INTERNET-DRAFT W A Simpson DayDreamer Intended status: Informational 4 July 2010 TCP Cookie Transactions (TCPCT) Sockets Application Program Interface (API) draft-simpson-tcpct-api-00 Abstract TCP Cookie Transactions (TCPCT) deter spoofing of connections and prevent resource exhaustion, eliminating Responder (server) state during the initial handshake. The Initiator (client) has sole responsibility for ensuring required delays between connections. The cookie exchange may carry data, limited to inhibit amplification and reflection denial of service attacks. This document provides a sockets Application Program Interface (API) to support "basic" and "advanced" TCPCT applications. TCP/IP applications written using the sockets API have enjoyed a high degree of portability. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. This document may not be modified, and derivative works of it may not be created, except to format it for publication as an RFC or to translate it into languages other than English. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is Simpson expires January 4, 2011 [Page i] DRAFT TCPCT API 4 July 2010 at http://datatracker.ietf.org/drafts/current. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Terminology . . . . . . . . . . . . . . . . . . . 1 2. sysctl . . . . . . . . . . . . . . . . . . . . . . . . . 1 3. Socket Option . . . . . . . . . . . . . . . . . . . . . 2 3.1 struct tcp_cookie_transactions . . . . . . . . . . 2 3.2 more ... . . . . . . . . . . . . . . . . . . . . 4 IANA CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . . . 4 SECURITY CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . 5 NORMATIVE REFERENCES . . . . . . . . . . . . . . . . . . . . . 5 CONTACTS . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Simpson expires January 4, 2011 [Page ii] DRAFT TCPCT API 4 July 2010 1. Introduction This specification is based upon prior work product by the author for a Linux implementation, and previous internal documents Copyright (C) William Allen Simpson (2009-2010). 1.1. Terminology The key words "MAY", "MUST, "MUST NOT", "OPTIONAL", "RECOMMENDED", "REQUIRED", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in [RFC 2119]. 2. sysctl tcp_cookie_size - INTEGER Default size of TCP Cookie Transactions (TCPCT) option, that may be overridden on a per socket basis by the TCPCT socket option. Values greater than the maximum (16) are interpreted as the maximum. Values greater than zero and less than the minimum (8) are interpreted as the minimum. Odd values are interpreted as the next even value. Default: 0 (off). When tcp_cookie_size is 0, the TCP stack will not send the Cookie Option, and any incoming Cookie Option will be silently discarded. When tcp_cookie_size is greater than 0, the TCP stack will always send the Cookie Option, and any incoming Cookie Option will be processed. This is most useful for single purpose systems, such as DNS or HTTP servers. Either case may be modified on a per socket basis. Simpson expires January 4, 2011 [Page 1] DRAFT TCPCT API 4 July 2010 3. Socket Option #define TCP_COOKIE_TRANSACTIONS When present, the TCP Cookie Transactions (TCPCT) socket option is available. 3.1. struct tcp_cookie_transactions /* for TCP_COOKIE_TRANSACTIONS (TCPCT) socket option */ #define TCP_COOKIE_MIN 8 /* 64-bits */ #define TCP_COOKIE_MAX 16 /* 128-bits */ #define TCP_COOKIE_PAIR_SIZE (2*TCP_COOKIE_MAX) /* Flags for both getsockopt and setsockopt */ #define TCP_COOKIE_IN_ALWAYS (1 << 0) #define TCP_COOKIE_OUT_NEVER (1 << 1) #define TCP_S_DATA_IN (1 << 2) #define TCP_S_DATA_OUT (1 << 3) #define TCP_EXTEND_TIMESTAMP (7 << 4) /* mask */ #define TCP_EXTEND_TIMESTAMP32 (1 << 4) /* default */ #define TCP_EXTEND_TIMESTAMP64 (1 << 5) #define TCP_EXTEND_TIMESTAMP128 (1 << 6) /* TCP_COOKIE_TRANSACTIONS data */ struct tcp_cookie_transactions { uint16_t tcpct_flags; uint8_t __tcpct_pad1; uint8_t tcpct_cookie_desired; uint16_t tcpct_s_data_desired; uint16_t tcpct_used; uint8_t tcpct_value[TCP_COOKIE_PAIR_SIZE]; }; The structure is 64-bit aligned. tcpct_flags TCP_COOKIE_IN_ALWAYS Default: 0 (off). Silently discard any incoming or that is missing the Cookie option on a per port basis. TCP_COOKIE_OUT_NEVER Default: 0 (off). Refuse to send (override) the Cookie option Simpson expires January 4, 2011 [Page 2] DRAFT TCPCT API 4 July 2010 on a per port basis. This supercedes any other settings to the contrary. TCP_S_DATA_IN getsockopt() Indicates or data has been received. setsockopt() Ignored. TCP_S_DATA_OUT getsockopt() Indicates or data has been sent. setsockopt() The tcpct_value has been filled with constant data that will be sent with the or . Do not wait for additional data before sending. TCP_EXTEND_TIMESTAMP Default: TCP_EXTEND_TIMESTAMP32. If other symbols are defined, may send 64-bit (or future 128-bit) timestamps extension. Otherwise, 64-bit (or future 128-bit) timestamps have not been implemented. __tcpct_pad1 Reserved; MUST be zero. tcpct_cookie_desired Values: 0 (default), 8, 10, 12, 14, 16. Send the Cookie option with the or on a per port basis. Defaults to tcp_cookie_size instead. tcpct_s_data_desired TCP_SYN_DATA_LIMIT Default: 0. Maximum: 496. The maximum amount of data transmitted with the on a per port basis. Wait for data before sending. TCP_SYN_ACK_DATA_LIMIT Default: 0. Maximum: 1220. The maximum amount of data Simpson expires January 4, 2011 [Page 3] DRAFT TCPCT API 4 July 2010 transmitted with the on a per port basis. Wait for data before sending. tcpct_used Number of bytes in tcpct_value. tcpct_value getsockopt() Returns the current value of the cookie or cookie pair. setsockopt() If TCP_S_DATA_OUT is set, the constant data that will be sent with the or . The ultimate size of the field will depend on the actual amount of data present, up to TCP_SYN_DATA_LIMIT or TCP_SYN_ACK_DATA_LIMIT. Otherwise, the Initiator cookie. Note that the minimum size of this field is TCP_COOKIE_PAIR_SIZE, although only half that space will be used. 3.2. more ... IANA Considerations This specification registers two new TCP options. These (previously unpublished) options were specifically selected to avoid conflicts, and IANA was advised in advance. TCP Cookie Option Kind: 31 Length: variable. TCP Timestamps Extended Option Kind: 32 Length: 3. Notes: Kind 31 is a prime number, particularly appropriate for a security enhancement. Kind 32 is a multiple of TCP Timestamps Option (Kind 8); Kind 16 was already registered. Simpson expires January 4, 2011 [Page 4] DRAFT TCPCT API 4 July 2010 Security Considerations First and foremost, the cookie exchange improves operational security for vulnerable servers against flooding attacks. All other semantics are subordinate. TCPCT provides a number of new security mechanisms that need to be accessible to applications. Normative References [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, March 1997. [TCPCT] Simpson, W. A., "TCP Cookie Transactions (TCPCT)", June 2010. http://tools.ietf.org/html/draft-simpson-tcpct Author's Address Questions about this document can be directed to: William Allen Simpson DayDreamer Computer Systems Consulting Services 1384 Fontaine Madison Heights, Michigan 48071 William.Allen.Simpson@Gmail.com Simpson expires January 4, 2011 [Page 5]