Internet DRAFT - draft-gont-tcpm-tcp-seccomp-prec

draft-gont-tcpm-tcp-seccomp-prec






TCP Maintenance and Minor Extensions                             F. Gont
(tcpm)                                            UTN-FRH / SI6 Networks
Internet-Draft                                            March 29, 2012
Updates: 793 (if approved)
Intended status: Standards Track
Expires: September 30, 2012


Processing of IP Security/Compartment and Precedence Information by TCP
                draft-gont-tcpm-tcp-seccomp-prec-00.txt

Abstract

   This document discusses the security and interoperability problems
   that may arise as a result of the processing of IP security/
   compartment and precedence information by TCP.  Additionally, it
   formally updates RFC 793 such that these issues are mitigated.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 30, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as



Gont                   Expires September 30, 2012               [Page 1]

Internet-Draft     Processing of IP layer information         March 2012


   described in the Simplified BSD License.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Updating RFC 793  . . . . . . . . . . . . . . . . . . . . . . . 4
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 4
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     6.1.  Normative References  . . . . . . . . . . . . . . . . . . . 4
     6.2.  Informative References  . . . . . . . . . . . . . . . . . . 5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 5





































Gont                   Expires September 30, 2012               [Page 2]

Internet-Draft     Processing of IP layer information         March 2012


1.  Introduction

   Section 3.9 (page 71) of RFC 793 [RFC0793] states that if the IP
   security/compartment and precedence of an incoming segment does not
   exactly match the security/compartment in the TCB, a RST segment
   should be sent, and the connection should be aborted.

      A discussion of the IP security options relevant to this section
      can be found in Section 3.13.2.12, Section 3.13.2.13, and Section
      3.13.2.14 of [RFC6274].

   This certainly provides another attack vector for performing
   connection-reset attacks, as an attacker could forge TCP segments
   with a security/compartment that is different from that recorded in
   the corresponding TCB and, as a result, the attacked connection would
   be reset.

      It is interesting to note that for connections in the ESTABLISHED
      state, this check is performed after validating the TCP Sequence
      Number and checking the RST bit, but before validating the
      Acknowledgement field.  Therefore, even if the stricter validation
      of the Acknowledgement field (described in Section 3.4) was
      implemented, it would not help to mitigate this attack vector.

   Resetting a connection due to a change in the Precedence value could
   also have a negative impact on interoperability.  For example, the
   packets that correspond to a TCP connection could temporarily take a
   different internet path, in which some middle-box could re-mark the
   Precedence field (due to administration policies at the network to be
   transited).  In such a scenario, an implementation following the
   advice in RFC 793 would abort the connection, when the connection
   would have otherwise probably survived.

   While the IPv4 Type of Service field (and hence the Precedence field)
   has been redefined by the Differentiated Services (DS) field
   specified in RFC 2474 [RFC2474], RFC 793 [RFC0793] was never formally
   updated in this respect.  We note that both legacy systems that have
   not been upgraded to implement the differentiated services
   architecture described in RFC 2475 [RFC2475] and current
   implementations that have extrapolated the discussion of the
   Precedence field to the Differentiated Services field may still be
   vulnerable to the connection reset vector discussed in Section 1.

   Section 2 formally updates RFC 793 [RFC0793] such that these issues
   are mitigated.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this



Gont                   Expires September 30, 2012               [Page 3]

Internet-Draft     Processing of IP layer information         March 2012


   document are to be interpreted as described in RFC 2119 [RFC2119].


2.  Updating RFC 793

   If the IP security/compartment field of an incoming TCP segment does
   not match the value recorded in the corresponding TCB, TCP MUST NOT
   abort the connection, but simply discard the corresponding packet.
   Additionally, this whole event SHOULD be logged as a security
   violation.

   If the IP Differentiated Services field of an incoming TCP segment
   does not match the value recorded in the corresponding TCB, TCP MUST
   NOT abort the corresponding connection.


3.  IANA Considerations

   This document has no IANA actions.  The RFC Editor is requested to
   remove this section before publishing this document as an RFC.


4.  Security Considerations

   This document discusses the processing of the IP security/compartment
   and precedence information, and the interoperability and security
   implications that arise from it.  It updates RFC 793 such that the
   aforementioned issues are eliminated.


5.  Acknowledgements

   This document is based on the technical report "Security Assessment
   of the Transmission Control Protocol (TCP)" [CPNI-TCP] written by
   Fernando Gont on behalf of the UK CPNI.

   Fernando Gont would like to thank the UK CPNI for their continued
   support.


6.  References

6.1.  Normative References

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate



Gont                   Expires September 30, 2012               [Page 4]

Internet-Draft     Processing of IP layer information         March 2012


              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474,
              December 1998.

   [RFC2475]  Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z.,
              and W. Weiss, "An Architecture for Differentiated
              Services", RFC 2475, December 1998.

6.2.  Informative References

   [CPNI-TCP]
              Gont, F., "CPNI Technical Note 3/2009: Security Assessment
              of the Transmission Control Protocol (TCP)", 2009, <http:/
              /www.gont.com.ar/papers/
              tn-03-09-security-assessment-TCP.pdf>.

   [RFC6274]  Gont, F., "Security Assessment of the Internet Protocol
              Version 4", RFC 6274, July 2011.


Author's Address

   Fernando Gont
   UTN-FRH / SI6 Networks
   Evaristo Carriego 2644
   Haedo, Provincia de Buenos Aires  1706
   Argentina

   Phone: +54 11 4650 8472
   Email: fgont@si6networks.com
   URI:   http://www.si6networks.com

















Gont                   Expires September 30, 2012               [Page 5]