One document matched: draft-ananth-tsvwg-timewait-00.txt
tsvwg A. Ramaiah
Internet-Draft P. Tate
Intended status: Informational Cisco Systems
Expires: January 7, 2009 July 6, 2008
Effects of port randomization with TCP TIME-WAIT state.
draft-ananth-tsvwg-timewait-00.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 7, 2009.
Ramaiah & Tate Expires January 7, 2009 [Page 1]
Internet-Draft Port randomization issues July 2008
Abstract
Source port randomization has been suggested to provide improved
security and obfuscation which helps in adding robustness towards
blind attacks. With TCP in practice, simply producing a random port
as the source port for a new connection can lead to problems when a
TCP client establishes connections to a TCP server at a high rate.
If the same source port value is chosen twice, the client TCP
connection can fail due to the server having the Transmission Control
Block (TCB) for this tuple lingering in TIME-WAIT state.
This memo discusses the ramifications of such source port reuse
scenarios and suggests some mitigations to avoid the same.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The TIME-WAIT problem . . . . . . . . . . . . . . . . . . . . 4
3. Approaches to avoid issues due to port randomization . . . . . 6
3.1. Recommended solution . . . . . . . . . . . . . . . . . . . 6
3.2. Implementation methods . . . . . . . . . . . . . . . . . . 6
3.2.1. Method 1: Bit Array and Timers . . . . . . . . . . . . 6
3.2.2. Method 2: Bit Array and Passive Timers . . . . . . . . 7
3.2.3. Method 3: 2-Bit Array and Timers . . . . . . . . . . . 7
4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
5. Informative References . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Intellectual Property and Copyright Statements . . . . . . . . . . 12
Ramaiah & Tate Expires January 7, 2009 [Page 2]
Internet-Draft Port randomization issues July 2008
1. Introduction
The draft [I-D.ietf-tsvwg-port-randomization] recommends that
transport protocols SHOULD allocate ephemeral port numbers randomly,
since this improves obfuscation of ephemeral port numbers and thus,
for relatively little cost, improves susceptibility to blind attacks.
Choosing random ephemeral ports can lead to problems when TCP clients
establish connections to TCP servers at a high rate or with a small
ephemeral port range. If an ephemeral port is randomly chosen twice
before the TCP server has closed a TCB in TIME-WAIT for the port,
this may result in connection failure or other side effects.
The subsequent sections of this document cover the issue in detail
and discuss solutions to the issue. The methods described in this
document are intended to complement and not replace those described
in [I-D.ietf-tsvwg-port-randomization] .
Ramaiah & Tate Expires January 7, 2009 [Page 3]
Internet-Draft Port randomization issues July 2008
2. The TIME-WAIT problem
When a TCP connection is actively closed by the server, it will keep
the TCB of the connection around in TIME-WAIT state for 2*MSL. The
passive closer (client) removes its TCB altogether (once it gets the
ACK for the FIN) for the connection and keeps no state. When the
client attempts a new connection to the server, if the random source
port selection algorithm returns the same source port as the previous
incarnation of this connection within the 2*MSL time period, one of
the following things can happen :
a) TIME-WAIT assassination of the server TCB. As per RFC 793, if the
SYN is in window, the server would respond with RST. If the SYN
is outside the window, an ACK would be sent back which would
solicit an RST back.
b) As per RFC 1122, some implementations would allow the SYN to be
accepted to reopen the connection directly from TIME-WAIT state,
if the sequence number of the SYN is larger than the largest
sequence number it used on the previous connection incarnation.
c) The SYN would be dropped by the server to prevent TIME-WAIT
assassination. This would cause the connection attempts from the
client to stall until the server TCB is destroyed.
It needs to be noted that TCP permits a condition known as
simultaneous close where both ends send FIN and therefore end up in
TIME-WAIT state. In such cases, since the source port selection is a
local decision, the new connection attempt can be made by choosing a
different source port than the previous incarnation. Of further
note, if the client initiates the FIN and thus is the active closer
of the connection, the client will retain a TCB in TIME-WAIT state,
such that the random port algorithm should not be able to return this
port as available.
a) and c) can be attributed to the side effects of port
randomization. The behavior b) cannot be guaranteed to be
implemented everywhere and also it depends on the sequence number
which may be chosen randomly as well. There are a few factors that
can lead to scenarios described above occurring more readily:
- The Random Number Generator(RNG) is poor leading to repeated
values often. It needs to be noted that with a stateless RNG,
frequent repetitions will occur (the birthday paradox).
Ramaiah & Tate Expires January 7, 2009 [Page 4]
Internet-Draft Port randomization issues July 2008
- The ephemeral port range that the client is utilizing is small and
not taking advantage of the large recommended port space which is
1024-65535. Moreover a host or a router can have many TCP
applications running, which can result in active as well as
passive connection opens which in turn puts a limit on the port
availability.
- The client is connecting to the server at a high rate, bringing up
and tearing down connections quickly with respect to 2*MSL time.
It is important to note that many applications (e.g., voice
applications, RTP, etc.) are not designed to be able to take
advantage of the full ephemeral port range and are required by the
design characteristics of the application to only use a subset of
these ports. Even if all applications are able to take advantage of
the full recommended ephemeral port range (1024 to 65535) and are
able to utilize a very good random number generator, the connection
rate can be high enough to lead to this TIME-WAIT problem.
One of the main motivations to write this document stems from the
fact that this issue was observed in the field with one of our voice
gateway products. The running code had the TCP/IP stack where the
source ports were randomized. The client application was the
Interactive Voice Response (IVR) HTTP client which fetches VXML
documents from a VXML server (Windows 2003) and does audio playback.
When the connection load increased, many server connections were left
hanging around in TIME-WAIT state. The port randomization algorithm
on the client sometimes returned repeated port values, which resulted
in the server dropped the SYN packets. This indirectly affected the
connection rate and caused users to view this as a failure of the IVR
application. This problem did not occur in earlier versions of the
TCP/IP stack which did not include port randomization but instead
returned sequential ports.
Ramaiah & Tate Expires January 7, 2009 [Page 5]
Internet-Draft Port randomization issues July 2008
3. Approaches to avoid issues due to port randomization
3.1. Recommended solution
The solution lies in the client to avoid reusing the same source port
for a duration of the server's TIME-WAIT state after it has passively
closed the connection. Since many servers may have varying TIME-WAIT
timeouts, it is recommended that length of the timer SHOULD be 2*MSL
or 4 minutes. It needs to be noted that the TCB and connection
resources can be released and only the source port would be marked
unusable for this duration.
3.2. Implementation methods
The following subsections list some possible implementation methods
for this issue.
3.2.1. Method 1: Bit Array and Timers
One approach to solving this problem is to utilize a bit array
representing each possible port. Each bit represents one of the
ephemeral ports 1024 to 65535. If the bit is 0, the port is
available for use and if the bit is 1, the port is unavailable for
use.
When a connection is opened using an ephemeral port, the bit is set
to 1 in the bit array. When a connection is actively closed and
transitions from TIME-WAIT to CLOSED and the TCB is removed, the bit
representing the port is returned to 0. When a connection is
passively closed, no change is made to the bit array. Instead, a
timer is started for 2*MSL, and when it expires, the bit representing
this port number in the bit array is returned to 0.
The algorithm for generating random port numbers can then consult the
bit array before returning a port as available. If it is
unavailable, find another port number instead to try. Any of the 4
algorithms for finding ports described in
[I-D.ietf-tsvwg-port-randomization] can still be used with this
approach. This approach simply means the check:
if (five-tuple is unique)
includes consulting the bit array of ports to determine if a port is
available.
It is also important to note that this easily can be the same bit
array referred to in [I-D.ietf-tsvwg-port-randomization] to keep the
user-specific server ports from being returned by the random port
Ramaiah & Tate Expires January 7, 2009 [Page 6]
Internet-Draft Port randomization issues July 2008
number algorithm. The user-specific server ports can be reserved
using the bit array by setting the bits corresponding to the user-
specific server ports to 1. E.g., the setting of these bits could be
performed when the listening port is opened.
3.2.2. Method 2: Bit Array and Passive Timers
This is same as the above except with the following variation. The
timer mentioned could be a passive timer, in the sense that instead
of having an active timer running for each port, we could simply
record the timestamp during connection closure. A recurring timer
(background process) which awakens every 2*MSL would scan the array
and release all the ports whose timestamps have elapsed are >= 2*MSL
from the recorded timestamp. This has the drawback that the port
reuse duration is indeterministic (i.e. somewhere between 2*MSL and
4*MSL)
Another slight variation of the above scheme would be to not have
timer (background process) at all. This is an on-demand approach,
which relies on checking whether the source port satisfies the
condition or not (i.e. 2*MSL has elapsed or not) at the time the port
request happens (during bind() or implicit bind()). The issue with
this scheme is that you will have the array maintained for a longer
period of time and also extra latency incurred to make sure whether
the port is safe to be re-used.
3.2.3. Method 3: 2-Bit Array and Timers
The cost of implementing the approach described in 3.1 is relatively
low in terms of memory space for the bit array (~8KBytes) , but may
possibly require a timer running for all 64535 ephemeral ports. An
alternative approach is to utilize a 2-bit array and a single timer
or sleeping (background) process.
Two bits in the array are used to represent state for each port. A
bit setting of 00 indicates the port is available for use. A bit
setting of 01 indicates a port is in use. When a connection is
actively closed and transitions from TIME-WAIT to CLOSED and the TCB
is removed, the bits representing the port are restored to 00. When
a connection is passively closed, the bits representing the port are
set to 10.
A single timer or sleeping process can be used to expire or awaken at
an interval of 2*MSL. When this timer event occurs or the process
awakens, all ports in the table with bits set to 10 are set to 11,
indicating the ports are ready to be released. All ports in the
table with bits set to 11 are then set to 00, and these ports are now
available for use.
Ramaiah & Tate Expires January 7, 2009 [Page 7]
Internet-Draft Port randomization issues July 2008
This approach is similar to the approach mentioned in 3.2 except that
it uses bit array to store the port state instead of having to store
a timestamp which denotes the port release time.
Ramaiah & Tate Expires January 7, 2009 [Page 8]
Internet-Draft Port randomization issues July 2008
4. Acknowledgments
Thanks to James Polk for his useful suggestions. Thanks to Jason Kuo
for his insight into the workings of the IVR client application.
Special thanks to Siva Yaragalla for his comments and suggestions on
various aspects of this draft.
Ramaiah & Tate Expires January 7, 2009 [Page 9]
Internet-Draft Port randomization issues July 2008
5. Informative References
[I-D.ietf-tsvwg-port-randomization]
Larsen, M. and F. Gont, "Port Randomization",
draft-ietf-tsvwg-port-randomization-01 (work in progress),
February 2008.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, September 1981.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Ramaiah & Tate Expires January 7, 2009 [Page 10]
Internet-Draft Port randomization issues July 2008
Authors' Addresses
Anantha Ramaiah
Cisco Systems
170 Tasman Drive
San Jose, CA 95134
USA
Phone: +1 (408) 525-6486
Email: ananth@cisco.com
Patrick Tate
Cisco Systems
4055 Faber Place Drive
Suit 100
North Charleston, South Carolina 29405
USA
Phone: +1 (678) 352-2730
Email: ptate@cisco.com
Ramaiah & Tate Expires January 7, 2009 [Page 11]
Internet-Draft Port randomization issues July 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Ramaiah & Tate Expires January 7, 2009 [Page 12]
| PAFTECH AB 2003-2026 | 2026-04-22 06:24:41 |