Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt
Lloyd Wood <l.wood@eim.surrey.ac.uk> Fri, 23 April 2004 22:51 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA20275 for <tcpm-archive@odin.ietf.org>; Fri, 23 Apr 2004 18:51:14 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BH9SN-0002Ux-J2 for tcpm-archive@odin.ietf.org; Fri, 23 Apr 2004 18:47:39 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i3NMldu0009599 for tcpm-archive@odin.ietf.org; Fri, 23 Apr 2004 18:47:39 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BH9PN-0001TF-Hd for tcpm-web-archive@optimus.ietf.org; Fri, 23 Apr 2004 18:44:33 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA19794 for <tcpm-web-archive@ietf.org>; Fri, 23 Apr 2004 18:44:28 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BH9PK-000467-K7 for tcpm-web-archive@ietf.org; Fri, 23 Apr 2004 18:44:30 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BH9OW-0003pw-00 for tcpm-web-archive@ietf.org; Fri, 23 Apr 2004 18:43:40 -0400
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1BH9Np-0003Z7-00 for tcpm-web-archive@ietf.org; Fri, 23 Apr 2004 18:42:57 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BH9CI-0005dk-6m; Fri, 23 Apr 2004 18:31:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BH98t-0004MU-3u for tcpm@optimus.ietf.org; Fri, 23 Apr 2004 18:27:31 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA18752 for <tcpm@ietf.org>; Fri, 23 Apr 2004 18:27:26 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BH98q-0007Gr-2d for tcpm@ietf.org; Fri, 23 Apr 2004 18:27:28 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BH97q-00070s-00 for tcpm@ietf.org; Fri, 23 Apr 2004 18:26:26 -0400
Received: from [131.227.76.5] (helo=prue.eim.surrey.ac.uk ident=exim) by ietf-mx with esmtp (Exim 4.12) id 1BH96s-0006jO-00 for tcpm@ietf.org; Fri, 23 Apr 2004 18:25:26 -0400
Received: from argos.ee.surrey.ac.uk ([131.227.89.15] ident=eep1lw) by prue.eim.surrey.ac.uk with esmtp (Exim 3.33 #4) id 1BH96f-0005TB-00; Fri, 23 Apr 2004 23:25:13 +0100
Date: Fri, 23 Apr 2004 23:25:11 +0100
From: Lloyd Wood <l.wood@eim.surrey.ac.uk>
X-X-Sender: eep1lw@argos.ee.surrey.ac.uk
To: tcpm@ietf.org, rrs@cisco.com
Subject: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt
In-Reply-To: <40897C4C.9020900@isi.edu>
Message-ID: <Pine.GSO.4.50.0404232249570.5889-100000@argos.ee.surrey.ac.uk>
References: <025E7DD4182874489CC2F61EE0FA19CE02885696@daebe004.americas.nokia.com> <4087B232.4050203@cisco.com> <4087DDE6.3020703@nokia.com> <4087E36F.7000502@cisco.com> <40885BAB.2070200@isi.edu> <87y8omrehb.fsf@deneb.enyo.de> <40897C4C.9020900@isi.edu>
Organization: speaking for none
X-url: http://www.ee.surrey.ac.uk/Personal/L.Wood/
X-no-archive: no
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Scanner: exiscan *1BH96f-0005TB-00*vSsLgRk5IrM* (SECM, UniS)
Sender: tcpm-admin@ietf.org
Errors-To: tcpm-admin@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60
I'm interested in the proposed RST ack challenge/response mechanism. I expect the case that the valid packet received containing the RST flag is _not_ the packet the receiver was expecting with the next expected sequence number to be quite common, with packet reordering in the Internet, loss (and don't users often kill slow browser connections?), and whatnot. Connections don't always get closed under the best of conditions. It strikes me that, a priori, both sender and receiver know and can remember the initial sequence number ever used on their connection, which is (pseudo-randomly) selected. Randomness of initial sequence numbers was recently improved, after much media fuss: http://www.google.com/search?q=initial+sequence+number+randomness We can use this randomness to our advantage. This first sequence number information can be used to form part of the challenge-response; if the sender has sent an RST packet whose sequence number lies in the window, but it is not the next expected packet, the ack sent back by the receiver can be an indicator for the RST sender to pass the first sequence number in a subsequent packet (also containing a confirming RST flag. 'I told you to close. I'm telling you to close again. And here's a reminder of when we first spoke and agreed to open. It's a random number we both know.'.) I suppose this could be passed as (sigh) a new TCP option -- or, better, you could just use the existing sequence number field. Existing TCP implementations would ignore this second RST packet containing the original first sequence number in that field if that correct number lies outside the window, and if it's inside, well, you've already sent one RST anyway. You're likely backwards compatible. This weak authentication might give added protection to long-lived TCP flows, as the attacker would need to snoop on the start of the connection to know that first sequence number - and if she's doing that, your unsecure data can already be hers. (Why is there so much fuss about a weak DoS attack and no fuss about the widespread reliance on an unsecure transfer protocol?) And in tying to sequence space, which is where our problem lies, storing and resending the initial sequence number on request as a cookie seems somewhat easier to code and deal with than the later and optional timestamps (K Poon's suggestion), as we avoid option fields entirely. L. apologies if this has already been suggested in these related threads. Unfortunately, my life prevents me from reading email full-time. <http://www.ee.surrey.ac.uk/Personal/L.Wood/><L.Wood@eim.surrey.ac.uk> _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Yogesh.Swami
- [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Tim Shepard
- RE: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt S K
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Allison Mankin
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Tim Shepard
- RE: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- RE: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt sanjay kaniyar
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Mitesh Dalal
- RE: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Yogesh.Swami
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Randall Stewart (cisco)
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Yogesh Prem Swami
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Randall Stewart (cisco)
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Florian Weimer
- [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Joe Touch
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Jeremy Harris
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Florian Weimer
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Florian Weimer
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Yogesh Prem Swami
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Anantha Ramaiah
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Don Lewis
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Qiaobing Xie
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Lloyd Wood
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Tim Shepard
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Kacheong Poon
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Lloyd Wood
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Florian Weimer
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Randall Stewart (cisco)
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: FW: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.t… Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Anantha Ramaiah
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Kacheong Poon
- RE: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Paul Goyette
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Kacheong Poon
- RE: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Christian Huitema
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Tim Shepard
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Anantha Ramaiah
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Kacheong Poon
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Kacheong Poon
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mika Liljeberg
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Kacheong Poon
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Kacheong Poon
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Kacheong Poon
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Kacheong Poon
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Allwyn Carvalho
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Anantha Ramaiah
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mika Liljeberg
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Allwyn Carvalho
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- RE: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Paul Goyette
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt AClarke
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- RE: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Paul Goyette
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- RE: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Paul Goyette
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Tim Shepard
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mark Allman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt David Borman
- RE: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Paul Goyette
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mitesh Dalal
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt David Borman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt David Borman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Randall Stewart (cisco)
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt David Borman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Mika Liljeberg
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt David Borman
- Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt Joe Touch
- Re: is SCTP the answer? (was Re: [tcpm] "TCP Mult… Thomas Narten
- RE: is SCTP the answer? (was Re: [tcpm] "TCP Mult… john.loughney