Re: [PATCH] tcp: sysctl to disable TCP simultaneous connect
From: Willy Tarreau
Date: Fri Feb 15 2013 - 02:58:19 EST
On Thu, Feb 14, 2013 at 11:10:46PM -0800, Eric W. Biederman wrote:
> Kees Cook <keescook@xxxxxxxxxxxx> writes:
> > On Thu, Feb 14, 2013 at 9:30 PM, Eric W. Biederman
> > <ebiederm@xxxxxxxxxxxx> wrote:
> >> Kees Cook <keescook@xxxxxxxxxxxx> writes:
> >>> The patch would not break it -- it defaults the sysctl to staying enabled.
> >>> If you mean the documentation should be updated, sure, that's easy to do.
> >>> David: I know you aren't a fan of this patch, but I'd like to try to
> >>> convince you. :) This leaves the feature enabled and add a toggle for
> >>> systems (like Chrome OS) that don't want to risk this DoS at all.
> >>> There are so very many other toggle, I don't see why this one would be
> >>> a problem to add.
> >> Chrome OS has no plans to implement webrtc? Last I had read that
> >> support had been added to the release versions of Chrome, and was in the
> >> development builds of firefox. I really don't belive that there are
> >> many systems that don't intend to run a web browser.
> > I haven't looked at the internals of webrtc. Are you implying some
> > feature in it relies on the TCP simultaneous connect?
> I am saying that yes.
> webrtc is built on ICE (interactivity connectivity establishment). ICE
> support for TCP (RFC6544) uses TCP simultaneous connect. webrtc
> supports tcp connections.
Then I suspect that a large number of firewalls will need updates after
significant rework for this proposal to succeed. I'm not saying this will
not eventually happen, but there are significant risks associated with
this feature. Netfilter had this in the window tracking patches around
2002-2003 and this had to be reverted because a client was able to establish
complete connections by sending SYN-SYN/ACK-ACK itself. Other products will
fall through these cracks.
And last but not least, it's the only behaviour in TCP which allows a
random attacker to prevent a connection from establishing by guessing
only a 16-bit port, regardless of any sequence number. Considering how
we've been bothered by people who considered that our sequence numbers
were not random enough, I already expect that the absolute lack of need
of a sequence number will bring new funny articles.
Back then, I did a PoC which permanently prevented an anti-virus proxy
from establishing any connection to its update server, and it did not
require a lot of traffic obviously. People running such proxies probably
don't need webrtc with its assorted lot of issues.
I'm not advocating for pushing the patch, I understand it's not desired.
I just want to ensure that people understand what simultaneous connect
means in terms of DoS for a feature which is rarely used and rarely
technically possible at all.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/