Disabling PAWS When Other Protections Are Available
draft-nishida-tcpm-disabling-paws-00

Document Type Active Internet-Draft (individual)
Last updated 2018-06-20
Network Working Group                                         Y. Nishida
Internet-Draft                                        GE Global Research
Intended status: Experimental                              June 20, 2018
Expires: December 22, 2018

          Disabling PAWS When Other Protections Are Available
                  draft-nishida-tcpm-disabling-paws-00

Abstract

   PAWS protects a TCP connection against old duplicate segments, whether
   they result from wrapped sequence numbers or from an earlier
   incarnation of the connection.  One drawback of PAWS is that it
   requires the Timestamps option in every segment, which consumes 10-12
   bytes of the TCP option space.  In addition, since PAWS only checks
   whether a timestamp is older than the one most recently received, its
   protection logic is not very strong against malicious attacks and
   cannot work properly in some situations.  On the other hand, other
   technologies that can provide stronger protection than PAWS are
   becoming available.  This document proposes to use such protection
   mechanisms as replacements for PAWS when they are available.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 22, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of

Nishida                 Expires December 22, 2018               [Page 1]
Internet-Draft               Disabling PAWS                    June 2018

   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Terminology . . . . . . . . . . . . . . . . .   3
   3.  Possible Mechanisms as Replacements of PAWS . . . . . . . . .   3
     3.1.  TCP Increased Security (tcpinc) . . . . . . . . . . . . .   3
     3.2.  Multipath TCP . . . . . . . . . . . . . . . . . . . . . .   4
     3.3.  TLS . . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Duplicates from Earlier Connection Incarnations . . . . . . .   5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   PAWS (Protect Against Wrapped Sequences), defined in [RFC7323], is a
   technique that identifies old duplicate segments in a TCP connection,
   including segments from earlier incarnations of the connection.  PAWS
   uses the TCP Timestamps option.  When both TCP endpoints agree to use
   PAWS, every segment belonging to the connection carries the option,
   which consumes 10-12 bytes of the 40-byte option space.  As recent TCP
   connections use the option space for other TCP extensions such as
   [RFC2018], [RFC5925] and [RFC6824], this cost tends to be considered
   expensive these days.
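   To make that cost concrete, the following C example (added here; it is
   not code from the draft or from any particular TCP implementation)
   lays out a data segment's option space the way implementations
   commonly do: each option is padded with NOPs to a 32-bit boundary,
   because the Data Offset field counts 32-bit words.  The 10-byte
   Timestamps option therefore occupies 12 of the 40 bytes, and the
   helper tcp_max_sack_blocks() shows the practical consequence: with
   Timestamps present only three SACK blocks [RFC2018] fit, without it
   four.  The SACK edge values are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The TCP Data Offset field is 4 bits wide, so the header is at most
 * 60 bytes: 20 bytes of fixed header plus up to 40 bytes of options. */
#define TCP_MAX_OPTIONS   40
#define TCPOPT_NOP        1
#define TCPOPT_SACK       5   /* RFC 2018, length 2 + 8 per block */
#define TCPOPT_TIMESTAMP  8   /* RFC 7323, length 10 */

struct tcp_options {
    uint8_t buf[TCP_MAX_OPTIONS];
    size_t  len;
};

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/* Pad with NOPs to the next 32-bit boundary.  Data Offset counts 32-bit
 * words, so an option whose length is not a multiple of 4 costs its
 * padded size on the wire: the 10-byte Timestamps option occupies 12. */
static void pad_to_word(struct tcp_options *o)
{
    while (o->len % 4 != 0)
        o->buf[o->len++] = TCPOPT_NOP;
}

/* Append a Timestamps option: kind 8, length 10, TSval, TSecr. */
bool tcp_opt_add_timestamps(struct tcp_options *o, uint32_t tsval, uint32_t tsecr)
{
    if (o->len + 10 > TCP_MAX_OPTIONS)
        return false;
    o->buf[o->len++] = TCPOPT_TIMESTAMP;
    o->buf[o->len++] = 10;
    put32(&o->buf[o->len], tsval);
    o->len += 4;
    put32(&o->buf[o->len], tsecr);
    o->len += 4;
    pad_to_word(o);
    return true;
}

/* Append a SACK option with n blocks; edges holds n (left, right) pairs. */
bool tcp_opt_add_sack(struct tcp_options *o, const uint32_t *edges, size_t n)
{
    size_t need = 2 + 8 * n;
    if (n == 0 || n > 4 || o->len + need > TCP_MAX_OPTIONS)
        return false;
    o->buf[o->len++] = TCPOPT_SACK;
    o->buf[o->len++] = (uint8_t)need;
    for (size_t i = 0; i < n; i++) {
        put32(&o->buf[o->len], edges[2 * i]);
        o->len += 4;
        put32(&o->buf[o->len], edges[2 * i + 1]);
        o->len += 4;
    }
    pad_to_word(o);
    return true;
}

/* Largest number of SACK blocks that fit in a data segment's option
 * space, with or without the Timestamps option in front of them. */
size_t tcp_max_sack_blocks(bool with_timestamps)
{
    /* Constructed sample edges; only their count matters here. */
    const uint32_t edges[8] = { 100, 200, 300, 400, 500, 600, 700, 800 };
    size_t best = 0;

    for (size_t n = 1; n <= 4; n++) {
        struct tcp_options o = { .len = 0 };
        if (with_timestamps && !tcp_opt_add_timestamps(&o, 1, 1))
            break;
        if (!tcp_opt_add_sack(&o, edges, n))
            break;
        best = n;
    }
    return best;
}

int main(void)
{
    printf("SACK blocks per segment without timestamps: %zu\n",
           tcp_max_sack_blocks(false));
    printf("SACK blocks per segment with timestamps:    %zu\n",
           tcp_max_sack_blocks(true));
    return 0;
}
```

   The same arithmetic applies to the other options the draft names: any
   bytes spent on the Timestamps option are bytes that TCP-AO [RFC5925]
   or Multipath TCP [RFC6824] cannot use in that segment.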

   The Timestamps option is also used for RTTM (Round Trip Time
   Measurement).  Gathering an RTT sample from the timestamp in every TCP
   segment may look like a useful way to improve RTO estimation.
   However, research results show that taking a few RTT samples per RTT
   can be sufficient [MALLMAN99].  Also, some TCP implementations record
   the transmission time of each packet; in that case the Timestamps
   option is not necessary to measure RTTs.

   The basic idea of PAWS is that a received segment is considered an old
   duplicate if its timestamp is less than the timestamps recently
   received on the connection.  The timestamp values used in PAWS are
   32-bit unsigned integers.  Hence, when PAWS compares two timestamp
   values t1 and t2, it regards t2 as "newer than t1" if 0 < (t2 - t1) <
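   The comparison is the usual modular one on 32-bit values: t2 is newer
   than t1 when 0 < (t2 - t1) < 2^31, which is the same as the unsigned
   difference being positive when reinterpreted as a signed 32-bit
   integer.  The following C example (added here; not code from the draft
   or from any TCP stack) implements the receive-side PAWS test of
   [RFC7323] in simplified form: the rule that TS.Recent is only updated
   when the segment also covers the left window edge (SEG.SEQ <=
   Last.ACK.sent) is omitted, and that omission is an assumption of the
   example.  It keeps the 24-day idle rule of RFC 7323 and exempts RST
   segments, and its main() shows the weakness the abstract refers to: a
   forged segment passes PAWS as long as its TSval is not older than
   TS.Recent, so PAWS adds nothing against an attacker who can guess the
   sequence space.  All timestamp and clock values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 7323: a connection idle for more than 24 days may hold a stale
 * TS.Recent, since at a 1 ms tick 2^31 ticks elapse in about 24.8 days
 * and a genuinely new timestamp would then compare as "older". */
#define PAWS_IDLE_LIMIT_SECS (24u * 24u * 60u * 60u)

/* Receive-side PAWS state kept per connection. */
struct paws_state {
    uint32_t ts_recent;       /* TS.Recent: TSval of the last accepted segment */
    uint32_t ts_recent_secs;  /* wall-clock seconds when TS.Recent was updated */
};

/* Modular 32-bit comparison: t2 is "newer than t1" when 0 < (t2 - t1) < 2^31,
 * i.e. when the unsigned difference, reinterpreted as int32_t, is positive.
 * The cast survives the wrap from 0xFFFFFFFF to 0 (5 is newer than
 * 0xFFFFFFF0, because 5 - 0xFFFFFFF0 == 21 modulo 2^32). */
static bool ts_older(uint32_t t2, uint32_t t1)
{
    return (int32_t)(t2 - t1) < 0;
}

/* Returns true if the segment is acceptable to PAWS.  Simplification
 * (assumption of this example): RFC 7323 updates TS.Recent only when the
 * segment also satisfies SEG.SEQ <= Last.ACK.sent; that sequence-number
 * condition is omitted here. */
bool paws_check(struct paws_state *st, uint32_t seg_tsval, uint32_t now_secs,
                bool rst)
{
    if (ts_older(seg_tsval, st->ts_recent)) {
        if (rst)
            return true;   /* RST segments are not subject to the PAWS test */
        if (now_secs - st->ts_recent_secs > PAWS_IDLE_LIMIT_SECS) {
            /* TS.Recent is outdated; resynchronise on this segment instead */
            st->ts_recent = seg_tsval;
            st->ts_recent_secs = now_secs;
            return true;
        }
        return false;      /* old duplicate: drop it (and send an ACK) */
    }
    /* Not older: accept and remember the newest timestamp seen. */
    st->ts_recent = seg_tsval;
    st->ts_recent_secs = now_secs;
    return true;
}

int main(void)
{
    struct paws_state st = { .ts_recent = 1000, .ts_recent_secs = 100 };

    printf("old duplicate (TSval 999):       %s\n",
           paws_check(&st, 999, 101, false) ? "accept" : "reject");

    st.ts_recent = 0xFFFFFFF0u;
    printf("wrapped timestamp (TSval 5):     %s\n",
           paws_check(&st, 5, 102, false) ? "accept" : "reject");

    /* An attacker who can hit the window only needs a TSval that is not
     * older than TS.Recent; PAWS checks ordering, not authenticity. */
    printf("forged segment (TSval 100005):   %s\n",
           paws_check(&st, 100005, 103, false) ? "accept" : "reject");
    return 0;
}
```

   The forged-segment case is the point of the draft: PAWS only orders
   timestamps, so the mechanisms in Section 3 (tcpinc, MPTCP, TLS) can
   reject such a segment on cryptographic grounds where PAWS cannot.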