion, so the "Updates 793" doesn't belong on this document. As Lars said, this is less than perfect, but it is what we currently have. The larger issue is what does "Updates:" mean in an RFC, and what should be the criteria for making that decision? We (the WG chairs) felt that we were getting into a discussion that was well outside of the scope of the TCPM WG. So, we would like the IESG to voice an opinion on whether or not it would be appropriate to add "Updates: 793" to this document. If the answer is yes, then there are other draft documents in the works that this would probably affect. In addition, this document has IPR issues from Cisco, which is one of the reasons why this document is strictly optional. > (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? This document has been through many revisions, with a smaller group of individuals who have done the bulk of the discussion. It has been discussed at multiple IETF meetings. A lot of the controversy was in the classification of this document. The Applicability Statement in the document is the consensus of the WG: it SHOULD be implemented by devices that are subject to these kinds of attacks (those that have long-lived TCP connections with well-known src/dst ports), and MAY be implemented in other cases. Within the document there are three mitigation strategies, and the consensus of the WG was that these are SHOULD, SHOULD and MAY. > (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) We are aware of no reasons this document would be appealed or anyone who is unhappy with it. > (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews? The current document was submitted in November 2008, and as such it does not have the new boilerplate. There is a warning about a FQDN in the document, but this is just text that looks like a FQDN but isn't (MAX.SND.WND). This document does not need MIB or URI reviews. > (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. The references have been split into 'normative' and 'non-normative'. The normative references are all published RFCs. There is one Informative Reference to an ID. > (1.i) Has the Document Shepherd verified that the document IANA consideration section exists and is consistent with the body of the document? If the document specifies protocol extensions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC2434]. If the document describes an Expert Review process, has the Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during the IESG Evaluation? The document has an IANA considerations section, and there are no IANA considerations. > (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? N/A > (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: > Technical Summary: Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction. > Working Group Summary: Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? > Document Quality: Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? Technical Summary: This document examines the fact that long-term TCP connections that have well-known source and destination addresses are vulnerable to attack by the injection of bogus RST, SYN or data packets by guessing sequence numbers that fall into the current window of the connection. It provides three mitigation strategies that can be used to reduce the chance that an attacker can be successful with these spoofed segments. Working Group Summary: The working group saw that there was a fair amount of experience with these mitigation strategies; two of them are very simple, and one is a bit more involved. The WG felt that this document is a SHOULD for devices that are susceptible to these types of attacks, and a MAY for other implementations. These changes are not needed for correct TCP operation, but reduce the chance that a spoofed packet will be accepted as valid. Document Quality: The document was reviewed for quality by a fair number of TCPM WG members. There already exist several implementations of these strategies, and there are not any known interoperability issues with TCP implementations that do not have these changes. |
2008-11-02 | 11 | (System) | New version available: draft-ietf-tcpm-tcpsecure-11.txt |
2008-07-09 | 10 | (System) | New version available: draft-ietf-tcpm-tcpsecure-10.txt |
2008-01-08 | 09 | (System) | New version available: draft-ietf-tcpm-tcpsecure-09.txt |
2007-07-10 | 08 | (System) | New version available: draft-ietf-tcpm-tcpsecure-08.txt |
2007-02-23 | 07 | (System) | New version available: draft-ietf-tcpm-tcpsecure-07.txt |
2006-11-09 | 06 | (System) | New version available: draft-ietf-tcpm-tcpsecure-06.txt |
2006-06-16 | 05 | (System) | New version available: draft-ietf-tcpm-tcpsecure-05.txt |
2006-03-20 | 13 | Lars Eggert | Shepherding AD has been changed to Lars Eggert from Allison Mankin |
2006-03-19 | 13 | Lars Eggert | Draft Added by Lars Eggert in state AD is watching |
2006-02-15 | 04 | (System) | New version available: draft-ietf-tcpm-tcpsecure-04.txt |
2005-05-18 | 03 | (System) | New version available: draft-ietf-tcpm-tcpsecure-03.txt |
2004-11-23 | 02 | (System) | New version available: draft-ietf-tcpm-tcpsecure-02.txt |
2004-06-10 | 01 | (System) | New version available: draft-ietf-tcpm-tcpsecure-01.txt |
2004-05-17 | | (System) | Posted related IPR disclosure: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure |
2004-04-20 | 00 | (System) | New version available: draft-ietf-tcpm-tcpsecure-00.txt |