Internet DRAFT - draft-wing-nat-reveal-option

draft-wing-nat-reveal-option






Network Working Group                                     A. Yourtchenko
Internet-Draft                                                   D. Wing
Intended status:  Standards Track                                  cisco
Expires:  June 10, 2012                                 December 8, 2011


         Revealing hosts sharing an IP address using TCP option
                    draft-wing-nat-reveal-option-03

Abstract

   When an IP address is shared among several subscribers -- with a NAT
   or with an application-level proxy -- it is impossible for the server
   to differentiate between different clients.  Such differentiation is
   valuable in several scenarios.  This memo describes a technique to
   differentiate TCP clients sharing an IP address.  The proposed method
   uses a TCP option, which avoids altering the application-level
   payload and works well with SSL-protected connections.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 10, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal



Yourtchenko & Wing        Expires June 10, 2012                 [Page 1]

Internet-Draft          User Hint via TCP option           December 2011


   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  Description . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     3.1.  Operation of Address Sharing Device . . . . . . . . . . . . 4
     3.2.  Operation of the TCP Server . . . . . . . . . . . . . . . . 4
     3.3.  Reusing the USER_HINT value . . . . . . . . . . . . . . . . 4
   4.  USER_HINT Option Format . . . . . . . . . . . . . . . . . . . . 5
   5.  Interaction with other TCP Options  . . . . . . . . . . . . . . 5
     5.1.  Option Space  . . . . . . . . . . . . . . . . . . . . . . . 5
     5.2.  Multipath TCP (MPTCP) . . . . . . . . . . . . . . . . . . . 6
     5.3.  Authentication Option (TCP-AO)  . . . . . . . . . . . . . . 6
   6.  Interaction with TCP SYN Cookies  . . . . . . . . . . . . . . . 6
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 8
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 8
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 8
     10.1. Normative References  . . . . . . . . . . . . . . . . . . . 8
     10.2. Informative References  . . . . . . . . . . . . . . . . . . 8
   Appendix A.  Change History . . . . . . . . . . . . . . . . . . . . 9
     A.1.  Changes from draft-wing-nat-reveal-option-01 to -02 . . . . 9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 9


















Yourtchenko & Wing        Expires June 10, 2012                 [Page 2]

Internet-Draft          User Hint via TCP option           December 2011


1.  Introduction

   When clients are allocated unique, publicly-routable IPv4 addresses,
   it is easy to associate certain characteristics with their IP
   address.  For example, if an IP address sends a lot of spam, that IP
   address is classified by many public (and private) system as "a
   spammer".  Such classification can cause email or other traffic from
   that IP address to be blocked, rate limited, challenged with a
   captcha, or to receive other treatment.  Reputation systems of
   various sorts exist for a wide variety of services on the Internet
   including IMAP, HTTP, ssh -- often these systems will slow down or
   interfere with normal login attempts when a dictionary attack is
   detected.  An IP address can be added to a multitude of 'reputation'
   systems.  Some of these systems are distributed across the Internet,
   some are shared amongst consenting parties, and some are operated by
   individual enterprises or individual hosts.  Further discussion of
   the impacts of address sharing can be found in
   [I-D.ietf-intarea-shared-addressing-issues].

   With the exhaustion of the IPv4 address space, IPv4 addresses will be
   shared on a large scale.  This sharing will persist long after IPv6
   is ubiquitous -- in fact, IPv4 address sharing will persist until all
   content and services on the Internet are available over IPv6.  Once
   all content and services are available over IPv6, an Internet service
   provider will no longer need to provide access to the IPv4 Internet.

   Until that time, both legitimate users and attackers will share IPv4
   addresses.  This IP address sharing means legitimate users will share
   the reputation of attackers.

   This document describes a TCP option which can be added by an address
   sharing device such as a NAT or an application-level proxy.  This TCP
   option allows a TCP server to differentiate between the TCP clients
   sharing that IP address.

   An analysis of other techniques is available in
   [I-D.boucadair-intarea-nat-reveal-analysis].


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC2119 [RFC2119].

   subscriber:  the client accessing an address sharing device, who is
   responsible for the actions of their device(s).  This might be an
   individual handset (with mobile devices), a home Internet connection,



Yourtchenko & Wing        Expires June 10, 2012                 [Page 3]

Internet-Draft          User Hint via TCP option           December 2011


   a small-medium business Internet connection, a University dormitory
   room, an individual employee of a company, or the company itself.


3.  Description

   This proposal defines one new TCP option, USER_HINT, to contain the
   TCP client's 16 bit identifier.  This value might be the lower 16
   bits of their IPv4 address, their VLAN ID, VRF ID, subscriber ID, or
   similar.  The address sharing device (NAT, application proxy) would
   add the TCP option to the TCP SYN packet.  TCP options are treated
   outside of the TCP sequence space, so no modifications of either
   sequence or acknowledgement numbers are needed.

3.1.  Operation of Address Sharing Device

   The address sharing device inserts the USER_HINT option into the TCP
   SYN, as depicted below.  If the TCP SYN already has a USER_HINT
   option present, it is ignored and over-written with the new value.

   TCP CLIENT    proxy, NAT64, NAT44              TCP SERVER
   ----------    -------------------              ----------
       |                 |                              |
       |---TCP SYN------>|                              |
       |                 |---TCP SYN, USER_HINT=12345-->|
      ...               ...                            ...

3.2.  Operation of the TCP Server

   The TCP server identifies the client by combining the source IPv4
   address in the IP header with the data in the USER_HINT option.  This
   can be implemented by modifying the TCP stack to make the USER_HINT
   data available to the application via an API (e.g., via a socket
   option).

3.3.  Reusing the USER_HINT value

   The USER_HINT value is only 16 bits, so is obviously not globally
   unique.  Even when combined with the publicly-routable IP address,
   the additional 16 bits are still not guaranteed to uniquely identify
   a particular subscriber.  Out of necessity, the numbering space will
   be re-used by some address sharing devices, especially address
   sharing devices that are sharing many users on one IP address.  As
   with today's IPv4 addresses which are assigned by an ISP,
   deterministically associating the IPv4 address (or IPv4 address and
   USER_HINT) with a particular subscriber requires more than simply
   completing a TCP 3-way handshake.  For example, over a single day, an
   address sharing device might serve tens of thousands of different



Yourtchenko & Wing        Expires June 10, 2012                 [Page 4]

Internet-Draft          User Hint via TCP option           December 2011


   subscribers from the same shared IP address, and thus it will need to
   rotate through the 16 bit USER_HINT space several times during the
   day.  When doing so, the USER_HINT MUST NOT be re-used more often
   than every 2 minutes (a number chosen out of thin air); if an address
   sharing device needs to re-use a USER_HINT value more often than
   that, it should use additional IP addresses (to reduce how quickly
   the USER_HINT space is consumed on each address) or simply send TCP
   SYNs without USER_HINT until 2 minutes have elapsed.  This 2 minute
   delay is necessary to allow the reputation system on a TCP server to
   differentiate between subscribers.  For most implementations, the
   port sharing ratio (rather than a timer) is sufficient to meet this
   requirement.


4.  USER_HINT Option Format

   The USER_HINT option is always 4 bytes long, with 16 bits of
   USER_HINT data

                +--------+--------+-----------------------+
                |xxxxxxxx|00000100|    USER_HINT data     |
                +--------+--------+-----------------------+
                Kind=TBD  Length=4

   User Hint option data:  16 bits.

   If this option is present, it differentiates between active TCP hosts
   sharing the same IP address.  This field MUST only be sent in the
   initial connection request (i.e., in segments with the SYN control
   bit set), or in the first ACK if the server's SYN contained the
   USER_HINT option.


5.  Interaction with other TCP Options

   This section details how USER_HINT functions in conjunction with
   other TCP options.

5.1.  Option Space

   As discussed in Appendix A of Multipath TCP (MPTCP)
   [I-D.ietf-mptcp-multiaddressed], there is a maximum of 40 bytes for
   TCP options, and a typical SYN (with MSS, window scale, SACK
   permitted, and timestamp options) leaves 16 bytes spare (if the
   options are word-aligned) or 21 bytes spare (if the options are not
   word-aligned).

   Thus, the 4 byte option proposed in this memo would not cause a



Yourtchenko & Wing        Expires June 10, 2012                 [Page 5]

Internet-Draft          User Hint via TCP option           December 2011


   problem with a typical TCP SYN.

5.2.  Multipath TCP (MPTCP)

   If the TCP client supports Multipath TCP (MPTCP)
   [I-D.ietf-mptcp-multiaddressed], the client will include the
   Multipath Capable or Multipath Join options to the TCP SYN.  The
   Multipath Capable (MP_CAPABLE) option consumes 12 bytes, so a SYN
   containing all of these options would fully consume the 40 byte SYN
   option space.  The Multipath Join (MP_JOIN) can consumes 12 or 16
   bytes, but it is only used after successful early exchange containing
   the MP_CAPABLE option.  Thus, there is reason to include USER_HINT if
   MP_JOIN is present in the TCP SYN -- if the MP_JOIN is not valid, it
   will be rejected by the server without creating any state on the
   server.  Furthermore, if a client TCP is multi-homed, the client's
   TCP connections will probably go through different address sharing
   devices and thus have different externally-visible IP addresses and
   different USER_HINT values.  Thus, it is NOT RECOMMENDED to include
   the USER_HINT option if the TCP SYN contains the MP_JOIN option.

5.3.  Authentication Option (TCP-AO)

   The USER_HINT option is incompatible with the Authentication Option
   (TCP-AO) [RFC5925], because TCP-AO provides integrity protection of
   the TCP SYN, including TCP options.  However, TCP-AO is already
   incompatible with address sharing, because TCP-AO provides integrity
   protection of the source IP address.


6.  Interaction with TCP SYN Cookies

   TCP SYN cookies [RFC4987] are commonly deployed to mitigate TCP SYN
   attacks, which have some side effects.  The USER_HINT information in
   the TCP SYN provides the TCP server with additional information it
   can use when deciding if this TCP connection attempt should be
   answered with a SYN cookie or should be answered normally.  In the
   event the TCP server does not (or cannot) store the USER_HINT data,
   the USER_HINT data can be re-established on the TCP server when the
   client's first ACK is sent.  There is a slight risk, however, that
   the client's first ACK, as seen by the middlebox, might contain data.
   If it does contain data, adding another 4 bytes to the packet could
   cause MTU to be exceeded.









Yourtchenko & Wing        Expires June 10, 2012                 [Page 6]

Internet-Draft          User Hint via TCP option           December 2011


      TCP CLIENT         proxy, NAT64, NAT44               TCP SERVER
      ----------         -------------------               ----------
          |                      |                              |
          |---TCP SYN----------->|                              |
      1.  |                      |---TCP SYN, USER_HINT=12345-->|
      2.  |                      |<--TCP SYNACK, USER_HINT=8988-|
      3.  |<--TCP SYNACK---------|                              |

          :                      :                              :

      4a. |---TCP ACK (no data)->|                              |
      4a. |                      |---TCP ACK, USER_HINT=8988--->|
          |                      |                              |

          :                      :                              :

      4b. |---TCP ACK (data)---->|                              |
      4b. |                      |---TCP ACK------------------->|


   The procedure is as follows:

   1.  Upon receiving a TCP SYN containing the USER_HINT option, the TCP
       server MAY respond to a SYN containing USER_HINT with an ACK
       packet containing its own USER_HINT value.  (Note:  this ACK
       response will typically have the SYN bit set.)  If the server
       does not include the USER_HINT in its ACK packet, processing
       stops.

   2.  The middlebox, upon seeing the USER_HINT in the ACK, records
       those 2 bytes, which are used in a later step.

   3.  The middlebox strips the USER_HINT from the ACK, so it is not
       received by the TCP client.  The middlebox sends the TCP ACK,
       without its USER_HINT option, to the TCP client.

   4.  The TCP client responds normally, generating a TCP ACK.

   5.  The middlebox receives an ACK from the TCP client.  This ACK will
       either contain:

       A.  no data, which causes the middlebox to add the USER_HINT
           value (from step 2) to the TCP ACK

       B.  data, which causes the middlebox to simply forward the ACK
           packet.  This is done to avoid MTU problems between the
           middlebox and the TCP server.




Yourtchenko & Wing        Expires June 10, 2012                 [Page 7]

Internet-Draft          User Hint via TCP option           December 2011


   State is required in the address sharing device to perform the steps
   described in this section.  This isn't a disaster with stateful
   address sharing (e.g., NAPT).  However, in an A+P-like system (e.g.,
   [I-D.ymbk-aplusp], [I-D.despres-intarea-4rd]), the CPE would need to
   perform the USER_HINT function, which introduces additional security
   considerations (not yet discussed in this version of the document).


7.  Security Considerations

   An attacker might use this functionality to appear as if IP address
   sharing is occurring, in the hopes that a naive server will allow
   additional attack traffic.  TCP servers and applications SHOULD NOT
   assume the mere presence of the functionality described in this paper
   indicates there are other (benign) users sharing the same IP address.


8.  Acknowledgements

   Thanks to Anantha Ramaiah for the discussion.  Thanks to Senthil
   Sivakumar for his review.


9.  IANA Considerations

   Assign a new TCP option number (kind value), USER_HINT.


10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5925]  Touch, J., Mankin, A., and R. Bonica, "The TCP
              Authentication Option", RFC 5925, June 2010.

10.2.  Informative References

   [I-D.boucadair-intarea-nat-reveal-analysis]
              Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Solution Candidates to Reveal a Host
              Identifier in Shared Address Deployments",
              draft-boucadair-intarea-nat-reveal-analysis-04 (work in
              progress), September 2011.

   [I-D.despres-intarea-4rd]



Yourtchenko & Wing        Expires June 10, 2012                 [Page 8]

Internet-Draft          User Hint via TCP option           December 2011


              Despres, R., Matsushima, S., Murakami, T., and O. Troan,
              "IPv4 Residual Deployment across IPv6-Service networks
              (4rd) ISP-NAT's made optional",
              draft-despres-intarea-4rd-01 (work in progress),
              March 2011.

   [I-D.ietf-intarea-shared-addressing-issues]
              Ford, M., Boucadair, M., Durand, A., Levis, P., and P.
              Roberts, "Issues with IP Address Sharing",
              draft-ietf-intarea-shared-addressing-issues-05 (work in
              progress), March 2011.

   [I-D.ietf-mptcp-multiaddressed]
              Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
              "TCP Extensions for Multipath Operation with Multiple
              Addresses", draft-ietf-mptcp-multiaddressed-04 (work in
              progress), July 2011.

   [I-D.ymbk-aplusp]
              Bush, R., "The A+P Approach to the IPv4 Address Shortage",
              draft-ymbk-aplusp-10 (work in progress), May 2011.

   [RFC4987]  Eddy, W., "TCP SYN Flooding Attacks and Common
              Mitigations", RFC 4987, August 2007.


Appendix A.  Change History

   [Note to RFC Editor:  Please remove this section prior to
   publication.]

A.1.  Changes from draft-wing-nat-reveal-option-01 to -02

   o  Limit option value to 16 bits (which becomes 32 bits total with
      the 8 bit option number and 8 bit length)

   o  described how USER_HINT can work successfully with Multipath TCP
      (MPTCP)'s options.

   o  Better described operation with TCP SYN Cookies.

   o  Renamed option from CX-ID to USER_HINT









Yourtchenko & Wing        Expires June 10, 2012                 [Page 9]

Internet-Draft          User Hint via TCP option           December 2011


Authors' Addresses

   Andrew Yourtchenko
   Cisco Systems, Inc.
   6a de Kleetlaan
   Diegem  1831
   BE

   Phone:  +32 2 704 5494
   Email:  ayourtch@cisco.com


   Dan Wing
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose  CA 95134
   USA

   Email:  dwing@cisco.com
































Yourtchenko & Wing        Expires June 10, 2012                [Page 10]