One document matched: draft-shepard-tcp-reassign-port-number-00.txt
Network Working Group Tim Shepard
INTERNET DRAFT July 12, 2004
Expires: January 13, 2005
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
or will be disclosed, and any of which I become aware will be
disclosed, in accordance with RFC 3668.
Reassign Port Number option for TCP
draft-shepard-tcp-reassign-port-number-00.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than a "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
Most TCP connections are protected from spoofing attacks from off-
path attackers by their obscurity. This memo suggests that the few
TCP connections that aren't so protected today may be protected by
making them obscure by using random values for both port numbers.
The obvious difficulty with this approach is that the well-known port
Shepard Expires January 13, 2005 [Page 1]
draft-shepard-tcp-reassign-port-number-00.txt July 2004
number is required on the initial SYN to connect to the desired
service. A TCP option is proposed which can be used during the SYN
and SYN-ACK exchange to request (and accomplish) reassignment of the
well known port number to a random value.
Introduction
Communication on the Internet today typically involves no end-to-end
cryptography and is therefore secured only as much as the entire path
of routers and links between the two communicating parties is
secured. More robust methods of securing end-to-end communication
involving cryptography have been developed but have only seen limited
deployment. Most communication on the Internet today remains
vulnerable to an attacker who is located somewhere along the path of
communication.
In the past few months a vulnerability of TCP connections to an off-
path attacker has raised concern. An attacker who merely knows of or
can surmise the existence of an active TCP connection can inject
packets into the connection with forged source addresses (making
packets arrive at one host with a source address which makes it
appear to have come from the other host), disrupting communication in
a variety of ways. These injected packets could come from distant
parts of the Internet, and tracing the true origin of packets with
forged source addresses can be difficult.
Even if the attacker's knowledge of the existence of the connection
is imperfect, the attacker may cover the unknown space rather quickly
by injecting many packets covering all of the possibilities.
To know completly of the existence of a TCP connection, an attacker
would need to know the IP addresses of the two endpoints and the two
16-bit TCP port numbers in use by the TCP connection. If this much
is known to an attacker, then the only hurdle remaining for the
attacker's forged packets is the sequence number acceptability test
where the 32-bit sequence number in the TCP header of the arriving
packet is tested to see if it is in-window.
The RFC1323 window scale option, makes the fraction of TCP sequence
space that is acceptable potentially quite large (as much as 1/4 of
the 32-bit sequence number space).
The RFC1323 timestamp option would seem to help, but packets without
the RFC1323 timestamp option can still cause disruption---RSTs
without a timestamp option generally need to be accepted and
processed (e.g. in case a dialup user hangs up and a new dialup user
sends RSTs in response to arriving TCP packets). Also note that no
known implementations include a timestamp option on RST packets.
Shepard Expires January 13, 2005 [Page 2]
draft-shepard-tcp-reassign-port-number-00.txt July 2004
In most cases, TCP connections as implemented and used by
applications today are robust against spoofing attacks simply because
the attacker has no way of learning or knowing of the existence of
the TCP connection (identified by the two IP addresses and the two
16-bit port numbers). The vulnerability comes when the off-path
attacker can, for a long-lived TCP connection, obtain or surmise the
IP addresses and port numbers involved, or sufficiently narrow the
possibilities so that the search space is small enough to allow the
attacker to exhaustively enumerate the remaining possibilities. In
particular, this can happen if the IP addresses involved and one of
the port numbers are known, leaving only one 16-bit port number
unknown. In the case of some services listening on a well-known port
(such as BGP, SSH, or XMPP), this situation is typical.
This memo suggest that the way to secure TCPs from spoofed packets
sent by off-path attackers is:
1. Don't reveal the port numbers, and
2. Use good random values for both port numbers.
The difficulty with doing this today is that typically a well-known
port number is used to find the server, and this would be difficult
to change. The remainder of this memo describes a TCP option which
can be used to negotiate a reassignment of the well-known port number
to a randomly assigned value as part of the SYN/SYN-ACK handshake
that occurs at the beginning of the connection.
The Reassign Port Number option carried on the SYN
A client wishing to have the server reassign the well-known port
number to a random value may include a Reassign Port Number option on
the segment that carries the SYN.
+---------+---------+
| Kind=99 |Length=2 |
+---------+---------+
(note: 99 is here as a place holder until an IANA assignment)
This option requests that the server reassign the port it will use
for this connection to a random value. The Destination Port field in
the TCP header itself will carry the normal well-known port number on
which the server is expected to be listening.
If the server does not implement this option, it will be ignored, and
the TCP connection will continue without any reassignment of port
Shepard Expires January 13, 2005 [Page 3]
draft-shepard-tcp-reassign-port-number-00.txt July 2004
numbers.
The Reassign Port Number option carried on the SYN ACK
If a server receives a SYN carrying the Reassign Port Number option,
then it will (as usual) use the Destination Port field in the segment
carrying the SYN to identify which listening socket it should be
associated with, but when creating the established socket, it may (if
it implements this option) reassign a random value to the local port
number, and return a SYN ACK with the newly assigned port number, and
include the Reassign Port Number option with the SYN ACK:
+---------+---------+---------+---------+
| Kind=99 |Length=4 | original port num |
+---------+---------+---------+---------+
(note: 99 is here as a place holder until an IANA assignment)
This SYN ACK will be received by the host that sent the SYN with the
Reassign Port Number request, and will have a pair of port numbers in
the TCP header which will not correspond to the port numbers in any
connection block the host has. The option, however, will provide the
client with the original port number of the server and allow the
connection block to be found. The client should process this
option on a SYN ACK when it fails to find a corresponding connection
block for TCP segment with both the SYN and ACK control bits turned
on. If the ACK of the client's SYN is correct, then the connection
block on the client can have the foreign port number overwritten with
the Source Port number from the TCP header.
Note that until the server receives an ACK of its SYN, and for some
time after that, it will need to be prepared to process any received
retransmissions of the original SYN which would still be directed at
the listening port number, and the server MUST ensure that the
processing of any such duplicate SYNs gets the same reassignment,
even if the duplicate SYNs do not carry the Reassign Port Number
option.
Steps a client may take to ensure robustness
The client MAY, upon any retransmission of the SYN, try removing the
Reassign Port Number option. A better strategy to cope with a broken
path (e.g. containing a NAT or some other connection tracking
middlebox that does not understand the remapping) would be for the
client, upon failure to establish a connection with the Reassign Port
Number option, would be to retry the connection from a new port
number without the Reassign Port Number option.
Shepard Expires January 13, 2005 [Page 4]
draft-shepard-tcp-reassign-port-number-00.txt July 2004
Implementors should carefully consider whether or not this option
should be on by default for all TCP connections. Most TCP
connections are already protected by their natural obscurity and/or
short lifetime. Setting this option on by default in a general
purpose operating system would probably cause many more failed
connections due to the meddling of middleboxes than connections saved
from spoofing attacks. In other words, there is potential to do more
harm then good.
Applications (such as BGP, JABBER, and perhaps SSH) may benefit from
code which explicitly requests the use of this option and carefully
manages the fallback to a connection attempt without this option.
Firewall and NAT considerations
(More thought may be needed here.)
Simple sorts of firewalls that disallow incoming TCP segments which
do not have an ACK control bit set (to disallow the initiation of TCP
connections from machines beyond the firewall) should not cause any
problem for this scheme.
Firewalls that track TCP connections, and NATs, will need to be aware
of this option and track the connection to the new port number. Any
such firewalls or NATs on the path that have not been upgraded to
handle this option will likely cause connection attempts using this
option to fail.
Upgrading firewalls and NATs to track this option should be
straightforward. (The simplest upgrade to a firewall that avoids
blocking connection attempts carrying this option would be to simply
strip this option from the TCP SYN segment, though that would leave
such connections more vulnerable to spoofed packets.)
Security Considerations
This memo describes a method of making it more difficult for an off-
path attacker to slip a spoofed packet into a TCP connection by
randomizing the port numbers involved (including what would normally
be a well-known port number), and recommends that the port numbers
not be revealed publicly (e.g. through any publicly-readable network
management databases). This method provides only a limited
enhancement of security, and does not come close to the robustness
that can be achieved by techniques employing end-to-end encryption of
the TCP segments (such as IPSEC).
Shepard Expires January 13, 2005 [Page 5]
draft-shepard-tcp-reassign-port-number-00.txt July 2004
IANA Considerations
A single new TCP option value will need to be assigned for the
Reassign Port Number option described above.
Author's Address:
Tim Shepard
122 Beech Street
Belmont, MA 02478
+1 617 489 7135
shep@alum.mit.edu
Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Shepard Expires January 13, 2005 [Page 6]
| PAFTECH AB 2003-2026 | 2026-04-21 01:37:55 |