IETF Logo Mail Archive

Re: [tcpm] [Technical Errata Reported] RFC5961 (4772)

Joe Touch <touch@isi.edu> Thu, 11 August 2016 19:37 UTC

Return-Path: <touch@isi.edu>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00D0B12D14A for <tcpm@ietfa.amsl.com>; Thu, 11 Aug 2016 12:37:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.167
X-Spam-Level:
X-Spam-Status: No, score=-8.167 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.247] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N-RFi_GPBXj3 for <tcpm@ietfa.amsl.com>; Thu, 11 Aug 2016 12:37:20 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AB6D12D0EC for <tcpm@ietf.org>; Thu, 11 Aug 2016 12:37:20 -0700 (PDT)
Received: from [128.9.184.139] ([128.9.184.139]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id u7BJadwa026094 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 11 Aug 2016 12:36:39 -0700 (PDT)
To: Loganaden Velvindron <loganaden@gmail.com>
References: <20160810183654.05358B80C3A@rfc-editor.org> <CAOp4FwTogyBXLYdjHrrnM3-Uz2wpSX31eZg+GJwUP5LBnqu=sQ@mail.gmail.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <7ac89d58-fc3a-9e12-9d22-0602944f8677@isi.edu>
Date: Thu, 11 Aug 2016 12:36:37 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CAOp4FwTogyBXLYdjHrrnM3-Uz2wpSX31eZg+GJwUP5LBnqu=sQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/Hk5x_-0bcZd7PCWMLqUD5i_g9Dg>
Cc: tcpm@ietf.org
Subject: Re: [tcpm] [Technical Errata Reported] RFC5961 (4772)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2016 19:37:22 -0000

FWIW, I see nothing in RFC5961 that implies that ACK throttling - or
anything in the doc - should be across connections.

This new doc can claim to clarify Sec 7 of that RFC, but I see no reason
to deprecate it.

Joe


On 8/11/2016 9:27 AM, Loganaden Velvindron wrote:
> I submitted this draft, yesterday.:
>
> https://tools.ietf.org/html/draft-lvelvindron-ack-throttling-02
>
> It's a work-in-progress, but I welcome feedback.
>
>
> On Wed, Aug 10, 2016 at 10:36 PM, RFC Errata System
> <rfc-editor@rfc-editor.org> wrote:
>> The following errata report has been submitted for RFC5961,
>> "Improving TCP's Robustness to Blind In-Window Attacks".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=5961&eid=4772
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Stéphane Bortzmeyer <bortzmeyer+ietf@nic.fr>
>>
>> Section: 7
>>
>> Original Text
>> -------------
>> [The entire section]
>>
>> Corrected Text
>> --------------
>> No suggested text because it requires a much more serious analysis.
>> May be adding that the rate-limit counter SHOULD be per-connection,
>> in the spirit of RFC 6528?
>>
>> Notes
>> -----
>> It appears the section does not specify that the counter for ACK throttling SHOULD be per-connection. In Linux, it is apparently global, which allowed its use as a side channel enabling nasty attacks (CVE-2016-5696 and the paper "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous" <http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf>)
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party (IESG)
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC5961 (draft-ietf-tcpm-tcpsecure-13)
>> --------------------------------------
>> Title               : Improving TCP's Robustness to Blind In-Window Attacks
>> Publication Date    : August 2010
>> Author(s)           : A. Ramaiah, R. Stewart, M. Dalal
>> Category            : PROPOSED STANDARD
>> Source              : TCP Maintenance and Minor Extensions
>> Area                : Transport
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>>
>> _______________________________________________
>> tcpm mailing list
>> tcpm@ietf.org
>> https://www.ietf.org/mailman/listinfo/tcpm
>>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email