INTERNET-DRAFT W A Simpson
DayDreamer
Intended status: Informational 4 July 2010
TCP Cookie Transactions (TCPCT)
Sockets Application Program Interface (API)
draft-simpson-tcpct-api-00
Abstract
TCP Cookie Transactions (TCPCT) deter spoofing of connections and
prevent resource exhaustion, eliminating Responder (server) state
during the initial handshake. The Initiator (client) has sole
responsibility for ensuring required delays between connections. The
cookie exchange may carry data, limited to inhibit amplification and
reflection denial of service attacks.
This document provides a sockets Application Program Interface (API)
to support "basic" and "advanced" TCPCT applications. TCP/IP
applications written using the sockets API have enjoyed a high degree
of portability.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
This document may not be modified, and derivative works of it may not
be created, except to format it for publication as an RFC or to
translate it into languages other than English.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
Simpson expires January 4, 2011 [Page i]
DRAFT TCPCT API 4 July 2010
at http://datatracker.ietf.org/drafts/current.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Terminology . . . . . . . . . . . . . . . . . . . 1
2. sysctl . . . . . . . . . . . . . . . . . . . . . . . . . 1
3. Socket Option . . . . . . . . . . . . . . . . . . . . . 2
3.1 struct tcp_cookie_transactions . . . . . . . . . . 2
3.2 more ... . . . . . . . . . . . . . . . . . . . . 4
IANA CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . . . 4
SECURITY CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . 5
NORMATIVE REFERENCES . . . . . . . . . . . . . . . . . . . . . 5
CONTACTS . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Simpson expires January 4, 2011 [Page ii]
DRAFT TCPCT API 4 July 2010
1. Introduction
This specification is based upon prior work product by the author for
a Linux implementation, and previous internal documents Copyright (C)
William Allen Simpson (2009-2010).
1.1. Terminology
The key words "MAY", "MUST, "MUST NOT", "OPTIONAL", "RECOMMENDED",
"REQUIRED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in [RFC 2119].
2. sysctl
tcp_cookie_size - INTEGER
Default size of TCP Cookie Transactions (TCPCT) option, that may
be overridden on a per socket basis by the TCPCT socket option.
Values greater than the maximum (16) are interpreted as the
maximum. Values greater than zero and less than the minimum (8)
are interpreted as the minimum. Odd values are interpreted as the
next even value. Default: 0 (off).
When tcp_cookie_size is 0, the TCP stack will not send the Cookie
Option, and any incoming Cookie Option will be silently discarded.
When tcp_cookie_size is greater than 0, the TCP stack will always
send the Cookie Option, and any incoming Cookie Option will be
processed. This is most useful for single purpose systems, such as
DNS or HTTP servers.
Either case may be modified on a per socket basis.
Simpson expires January 4, 2011 [Page 1]
DRAFT TCPCT API 4 July 2010
3. Socket Option
#define TCP_COOKIE_TRANSACTIONS
When present, the TCP Cookie Transactions (TCPCT) socket option is
available.
3.1. struct tcp_cookie_transactions
/* for TCP_COOKIE_TRANSACTIONS (TCPCT) socket option */
#define TCP_COOKIE_MIN 8 /* 64-bits */
#define TCP_COOKIE_MAX 16 /* 128-bits */
#define TCP_COOKIE_PAIR_SIZE (2*TCP_COOKIE_MAX)
/* Flags for both getsockopt and setsockopt */
#define TCP_COOKIE_IN_ALWAYS (1 << 0)
#define TCP_COOKIE_OUT_NEVER (1 << 1)
#define TCP_S_DATA_IN (1 << 2)
#define TCP_S_DATA_OUT (1 << 3)
#define TCP_EXTEND_TIMESTAMP (7 << 4) /* mask */
#define TCP_EXTEND_TIMESTAMP32 (1 << 4) /* default */
#define TCP_EXTEND_TIMESTAMP64 (1 << 5)
#define TCP_EXTEND_TIMESTAMP128 (1 << 6)
/* TCP_COOKIE_TRANSACTIONS data */
struct tcp_cookie_transactions {
uint16_t tcpct_flags;
uint8_t __tcpct_pad1;
uint8_t tcpct_cookie_desired;
uint16_t tcpct_s_data_desired;
uint16_t tcpct_used;
uint8_t tcpct_value[TCP_COOKIE_PAIR_SIZE];
};
The structure is 64-bit aligned.
tcpct_flags
TCP_COOKIE_IN_ALWAYS
Default: 0 (off). Silently discard any incoming <SYN> or
<SYN,ACK(SYN)> that is missing the Cookie option on a per port
basis.
TCP_COOKIE_OUT_NEVER
Default: 0 (off). Refuse to send (override) the Cookie option
Simpson expires January 4, 2011 [Page 2]
DRAFT TCPCT API 4 July 2010
on a per port basis. This supercedes any other settings to the
contrary.
TCP_S_DATA_IN
getsockopt()
Indicates <SYN> or <SYN,ACK(SYN)> data has been received.
setsockopt()
Ignored.
TCP_S_DATA_OUT
getsockopt()
Indicates <SYN> or <SYN,ACK(SYN)> data has been sent.
setsockopt()
The tcpct_value has been filled with constant data that will
be sent with the <SYN> or <SYN,ACK(SYN)>. Do not wait for
additional data before sending.
TCP_EXTEND_TIMESTAMP
Default: TCP_EXTEND_TIMESTAMP32.
If other symbols are defined, may send 64-bit (or future
128-bit) timestamps extension. Otherwise, 64-bit (or future
128-bit) timestamps have not been implemented.
__tcpct_pad1
Reserved; MUST be zero.
tcpct_cookie_desired
Values: 0 (default), 8, 10, 12, 14, 16. Send the Cookie option
with the <SYN> or <SYN,ACK(SYN)> on a per port basis. Defaults to
tcp_cookie_size instead.
tcpct_s_data_desired
TCP_SYN_DATA_LIMIT
Default: 0. Maximum: 496. The maximum amount of data
transmitted with the <SYN> on a per port basis. Wait for data
before sending.
TCP_SYN_ACK_DATA_LIMIT
Default: 0. Maximum: 1220. The maximum amount of data
Simpson expires January 4, 2011 [Page 3]
DRAFT TCPCT API 4 July 2010
transmitted with the <SYN,ACK(SYN)> on a per port basis. Wait
for data before sending.
tcpct_used
Number of bytes in tcpct_value.
tcpct_value
getsockopt()
Returns the current value of the cookie or cookie pair.
setsockopt()
If TCP_S_DATA_OUT is set, the constant data that will be sent
with the <SYN> or <SYN,ACK(SYN)>. The ultimate size of the
field will depend on the actual amount of data present, up to
TCP_SYN_DATA_LIMIT or TCP_SYN_ACK_DATA_LIMIT.
Otherwise, the Initiator cookie. Note that the minimum size of
this field is TCP_COOKIE_PAIR_SIZE, although only half that
space will be used.
3.2. more ...
IANA Considerations
This specification registers two new TCP options. These (previously
unpublished) options were specifically selected to avoid conflicts,
and IANA was advised in advance.
TCP Cookie Option
Kind: 31
Length: variable.
TCP Timestamps Extended Option
Kind: 32
Length: 3.
Notes: Kind 31 is a prime number, particularly appropriate for a
security enhancement. Kind 32 is a multiple of TCP Timestamps Option
(Kind 8); Kind 16 was already registered.
Simpson expires January 4, 2011 [Page 4]
DRAFT TCPCT API 4 July 2010
Security Considerations
First and foremost, the cookie exchange improves operational security
for vulnerable servers against flooding attacks. All other semantics
are subordinate.
TCPCT provides a number of new security mechanisms that need to be
accessible to applications.
Normative References
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, March 1997.
[TCPCT] Simpson, W. A., "TCP Cookie Transactions (TCPCT)", June
2010. http://tools.ietf.org/html/draft-simpson-tcpct
Author's Address
Questions about this document can be directed to:
William Allen Simpson
DayDreamer
Computer Systems Consulting Services
1384 Fontaine
Madison Heights, Michigan 48071
William.Allen.Simpson@Gmail.com
Simpson expires January 4, 2011 [Page 5]