
Improving TCP's Robustness to Blind In-Window Attacks
draft-ietf-tcpm-tcpsecure-13


Document history

Date Rev. By Action
2012-08-22
13 (System) post-migration administrative database adjustment to the No Record position for Cullen Jennings
2012-08-22
13 (System) post-migration administrative database adjustment to the Yes position for Lars Eggert
2010-05-18
13 Cindy Morgan State Changes to RFC Ed Queue from Approved-announcement sent by Cindy Morgan
2010-05-18
13 (System) IANA Action state changed to No IC from In Progress
2010-05-18
13 (System) IANA Action state changed to In Progress
2010-05-18
13 Amy Vezza IESG state changed to Approved-announcement sent
2010-05-18
13 Amy Vezza IESG has approved the document
2010-05-18
13 Amy Vezza Closed "Approve" ballot
2010-05-18
13 Gonzalo Camarillo [Ballot Position Update] New position, No Objection, has been recorded by Gonzalo Camarillo
2010-05-13
13 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu
2010-05-04
13 Lars Eggert State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Lars Eggert
2010-05-04
13 Lars Eggert [Ballot Position Update] Position for Lars Eggert has been changed to Yes from Discuss by Lars Eggert
2010-05-04
13 (System) Sub state has been changed to AD Follow up from New Id Needed
2010-05-04
13 (System) New version available: draft-ietf-tcpm-tcpsecure-13.txt
2010-03-24
13 Cullen Jennings [Ballot Position Update] Position for Cullen Jennings has been changed to Undefined from Discuss by Cullen Jennings
2009-10-12
13 Lars Eggert State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation::AD Followup by Lars Eggert
2009-10-12
13 Lars Eggert Needs a rev to remove the 793 update and to address Cullen's discuss.
2009-10-09
13 (System) Removed from agenda for telechat - 2009-10-08
2009-10-08
13 Cindy Morgan State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Cindy Morgan
2009-10-08
13 (System) [Ballot Position Update] New position, No Objection, has been recorded for Lisa Dusseault by IESG Secretary
2009-10-08
13 Cullen Jennings
[Ballot discuss]
I have a question about the applicability of this that I'd like to understand the answer to before trying to answer the "updates" question Lars raised. Imagine we have a client C, talking from the "inside" of a firewall that tracks TCP state, to a server S on the "outside" of the firewall. If C sends a RST, the firewall forwards it and clears state, but when the RST arrives at S, the reset seq # is within the window but not exact. S sends an ACK, but (this is my question), will the firewall forward the ACK to C or just silently drop it?

I know some firewalls might have the timers to forward traffic for some time after the RST, but do they all, and is it long enough? Is there something I am just not understanding here that would cause this to work? I'm worried that servers with lots of clients connecting to them not being able to recover TCP connections in a timely manner might cause more harm than attacks that tear down TCP connections.

-----------

We talked about these issues on the IESG call and I'd like to propose the following plan:

1) Update the middle-box section to explain there are some cases with some existing firewalls/NATs that cause the ACK approach to not work.

2) In the applicability section, add a bit that says when a server should not do this. I would suggest something along the lines of: some servers that are not severely impacted by an attacker closing a connection, and where the number of connections requires rapid cleanup of state. So certainly a BGP should do this, but a server such as some web servers, where the state of TCP connections is an issue and an attacker killing a connection is not a big deal as it will just be redone, and it is often hard to guess the source port.

Would a plan along these lines be acceptable for folks?
2009-10-08
13 Ross Callon [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon
2009-10-08
13 Tim Polk [Ballot Position Update] New position, No Objection, has been recorded by Tim Polk
2009-10-08
13 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded by Adrian Farrel
2009-10-07
13 Cullen Jennings
[Ballot discuss]
I have a question about the applicability of this that I'd like to understand the answer to before trying to answer the "updates" question Lars raised. Imagine we have a client C, talking from the "inside" of a firewall that tracks TCP state, to a server S on the "outside" of the firewall. If C sends a RST, the firewall forwards it and clears state, but when the RST arrives at S, the reset seq # is within the window but not exact. S sends an ACK, but (this is my question), will the firewall forward the ACK to C or just silently drop it?

I know some firewalls might have the timers to forward traffic for some time after the RST, but do they all, and is it long enough? Is there something I am just not understanding here that would cause this to work? I'm worried that servers with lots of clients connecting to them not being able to recover TCP connections in a timely manner might cause more harm than attacks that tear down TCP connections.

This is a Discuss because I want to talk to the IESG & authors about it before deciding an opinion on this draft.

Thanks, Cullen
2009-10-07
13 Cullen Jennings [Ballot Position Update] New position, Discuss, has been recorded by Cullen Jennings
2009-10-07
13 Robert Sparks [Ballot Position Update] New position, No Objection, has been recorded by Robert Sparks
2009-10-07
13 Alexey Melnikov [Ballot Position Update] New position, No Objection, has been recorded by Alexey Melnikov
2009-10-07
13 Ralph Droms
[Ballot comment]
This document is well written and clearly explains, without needing to flip back to RFC 793 and other docs, the attacks and the mitigations.

Whether or not this document updates RFC 793 depends, in my mind, on the meaning of SHOULD in text like this snippet from section 4.2:

  Instead, the handling of the SYN in the synchronized state SHOULD be
  performed as follows:

  1) If the SYN bit is set, irrespective of the sequence number, TCP
      MUST send an ACK (also referred to as challenge ACK) to the remote
      peer:
      After sending the acknowledgment, TCP MUST drop the unacceptable
      segment and stop processing further.

Does the SHOULD imply a change in TCP as defined by RFC 793, or does it apply in the sense of "if the stack implements the mitigations described in this document, the handling of SYN ..."?

I infer from this text in the "Applicability Statement" (section 1.1), that RFC 2119 text is all conditional on "if the stack implements these mitigations":

  The mitigations suggested in this draft
  SHOULD be implemented in devices that regularly need to maintain TCP
  connections of the kind most vulnerable to the attacks described in
  this document.

While this may seem like an editorial nit, I think the doc would be clarified and the issue of updating RFC 793 resolved with an explicit statement about the RFC 2119 text in the Terminology section.
---
In section 5.1, what is the "ACK value of [a] data segment"?
---
This text at the beginning of section 5.2 doesn't seem to appear anywhere in sections 3 or 4:

5.2.  Mitigation

  All TCP stacks MAY implement the following mitigation.

Is there something different about the mitigation in section 5 that is different from the other mitigations?

I see section 6 clarifies the issue I was getting at:

6.  Suggested Mitigation strengths

  As described in the above sections, recommendation levels for RST,
  SYN and DATA are tagged as SHOULD, SHOULD and MAY respectively.

At the risk of fussiness over an editorial nit, I suggest a clear sentence at the beginning of sections 3.2 and 4.2 like the one in section 5.2 explicitly describing the recommendation levels for those mitigations.
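The two scenarios discussed in the ballot positions above (a blind in-window RST guess, and Cullen's case of a real peer whose RST is in window but not exact, with a stateful firewall that may drop the challenge ACK) as an added Python model. This is illustrative code written for this page, not code from the draft, the datatracker, or any participant; the endpoint names, sequence numbers and window sizes are constructed, and only the RST and SYN handling quoted or described on this page is modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


@dataclass
class Segment:
    flags: str              # "RST", "SYN" or "ACK"
    seq: int
    ack: Optional[int] = None


@dataclass
class Endpoint:
    rcv_nxt: int            # next sequence number expected from the peer
    rcv_wnd: int            # current receive window
    snd_nxt: int            # next sequence number this side will send
    state: str = "ESTABLISHED"
    challenges_sent: int = 0


def in_window(seq: int, ep: Endpoint) -> bool:
    # RFC 793 acceptability test RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32.
    return (seq - ep.rcv_nxt) % MOD < ep.rcv_wnd


def challenge_ack(ep: Endpoint) -> Segment:
    # The challenge ACK carries our SND.NXT and RCV.NXT. A peer that really did reset
    # answers with a RST at exactly RCV.NXT; a blind spoofer never sees this segment.
    ep.challenges_sent += 1
    return Segment("ACK", ep.snd_nxt, ep.rcv_nxt)


def receive_rfc793(ep: Endpoint, seg: Segment) -> Optional[Segment]:
    """Pre-mitigation behaviour: any RST whose sequence number is in window aborts."""
    if ep.state == "ESTABLISHED" and seg.flags == "RST" and in_window(seg.seq, ep):
        ep.state = "CLOSED"
    return None


def receive_mitigated(ep: Endpoint, seg: Segment) -> Optional[Segment]:
    """RST/SYN handling with the draft's mitigations; returns a segment to send, if any."""
    if ep.state != "ESTABLISHED":
        return None
    if seg.flags == "SYN":
        # SYN in a synchronized state: challenge irrespective of the sequence number,
        # then drop the segment and stop processing it.
        return challenge_ack(ep)
    if seg.flags == "RST":
        if seg.seq == ep.rcv_nxt:
            ep.state = "CLOSED"         # exact match: accept the reset
        elif in_window(seg.seq, ep):
            return challenge_ack(ep)    # in window but not exact: challenge it
        # outside the window: silently drop
    return None


def closed_peer_reply(seg: Segment) -> Optional[Segment]:
    # RFC 793 behaviour of a side that has no connection: an incoming ACK is answered
    # with a RST whose sequence number is the ACK value, i.e. the challenger's RCV.NXT.
    return Segment("RST", seg.ack) if seg.flags == "ACK" else None


def spoofed_rst_scenario(guessed_seq: int) -> Tuple[str, str]:
    """State of an RFC 793 receiver and a mitigated receiver after one blind RST guess."""
    old = Endpoint(rcv_nxt=1000, rcv_wnd=65535, snd_nxt=5000)   # constructed values
    new = Endpoint(rcv_nxt=1000, rcv_wnd=65535, snd_nxt=5000)
    receive_rfc793(old, Segment("RST", guessed_seq))
    receive_mitigated(new, Segment("RST", guessed_seq))
    return old.state, new.state


def peer_reset_scenario(firewall_drops_ack: bool) -> str:
    """Cullen's case: C really resets, but its RST is in window and not exact at S."""
    s = Endpoint(rcv_nxt=1000, rcv_wnd=65535, snd_nxt=5000)     # constructed values
    reply = receive_mitigated(s, Segment("RST", 1300))           # challenged, not accepted
    if reply is None or firewall_drops_ack:
        return s.state   # a middlebox that cleared state on the RST never delivers the ACK
    receive_mitigated(s, closed_peer_reply(reply))               # C answers with exact RST
    return s.state
```

With the firewall modelled as dropping the challenge ACK, S stays ESTABLISHED after C's reset, which is the stuck half-open state the discuss is worried about.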
2009-10-07
13 Ralph Droms [Ballot Position Update] New position, No Objection, has been recorded by Ralph Droms
2009-10-06
13 Ron Bonica [Ballot comment]
I don't think that UPDATES is required because an implementer can produce a perfectly compliant implementation without ever reading this document.
2009-10-06
13 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica
2009-10-06
13 Pasi Eronen [Ballot Position Update] New position, No Objection, has been recorded by Pasi Eronen
2009-10-06
13 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley
2009-09-25
13 Lars Eggert Placed on agenda for telechat - 2009-10-08 by Lars Eggert
2009-09-25
13 Lars Eggert State Changes to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup by Lars Eggert
2009-09-14
13 (System) Sub state has been changed to AD Follow up from New Id Needed
2009-09-14
12 (System) New version available: draft-ietf-tcpm-tcpsecure-12.txt
2009-04-30
13 Lars Eggert Removed from agenda for telechat - 2009-05-07 by Lars Eggert
2009-04-24
13 Samuel Weiler Request for Last Call review by SECDIR Completed. Reviewer: Sandra Murphy.
2009-04-17
13 Lars Eggert Telechat date was changed to 2009-05-07 from 2009-04-23 by Lars Eggert
2009-04-16
13 Lars Eggert State Changes to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead by Lars Eggert
2009-04-16
13 Lars Eggert LC comments need to be addressed (gen-art + Fernando's)
2009-04-16
13 (System) State has been changed to Waiting for AD Go-Ahead from In Last Call by system
2009-04-03
13 Samuel Weiler Request for Last Call review by SECDIR is assigned to Sandra Murphy
2009-04-03
13 Samuel Weiler Request for Last Call review by SECDIR is assigned to Sandra Murphy
2009-04-03
13 Amanda Baber IANA comments:

As described in the IANA Considerations section, we understand
this document to have NO IANA Actions.
2009-04-02
13 Lars Eggert
[Ballot discuss]
[I am adding this so we don't forget to discuss it - Lars]

This document has:
"Updates: 793 (if approved)"

There was a lot of discussion about this in the WG.  The authors want
it in, because they want implementors of 793 to also look at this document.

The arguments against having this in the header relate to the fact
that currently only one RFC has "Updates: 793" in its header: RFC 3168,
"The Addition of Explicit Congestion Notification (ECN) to IP".  In
addition, this is an optional RFC, this is not a new requirement for
RFC 793/1122 implementations.  You may see the discussion in the
TCPM mailing list, with the subject:
[tcpm] another review of draft-ietf-tcpm-tcpsecure[-10]

As a WG chair, on the mailing list I stated:

  Wes and I discussed this, and we agree with Lars. "Updates" is
  generally for things that are now required if you implement the
  cited spec. Tcpsecure doesn't fit that criteria, so the "Updates 793"
  doesn't belong on this document. As Lars said, this is less than
  perfect, but it is what we currently have.

The larger issue is what does "Updates:" mean in an RFC, and what
should be the criteria for making that decision?  We (the WG chairs)
felt that we were getting into a discussion that was well outside
of the scope of the TCPM WG.

So, we would like the IESG to voice an opinion on whether or not
it would be appropriate to add "Updates: 793" to this document.  If
the answer is yes, then there are other draft documents in the works
that this would probably affect.
2009-04-02
13 Lars Eggert [Ballot Position Update] Position for Lars Eggert has been changed to Discuss from Yes by Lars Eggert
2009-04-02
13 Amy Vezza Last call sent
2009-04-02
13 Amy Vezza State Changes to In Last Call from Last Call Requested by Amy Vezza
2009-04-02
13 Lars Eggert [Ballot Position Update] New position, Yes, has been recorded for Lars Eggert
2009-04-02
13 Lars Eggert Ballot has been issued by Lars Eggert
2009-04-02
13 Lars Eggert Created "Approve" ballot
2009-04-02
13 Lars Eggert Placed on agenda for telechat - 2009-04-23 by Lars Eggert
2009-04-02
13 Lars Eggert State Changes to Last Call Requested from AD Evaluation by Lars Eggert
2009-04-02
13 Lars Eggert Last Call was requested by Lars Eggert
2009-04-02
13 (System) Ballot writeup text was added
2009-04-02
13 (System) Last call text was added
2009-04-02
13 (System) Ballot approval text was added
2009-04-02
13 Lars Eggert [Note]: 'IESG: Please read the Document Shepherd Writeup, we need to discuss the "Updates: 793" issue.' added by Lars Eggert
2009-04-02
13 Lars Eggert State Change Notice email list have been change to tcpm-chairs@tools.ietf.org, draft-ietf-tcpm-tcpsecure@tools.ietf.org from tcpm-chairs@tools.ietf.org
2009-04-02
13 Lars Eggert State Changes to AD Evaluation from Publication Requested by Lars Eggert
2009-03-31
13 Cindy Morgan State Changes to Publication Requested from AD is watching by Cindy Morgan
2009-03-31
13 Cindy Morgan
>    (1.a)  Who is the Document Shepherd for this document?  Has the
>          Document Shepherd personally reviewed this version of
>          the document and, in particular, does he or she believe
>          this version is ready for forwarding to the IESG for
>          publication?



David Borman (david.borman@windriver.com) (TCPM co-chair) is the shepherd.

I have read the document and believe it is ready for publication.



>    (1.b)  Has the document had adequate review both from key WG members
>          and from key non-WG members?  Does the Document Shepherd have
>          any concerns about the depth or breadth of the reviews that
>          have been performed?


This document has been around for many years.  It has been publicly
reviewed by many participants in the TCPM WG.  The shepherd does not
have any concerns with it.



>    (1.c)  Does the Document Shepherd have concerns that the document
>          needs more review from a particular or broader perspective,
>          e.g., security, operational complexity, someone familiar with
>          AAA, internationalization or XML?



No concerns.



>    (1.d)  Does the Document Shepherd have any specific concerns or
>          issues with this document that the Responsible Area Director
>          and/or the IESG should be aware of?  For example, perhaps he
>          or she is uncomfortable with certain parts of the document, or
>          has concerns whether there really is a need for it.  In any
>          event, if the WG has discussed those issues and has indicated
>          that it still wishes to advance the document, detail those
>          concerns here.  Has an IPR disclosure related to this document
>          been filed?  If so, please include a reference to the
>          disclosure and summarize the WG discussion and conclusion on
>          this issue.

This document has:
"Updates: 793 (if approved)"

There was a lot of discussion about this in the WG.  The authors want
it in, because they want implementors of 793 to also look at this document.

The arguments against having this in the header relate to the fact
that currently only one RFC has "Updates: 793" in its header: RFC 3168,
"The Addition of Explicit Congestion Notification (ECN) to IP".  In
addition, this is an optional RFC, this is not a new requirement for
RFC 793/1122 implementations.  You may see the discussion in the
TCPM mailing list, with the subject:
[tcpm] another review of draft-ietf-tcpm-tcpsecure[-10]

As a WG chair, on the mailing list I stated:

  Wes and I discussed this, and we agree with Lars. "Updates" is
  generally for things that are now required if you implement the
  cited spec. Tcpsecure doesn't fit that criteria, so the "Updates 793"
  doesn't belong on this document. As Lars said, this is less than
  perfect, but it is what we currently have.

The larger issue is what does "Updates:" mean in an RFC, and what
should be the criteria for making that decision?  We (the WG chairs)
felt that we were getting into a discussion that was well outside
of the scope of the TCPM WG.

So, we would like the IESG to voice an opinion on whether or not
it would be appropriate to add "Updates: 793" to this document.  If
the answer is yes, then there are other draft documents in the works
that this would probably affect.

In addition, this document has IPR issues from Cisco, which is one
of the reasons why this document is strictly optional.


>    (1.e)  How solid is the WG consensus behind this document?  Does it
>          represent the strong concurrence of a few individuals, with
>          others being silent, or does the WG as a whole understand and
>          agree with it?


This document has been through many revisions, with a smaller group
of individuals who have done the bulk of the discussion.  It has been
discussed at multiple IETF meetings.  A lot of the controversy was
in the classification of this document.  The Applicability Statement
in the document is the consensus of the WG: it SHOULD be implemented
by devices that are subject to these kinds of attacks (those that have
long-lived TCP connections with well known src/dst ports), and MAY be
implemented in other cases.  Within the document there are three
mitigation strategies, and the consensus of the WG was that these
are SHOULD, SHOULD and MAY.


>    (1.f)  Has anyone threatened an appeal or otherwise indicated extreme
>          discontent?  If so, please summarise the areas of conflict in
>          separate email messages to the Responsible Area Director.  (It
>          should be in a separate email because this questionnaire is
>          entered into the ID Tracker.)


We are aware of no reasons this document would be appealed or anyone
who is unhappy with it.



>    (1.g)  Has the Document Shepherd personally verified that the
>          document satisfies all ID nits?  (See
>          http://www.ietf.org/ID-Checklist.html and
>          http://tools.ietf.org/tools/idnits/).  Boilerplate checks are
>          not enough; this check needs to be thorough.  Has the document
>          met all formal review criteria it needs to, such as the MIB
>          Doctor, media type and URI type reviews?

The current document was submitted in November 2008, and as such it
does not have the new boilerplate.

There is a warning about FQDN in the document, but this is just text
that looks like a FQDN, but isn't (MAX.SND.WND).


This document does not need MIB or URI reviews.



>    (1.h)  Has the document split its references into normative and
>          informative?  Are there normative references to documents that
>          are not ready for advancement or are otherwise in an unclear
>          state?  If such normative references exist, what is the
>          strategy for their completion?  Are there normative references
>          that are downward references, as described in [RFC3967]?  If
>          so, list these downward references to support the Area
>          Director in the Last Call procedure for them [RFC3967].



The references have been split into 'normative' and 'non-normative'.

The normative references are all published RFCs.

There is one Informative Reference to an ID.



>    (1.i)  Has the Document Shepherd verified that the document IANA
>          consideration section exists and is consistent with the body
>          of the document?  If the document specifies protocol
>          extensions, are reservations requested in appropriate IANA
>          registries?  Are the IANA registries clearly identified?  If
>          the document creates a new registry, does it define the
>          proposed initial contents of the registry and an allocation
>          procedure for future registrations?  Does it suggest a
>          reasonable name for the new registry?  See [RFC2434].  If the
>          document describes an Expert Review process has Shepherd
>          conferred with the Responsible Area Director so that the IESG
>          can appoint the needed Expert during the IESG Evaluation?



The document has an IANA considerations section, and there are no IANA
considerations.



>    (1.j)  Has the Document Shepherd verified that sections of the
>          document that are written in a formal language, such as XML
>          code, BNF rules, MIB definitions, etc., validate correctly in
>          an automated checker?



N/A



>    (1.k)  The IESG approval announcement includes a Document
>          Announcement Write-Up.  Please provide such a Document
>          Announcement Write-Up?  Recent examples can be found in the
>          "Action" announcements for approved documents.  The approval
>          announcement contains the following sections:
>
>          Technical Summary
>              Relevant content can frequently be found in the abstract
>              and/or introduction of the document.  If not, this may be
>              an indication that there are deficiencies in the abstract
>              or introduction.
>
>          Working Group Summary
>              Was there anything in WG process that is worth noting?  For
>              example, was there controversy about particular points or
>              were there decisions where the consensus was particularly
>              rough?
>
>          Document Quality
>              Are there existing implementations of the protocol?  Have a
>              significant number of vendors indicated their plan to
>              implement the specification?  Are there any reviewers that
>              merit special mention as having done a thorough review,
>              e.g., one that resulted in important changes or a
>              conclusion that the document had no substantive issues?  If
>              there was a MIB Doctor, Media Type or other expert review,
>              what was its course (briefly)?  In the case of a Media Type
>              review, on what date was the request posted?



Technical Summary:

  This document examines the fact that long term TCP connections that
  have well known source and destination addresses are vulnerable to
  attack by the injection of bogus RST, SYN or data packets by guessing
  sequence numbers that fall into the current window of the connection.
  It provides three mitigation strategies that can be used to reduce the
  chance that an attacker can be successful with these spoofed segments.

Working Group Summary

  The working group saw that there was a fair amount of experience
  with these mitigation strategies; two of them are very simple, and
  one is a bit more involved.  The WG felt that this document is a
  SHOULD for devices that are susceptible to these types of attacks,
  and a MAY for other implementations.  These changes are not needed
  for correct TCP operation, but reduce the chance that a spoofed
  packet will be accepted as valid.

Document Quality

  The document was reviewed for quality by a fair number of TCPM
  WG members.  There already exist several implementations of these
  strategies, and there are not any known interoperability issues
  with TCP implementations that do not have these changes.
2008-11-02
11 (System) New version available: draft-ietf-tcpm-tcpsecure-11.txt
2008-07-09
10 (System) New version available: draft-ietf-tcpm-tcpsecure-10.txt
2008-01-08
09 (System) New version available: draft-ietf-tcpm-tcpsecure-09.txt
2007-07-10
08 (System) New version available: draft-ietf-tcpm-tcpsecure-08.txt
2007-02-23
07 (System) New version available: draft-ietf-tcpm-tcpsecure-07.txt
2006-11-09
06 (System) New version available: draft-ietf-tcpm-tcpsecure-06.txt
2006-06-16
05 (System) New version available: draft-ietf-tcpm-tcpsecure-05.txt
2006-03-20
13 Lars Eggert Shepherding AD has been changed to Lars Eggert from Allison Mankin
2006-03-19
13 Lars Eggert Draft Added by Lars Eggert in state AD is watching
2006-02-15
04 (System) New version available: draft-ietf-tcpm-tcpsecure-04.txt
2005-05-18
03 (System) New version available: draft-ietf-tcpm-tcpsecure-03.txt
2004-11-23
02 (System) New version available: draft-ietf-tcpm-tcpsecure-02.txt
2004-06-10
01 (System) New version available: draft-ietf-tcpm-tcpsecure-01.txt
2004-05-17
(System) Posted related IPR disclosure: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure
2004-04-20
00 (System) New version available: draft-ietf-tcpm-tcpsecure-00.txt