Re: [p2p-hackers] IETF rejects Obfuscated TCP

[Eric Rescorla]

At Tue, 19 Aug 2008 20:57:33 -0700,
Alex Pankratov wrote:
 
 CC'ing cryptography mail list as it may be of some interest to the 
 folks over there.
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:p2p-hackers-
  [EMAIL PROTECTED] On Behalf Of Lars Eggert
  Sent: August 19, 2008 5:34 PM
  To: David Barrett; theory and practice of decentralized computer
  networks
  Subject: Re: [p2p-hackers] IETF rejects Obfuscated TCP
  
  On 2008-8-19, at 17:20, ext David Barrett wrote:
   On Tue, 19 Aug 2008 4:19 pm, Lars Eggert wrote:
   Actually, in 1994, the IETF standardized Transactional TCP (T/TCP)
  in
   RFC1644, which allows just that. However, there are serious DDoS
   issues with T/TCP which have prevented it seeing significant
   deployment.
  
   Hm, I'm sorry I don't know the history there -- why is this more
   costly
   or abusive than SSL over standard TCP?  Is it due to something
   specific
   to SSL, or due to it a simple lack of congestion control on those
   first
   payloads?
  
  
  The issue is unrelated to a specific kind of SYN payload (SSL or
  otherwise.) The issue is that a SYN flood of SYNs with data consumes
  much more memory on the receiver than a regular SYN flood, because the
  receiver is obligated to cache the data if a T/TCP liveness check
  fails. You can't use SYN cookies with data SYNs, either.
 
 This is just a quick thought, but a variation of SYN cookies for TLS
 appears to be quite easy to do. It does require defining new record 
 type, but latter is permitted by TLS spec as per Section 6, RFC 2246.
 
 The idea, obviously, is to include a copy of ClientHello message in a
 second batch of records sent by the client. This should allow server
 to generate ServerKeyExchange parameters from the original ClientHello
 message (ClientHello.random + IP/port quintet + server cookie secret),
 then discard ClientHello and delay creating the state .. exactly the
 same way SYN cookies mechanism does it.

May I ask what you're trying to accomplish? Recall that TLS doesn't
start until a TCP connection has been established, so there's
aready a proof of the round trip.

That said, a mechanism of this type has already been described
for DTLS (RFC 4347), so no new invention would be needed.

-Ekr

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: [p2p-hackers] IETF rejects Obfuscated TCP

[[EMAIL PROTECTED]]

 May I ask what you're trying to accomplish?

I assume http://code.google.com/p/obstcp/ which uses the TCP
connection setup to do a key agreement. Slick but apparently
susceptible to DoS.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

RE: [p2p-hackers] IETF rejects Obfuscated TCP

[Alex Pankratov]

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-
 [EMAIL PROTECTED] On Behalf Of Eric Rescorla
 Sent: August 20, 2008 10:31 AM
 To: Alex Pankratov
 Cc: 'theory and practice of decentralized computer networks';
 cryptography@metzdowd.com
 Subject: Re: [p2p-hackers] IETF rejects Obfuscated TCP

[snip]

 May I ask what you're trying to accomplish? Recall that TLS doesn't
 start until a TCP connection has been established, so there's
 aready a proof of the round trip.
 
 That said, a mechanism of this type has already been described
 for DTLS (RFC 4347), so no new invention would be needed.

My comment was in a context of a thread discussing Obfuscated TCP.

One of the suggestions was to piggyback SSL handshake on TCP 
handshake, to which someone pointed at an issue with SYN-flood 
like DoS attacks. My response was to the latter comment.

Alex

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]