draft-ietf-tcpm-rfc1948bis-01.txt   draft-ietf-tcpm-rfc1948bis-02.txt 
TCP Maintenance and Minor Extensions F. Gont TCP Maintenance and Minor Extensions F. Gont
(tcpm) UTN/FRH (tcpm) SI6 Networks / UTN-FRH
Internet-Draft S. Bellovin Internet-Draft S. Bellovin
Obsoletes: 1948 (if approved) Columbia University Obsoletes: 1948 (if approved) Columbia University
Updates: 793 (if approved) June 28, 2011 Updates: 793 (if approved) December 16, 2011
Intended status: Standards Track Intended status: Standards Track
Expires: December 30, 2011 Expires: June 18, 2012
Defending Against Sequence Number Attacks Defending Against Sequence Number Attacks
draft-ietf-tcpm-rfc1948bis-01.txt draft-ietf-tcpm-rfc1948bis-02.txt
Abstract Abstract
This document specifies an algorithm for the generation of TCP This document specifies an algorithm for the generation of TCP
Initial Sequence Numbers (ISNs), such that the chances of an off-path Initial Sequence Numbers (ISNs), such that the chances of an off-path
attacker guessing the sequence numbers in use by a target connection attacker guessing the sequence numbers in use by a target connection
are reduced. This document revises (and formally obsoletes) RFC are reduced. This document revises (and formally obsoletes) RFC
1948, and takes the ISN generation algorithm originally proposed in 1948, and takes the ISN generation algorithm originally proposed in
that document to Standards Track. that document to Standards Track, formally updating RFC 793.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 30, 2011. This Internet-Draft will expire on June 18, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Generation of Initial Sequence Numbers . . . . . . . . . . . . 3 2. Generation of Initial Sequence Numbers . . . . . . . . . . . . 3
3. Proposed Initial Sequence Number generation algorithm . . . . 4 3. Proposed Initial Sequence Number generation algorithm . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.1. Normative References . . . . . . . . . . . . . . . . . . . 7 7.1. Normative References . . . . . . . . . . . . . . . . . . . 7
7.2. Informative References . . . . . . . . . . . . . . . . . . 7 7.2. Informative References . . . . . . . . . . . . . . . . . . 8
Appendix A. Address-based trust relationship exploitation Appendix A. Address-based trust relationship exploitation
attacks . . . . . . . . . . . . . . . . . . . . . . . 10 attacks . . . . . . . . . . . . . . . . . . . . . . . 10
A.1. Blind TCP connection-spoofing . . . . . . . . . . . . . . 10 A.1. Blind TCP connection-spoofing . . . . . . . . . . . . . . 10
Appendix B. Changes from RFC 1948 . . . . . . . . . . . . . . . . 12 Appendix B. Changes from RFC 1948 . . . . . . . . . . . . . . . . 12
Appendix C. Changes from previous versions of the document Appendix C. Changes from previous versions of the document
(this section should be removed by the RFC Editor (this section should be removed by the RFC Editor
before publication of this document as an RFC) . . . 12 before publication of this document as an RFC) . . . 12
C.1. Changes from draft-ietf-tcpm-rfc1948bis-00 . . . . . . . . 12 C.1. Changes from draft-ietf-tcpm-rfc1948bis-00 . . . . . . . . 12
C.2. Changes from draft-gont-tcpm-rfc1948bis-00 . . . . . . . . 12 C.2. Changes from draft-gont-tcpm-rfc1948bis-00 . . . . . . . . 12
C.3. Changes from RFC 1948 . . . . . . . . . . . . . . . . . . 13 C.3. Changes from RFC 1948 . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
For a long time, the Internet has experienced a number of off-path For a long time, the Internet has experienced a number of off-path
attacks against TCP connections. These attacks have ranged from attacks against TCP connections. These attacks have ranged from
trust relationships exploitation to Denial of Service attacks trust relationships exploitation to Denial of Service attacks
[CPNI-TCP]. Discusion of some of these attacks dates back to at [CPNI-TCP]. Discussion of some of these attacks dates back to at
least 1985, when Morris [Morris1985] described a form of attack based least 1985, when Morris [Morris1985] described a form of attack based
on guessing what sequence numbers TCP [RFC0793] will use for new on guessing what sequence numbers TCP [RFC0793] will use for new
connections between two known end-points. connections between two known end-points.
In 1996, RFC 1948 [RFC1948] proposed an algorithm for the selection In 1996, RFC 1948 [RFC1948] proposed an algorithm for the selection
of TCP ISNs, such that the chances of an off-path attacker guessing of TCP Initial Sequence Numbers (ISNs), such that the chances of an
valid sequence numbers are reduced. With the aforementioned off-path attacker guessing valid sequence numbers are reduced. With
algorithm, such attacks would remain possible if and only if the the aforementioned algorithm, such attacks would remain possible if
attacker already has the ability to perform "man in the middle" and only if the attacker already has the ability to perform "man in
attacks. the middle" attacks.
This document revises (and formally obsoletes) RFC 1948, and takes This document revises (and formally obsoletes) RFC 1948, and takes
the ISN generation algorithm originally proposed in that document to the ISN generation algorithm originally proposed in that document to
Standards Track. Standards Track.
Section 2 provides a brief discussion of the requirements for a good Section 2 provides a brief discussion of the requirements for a good
ISN generation algorithm. Section 3 specifies a good ISN selection ISN generation algorithm. Section 3 specifies a good ISN selection
algorithm. Finally, Appendix A provides a discussion of the trust- algorithm. Finally, Appendix A provides a discussion of the trust-
relationship exploitation attacks that originally motivated the relationship exploitation attacks that originally motivated the
publication of RFC 1948 [RFC1948]. publication of RFC 1948 [RFC1948].
skipping to change at page 4, line 7 skipping to change at page 4, line 7
It is interesting to note that, as a matter of fact, protection It is interesting to note that, as a matter of fact, protection
against stale segments from a previous incarnation of the connection against stale segments from a previous incarnation of the connection
is enforced by preventing the creation of a new incarnation of a is enforced by preventing the creation of a new incarnation of a
previous connection before 2*MSL have passed since a segment previous connection before 2*MSL have passed since a segment
corresponding to the old incarnation was last seen. This is corresponding to the old incarnation was last seen. This is
accomplished by the TIME-WAIT state, and TCP's "quiet time" concept accomplished by the TIME-WAIT state, and TCP's "quiet time" concept
(see Appendix B of [RFC1323]). (see Appendix B of [RFC1323]).
Based on the assumption that ISNs are monotonically-increasing across Based on the assumption that ISNs are monotonically-increasing across
connections, many stacks (e.g., 4.2BSD-derived) use the ISN of an connections, many stacks (e.g., 4.2BSD-derived) use the ISN of an
incomming SYN segment to perform "heuristics" that enable the incoming SYN segment to perform "heuristics" that enable the creation
creation of a new incarnation of a connection while the previous of a new incarnation of a connection while the previous incarnation
incarnation is still in the TIME-WAIT state (see pp. 945 of is still in the TIME-WAIT state (see pp. 945 of [Wright1994]). This
[Wright1994]). This avoids an interoperability problem that may avoids an interoperability problem that may arise when a node
arise when a node establishes connections to a specific TCP end-point establishes connections to a specific TCP end-point at a high rate
at a high rate [Silbersack2005]. [Silbersack2005].
Unfortunately, the ISN generator described in [RFC0793] makes it Unfortunately, the ISN generator described in [RFC0793] makes it
trivial for an off-path attacker to predict the ISN that a TCP will trivial for an off-path attacker to predict the ISN that a TCP will
use for new connections, thus allowing a variety of attacks against use for new connections, thus allowing a variety of attacks against
TCP connections [CPNI-TCP]. One of the possible attacks that takes TCP connections [CPNI-TCP]. One of the possible attacks that takes
advantage of weak sequence numbers was first described in advantage of weak sequence numbers was first described in
[Morris1985], and its exploitation was widely publicized about 10 [Morris1985], and its exploitation was widely publicized about 10
years later [Shimomura1995]. [CERT2001] and [USCERT2001] are years later [Shimomura1995]. [CERT2001] and [USCERT2001] are
advisories about the security implications of weak ISN generators. advisories about the security implications of weak ISN generators.
[Zalewski2001] and [Zalewski2002] contain a detailed analysis of ISN [Zalewski2001] and [Zalewski2002] contain a detailed analysis of ISN
skipping to change at page 5, line 7 skipping to change at page 5, line 7
propose an improvement to the TCP ISN generation algorithm, that does propose an improvement to the TCP ISN generation algorithm, that does
not require TCP to keep state for all recently-terminated not require TCP to keep state for all recently-terminated
connections. connections.
3. Proposed Initial Sequence Number generation algorithm 3. Proposed Initial Sequence Number generation algorithm
TCP SHOULD generate its Initial Sequence Numbers with the expression: TCP SHOULD generate its Initial Sequence Numbers with the expression:
ISN = M + F(localip, localport, remoteip, remoteport) ISN = M + F(localip, localport, remoteip, remoteport)
where M is the 4 microsecond timer, and F is a pseudorandom function where M is the 4 microsecond timer, and F() is a pseudorandom
(PRF) of the connection-id. It is vital that F not be computable function (PRF) of the connection-id. F() MUST NOT be computable from
from the outside, or an attacker could still guess at sequence the outside, or an attacker could still guess at sequence numbers
numbers from the ISN used for some other connection. The PRF could from the ISN used for some other connection. The PRF could be
be implemented as a cryptographic hash of the concatenation of the implemented as a cryptographic hash of the concatenation of the
connection-id and some secret data; MD5 [RFC1321] would be a good connection-id and some secret data; MD5 [RFC1321] would be a good
choice for the hash function. choice for the hash function.
The result of F() is no more secure than the the secret key. If an The result of F() is no more secure than the secret key. If an
attacker is aware of which cryptographic hash function is being used attacker is aware of which cryptographic hash function is being used
by the victim (which we should expect), and the attacker can obtain by the victim (which we should expect), and the attacker can obtain
enough material (i.e., ISNs selected by the victim), the attacker may enough material (i.e., ISNs selected by the victim), the attacker may
simply search the entire secret-key space to find matches. To simply search the entire secret-key space to find matches. To
protect against this, the secret key should be of a reasonable protect against this, the secret key should be of a reasonable
length. Key lengths of 128 bits should be adequate. The secret key length. Key lengths of 128 bits should be adequate. The secret key
can either be a true random number [RFC4086], or some per-host can either be a true random number [RFC4086], or some per-host
secret. A possible mechanism for protecting the secret key would be secret. A possible mechanism for protecting the secret key would be
to change it on occasion. For example, the secret key could be to change it on occasion. For example, the secret key could be
changed whenever one of the following events occur: changed whenever one of the following events occur:
skipping to change at page 5, line 44 skipping to change at page 5, line 44
Note that changing the secret would change the ISN space used for Note that changing the secret would change the ISN space used for
reincarnated connections, and thus could lead to the 4.4BSD reincarnated connections, and thus could lead to the 4.4BSD
heuristics to fail; to maintain safety, either dead connection state heuristics to fail; to maintain safety, either dead connection state
could be kept or a quiet time observed for two maximum segment could be kept or a quiet time observed for two maximum segment
lifetimes before such a change. lifetimes before such a change.
It should be noted that while there have been concerns about the It should be noted that while there have been concerns about the
security properties of MD5 [RFC6151], the algorithm specified in this security properties of MD5 [RFC6151], the algorithm specified in this
document simply aims at reducing the chances of an off-path attacker document simply aims at reducing the chances of an off-path attacker
of guessing the ISN of a new connection, and thus in our threat model guessing the ISN of a new connection, and thus in our threat model it
it is not worth the effort for an attacker to try to learn the secret is not worth the effort for an attacker to try to learn the secret
key. Since MD5 is faster than other "stronger" alternatives, and is key. Since MD5 is faster than other "stronger" alternatives, and is
used in virtually all existing implementations of this algorithm, we used in virtually all existing implementations of this algorithm, we
consider that use of MD5 in the specified algorithm is acceptable. consider that use of MD5 in the specified algorithm is acceptable.
However, implementations should consider the trade-offs involved in However, implementations should consider the trade-offs involved in
using functions with stronger security properties, and employ them if using functions with stronger security properties, and employ them if
it is deemed appropriate. it is deemed appropriate.
4. Security Considerations 4. Security Considerations
Good sequence numbers are not a replacement for cryptographic Good sequence numbers are not a replacement for cryptographic
skipping to change at page 6, line 21 skipping to change at page 6, line 21
If random numbers are used as the sole source of the secret, they If random numbers are used as the sole source of the secret, they
MUST be chosen in accordance with the recommendations given in MUST be chosen in accordance with the recommendations given in
[RFC4086]. [RFC4086].
A security consideration that should be made about the algorithm A security consideration that should be made about the algorithm
proposed in this document is that it might allow an attacker to count proposed in this document is that it might allow an attacker to count
the number of systems behind a Network Address Translator (NAT) the number of systems behind a Network Address Translator (NAT)
[RFC3022]. Depending on the ISN generators implemented by each of [RFC3022]. Depending on the ISN generators implemented by each of
the systems behind the NAT, an attacker might be able to count the the systems behind the NAT, an attacker might be able to count the
number of systems behind a NAT by establishing a number of TCP number of systems behind a NAT by establishing a number of TCP
connections (using the public address of the NAT) and indentifying connections (using the public address of the NAT) and identifying the
the number of different sequence number "spaces". number of different sequence number "spaces".
[I-D.gont-behave-nat-security] discusses how this and other [I-D.gont-behave-nat-security] discusses how this and other
information leakages at NATs could be mitigated. information leakages at NATs could be mitigated.
An eavesdropper who can observe the initial messages for a connection An eavesdropper who can observe the initial messages for a connection
can determine its sequence number state, and may still be able to can determine its sequence number state, and may still be able to
launch sequence number guessing attacks by impersonating that launch sequence number guessing attacks by impersonating that
connection. However, such an eavesdropper can also hijack existing connection. However, such an eavesdropper can also hijack existing
connections [Joncheray1995], so the incremental threat is not that connections [Joncheray1995], so the incremental threat is not that
high. Still, since the offset between a fake connection and a given high. Still, since the offset between a fake connection and a given
real connection will be more or less constant for the lifetime of the real connection will be more or less constant for the lifetime of the
skipping to change at page 7, line 15 skipping to change at page 7, line 15
5. IANA Considerations 5. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
6. Acknowledgements 6. Acknowledgements
Matt Blaze and Jim Ellis contributed some crucial ideas to RFC 1948, Matt Blaze and Jim Ellis contributed some crucial ideas to RFC 1948,
on which this document is based. Frank Kastenholz contributed on which this document is based. Frank Kastenholz contributed
constructive comments to that memo. constructive comments to that memo.
The authors of this document woul like to thank (in chronological The authors of this document would like to thank (in chronological
order) Alfred Hoenes, Lloyd Wood, Lars Eggert, Joe Touch, William order) Alfred Hoenes, Lloyd Wood, Lars Eggert, Joe Touch, William
Allen Simpson, Tim Shepard, Wesley Eddy, and Anantha Ramaiah, for Allen Simpson, Tim Shepard, Wesley Eddy, Anantha Ramaiah, and Ben
providing valuable comments on earlier versions of this document. Campbell, for providing valuable comments on earlier versions of this
document.
Fernando Gont would like to thank the United Kingdom's Centre for the Fernando Gont would like to thank the United Kingdom's Centre for the
Protection of National Infrastructure (UK CPNI) for their continued Protection of National Infrastructure (UK CPNI) for their continued
support. support.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
skipping to change at page 13, line 20 skipping to change at page 13, line 20
updated and moved to an Appendix. updated and moved to an Appendix.
o The recommended hash algorithm has been changed to SHA-256, in o The recommended hash algorithm has been changed to SHA-256, in
response to the security concerns for MD5 [RFC1321]. response to the security concerns for MD5 [RFC1321].
o Formal requirements ([RFC2119]) are specified. o Formal requirements ([RFC2119]) are specified.
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
Universidad Tecnologica Nacional / Facultad Regional Haedo UTN-FRH / SI6 Networks
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
Argentina Argentina
Phone: +54 11 4650 8472 Phone: +54 11 4650 8472
Email: fernando@gont.com.ar Email: fernando@gont.com.ar
URI: http://www.gont.com.ar URI: http://www.si6networks.com
Steven M. Bellovin Steven M. Bellovin
Columbia University Columbia University
1214 Amsterdam Avenue 1214 Amsterdam Avenue
MC 0401 MC 0401
New York, NY 10027 New York, NY 10027
US US
Phone: +1 212 939 7149 Phone: +1 212 939 7149
Email: bellovin@acm.org Email: bellovin@acm.org
 End of changes. 18 change blocks. 
34 lines changed or deleted 35 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/