INTERNET-DRAFT W A Simpson DayDreamer Intended status: Informational 2 January 2011 TCP Cookie Transactions (TCPCT) Sockets Application Program Interface (API) draft-simpson-tcpct-api-01 | Abstract TCP Cookie Transactions (TCPCT) deter spoofing of connections and prevent resource exhaustion, eliminating Responder (server) state during the initial handshake. The Initiator (client) has sole responsibility for ensuring required delays between connections. The cookie exchange may carry data, limited to inhibit amplification and reflection denial of service attacks. This document provides a sockets Application Program Interface (API) to support "basic" and "advanced" TCPCT applications. TCP/IP applications written using the sockets API have enjoyed a high degree of portability. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. This document may not be modified, and derivative works of it may not be created, except to format it for publication as an RFC or to translate it into languages other than English. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is Simpson expires July 2, 2011 [Page i] DRAFT TCPCT API 2 January 2011 at http://datatracker.ietf.org/drafts/current. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Terminology . . . . . . . . . . . . . . . . . . . 1 2. sysctl . . . . . . . . . . . . . . . . . . . . . . . . . 1 3. -data limits . . . . . . . . . . . . . . . . . . . 1 4. Socket Option . . . . . . . . . . . . . . . . . . . . . 2 4.1 struct tcp_cookie_transactions . . . . . . . . . . 2 4.2 struct tcpct_full and struct tcpct_half . . . . . 5 4.3 more ... . . . . . . . . . . . . . . . . . . . . 5 ACKNOWLEDGMENTS . . . . . . . . . . . . . . . . . . . . . . . . 6 IANA CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . . . 6 SECURITY CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . 6 NORMATIVE REFERENCES . . . . . . . . . . . . . . . . . . . . . 7 INFORMATIVE REFERENCES . . . . . . . . . . . . . . . . . . . . 7 CONTACTS . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Simpson expires July 2, 2011 [Page ii] DRAFT TCPCT API 2 January 2011 1. Introduction This specification is based upon prior work product by the author for a Linux implementation, and previous internal documents Copyright (C) William Allen Simpson (2009-2011). | 1.1. Terminology The key words "MAY", "MUST, "MUST NOT", "OPTIONAL", "RECOMMENDED", "REQUIRED", "SHOULD", and "SHOULD NOT" in this document are to be | interpreted as described in [RFC2119]. 2. sysctl tcp_cookie_size - INTEGER Default size of TCP Cookie Transactions (TCPCT) option, that may be overridden on a per socket basis by the TCPCT socket option. Values greater than the maximum (16) are interpreted as the maximum. Values greater than zero and less than the minimum (8) are interpreted as the minimum. Odd values are interpreted as the next even value. Default: 0 (off). When tcp_cookie_size is 0, the TCP stack will not send the Cookie Option, and any incoming Cookie Option will be silently discarded. When tcp_cookie_size is greater than 0, the TCP stack will always send the Cookie Option, and any incoming Cookie Option will be processed. This is most useful for single purpose systems, such as DNS or HTTP servers. Either case may be modified on a per socket basis. 3. -data limits + /* Implementation-specific data limits */ + #define TCP_SYN_DATA_LIMIT (496) + #define TCP_SYN_ACK_DATA_LIMIT (1220) + When present, the TCP Cookie Transactions (TCPCT) -data facility + is available. + Note that usage of -data requires the socket option. + As a matter of policy, these limits MAY be considerably smaller. + Simpson expires July 2, 2011 [Page 1] DRAFT TCPCT API 2 January 2011 4. Socket Option #define TCP_COOKIE_TRANSACTIONS When present, the TCP Cookie Transactions (TCPCT) socket option is + available. 4.1. struct tcp_cookie_transactions /* for TCP_COOKIE_TRANSACTIONS (TCPCT) socket option */ #define TCP_COOKIE_MIN 8 /* 64-bits */ #define TCP_COOKIE_MAX 16 /* 128-bits */ #define TCP_COOKIE_PAIR_SIZE (2*TCP_COOKIE_MAX) /* Flags for both getsockopt and setsockopt */ #define TCP_COOKIE_IN_ALWAYS (1 << 0) #define TCP_COOKIE_OUT_NEVER (1 << 1) #define TCP_S_DATA_IN (1 << 2) #define TCP_S_DATA_OUT (1 << 3) /* reserved for future use: bits 4 .. 6 */ + #define TCP_EXTENDED_OPTION (1 << 7) + /* Extended Option flags for both getsockopt and setsockopt */ | #define TCP_EXTEND_SIZE (0x7) /* mask */ | #define TCP_EXTEND_TIMESTAMP32 (0x1) /* default */ | #define TCP_EXTEND_TIMESTAMP64 (0x2) | #define TCP_EXTEND_TIMESTAMP128 (0x4) | /* TCP_COOKIE_TRANSACTIONS socket option header */ | struct tcp_cookie_transactions { uint16_t tcpct_flags; uint8_t tcpct_extended; | uint8_t tcpct_cookie_desired; uint16_t tcpct_s_data_desired; uint16_t tcpct_used; }; The structure is 64 bits. | tcpct_flags TCP_COOKIE_IN_ALWAYS Default: 0 (off). Silently discard any incoming or that is missing the Cookie option on a per port basis. Simpson expires July 2, 2011 [Page 2] DRAFT TCPCT API 2 January 2011 TCP_COOKIE_OUT_NEVER Default: 0 (off). Refuse to send (override) the Cookie option on a per port basis. This supercedes any other settings to the contrary. TCP_S_DATA_IN getsockopt() Indicates or data has been received. setsockopt() Ignored. TCP_S_DATA_OUT getsockopt() Indicates or data has been sent on the | connection. | When tcpct_s_data_desired is zero, constant data was sent. setsockopt() Indicates or constant data MAY be sent; | tcpct_used contains the total number of bytes. Do not wait for additional data before sending; | tcpct_s_data_desired MUST be zero. TCP_EXTENDED_OPTION | Indicates tcpct_extended field contains a non-default value. | Unused bits MUST be zero. | tcpct_extended | TCP_EXTEND_SIZE | Mask for Size field in Extended Option. If Size is set to an | unrecognized value (or zero), the TCP Timestamps Extended | Option MUST NOT be sent, and MUST be ignored upon receipt. | TCP_EXTEND_TIMESTAMP32 | Use 32-bit timestamps extension (default). | TCP_EXTEND_TIMESTAMP64 | Use 64-bit timestamps extension. | Simpson expires July 2, 2011 [Page 3] DRAFT TCPCT API 2 January 2011 TCP_EXTEND_TIMESTAMP128 | Use 128-bit timestamps extension. | If the TCP_EXTENDED_OPTION flag is not set (default), this field | MUST be ignored, but SHOULD be set to either the default value or | zero. | tcpct_cookie_desired Values: 0 (default), 8, 10, 12, 14, 16. Send the Cookie option with the or on a per port basis. Defaults to tcp_cookie_size instead. tcpct_s_data_desired TCP_SYN_DATA_LIMIT Default: 0. Maximum: 496. The maximum amount of data transmitted with the on a per port basis. TCP_SYN_ACK_DATA_LIMIT Default: 0. Maximum: 1220. The maximum amount of data transmitted with the on a per port basis. Whenever this field is non-zero, wait for data before sending. + tcpct_used Default: 0. Number of bytes used in the variable length data | value. | This header is optionally followed by variable length data. | Simpson expires July 2, 2011 [Page 4] DRAFT TCPCT API 2 January 2011 4.2. struct tcpct_full and struct tcpct_half | /* TCP_COOKIE_TRANSACTIONS cookie values */ | struct tcpct_full { | struct tcp_cookie_transactions soh; | uint8_t tcpct_value[TCP_COOKIE_PAIR_SIZE]; | }; | struct tcpct_half { | struct tcp_cookie_transactions soh; | uint8_t tcpct_value[TCP_COOKIE_MAX]; | }; | The structures are a multiple of 64 bits. These are provided for | convenience, such as stack allocation. tcpct_value getsockopt() The current cookie or cookie pair value; tcpct_used contains | the total number of bytes. Use tcpct_full. | For an established connection, tcpct_cookie_desired will | contain the cookie size. setsockopt() The constant cookie or cookie pair value; tcpct_used contains | the total number of bytes. Use tcpct_full or tcpct_half as | appropriate. | TCP_S_DATA_OUT is not set (MUST be zero). | To distinguish a maximal cookie from a minimal cookie pair, | tcpct_cookie_desired MUST NOT be zero. Unused bytes MUST be zero. + 4.3. more ... Simpson expires July 2, 2011 [Page 5] DRAFT TCPCT API 2 January 2011 Acknowledgments + Andre Broido suggested the capability to set cookies for Transport + Layer Security (TLS) session identifiers, in place of the [RFC5077] + ticket. Rapid TLS session resumption would improve both latency and + privacy, but is beyond the scope of this specification. + IANA Considerations This specification registers two new TCP options. These (previously unpublished) options were specifically selected to avoid conflicts, and IANA was advised in advance. TCP Cookie Option Kind: 31 Length: variable. TCP Timestamps Extended Option Kind: 32 Length: 4. | Notes: Kind 31 is a prime number, particularly appropriate for a security enhancement. Kind 32 is a multiple of TCP Timestamps Option (Kind 8); Kind 16 was already registered. Security Considerations First and foremost, the cookie exchange improves operational security for vulnerable servers against flooding attacks. All other semantics are subordinate. TCPCT provides a number of new security mechanisms that need to be accessible to applications. Simpson expires July 2, 2011 [Page 6] DRAFT TCPCT API 2 January 2011 Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | Requirement Levels", BCP 14, March 1997. [TCPCT] Simpson, W. A., "TCP Cookie Transactions (TCPCT)", | December 2010. http://tools.ietf.org/html/draft-simpson- tcpct Informative References [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, + "Transport Layer Security (TLS) Session Resumption + without Server-Side State", January 2008. Author's Address Questions about this document can be directed to: William Allen Simpson DayDreamer Computer Systems Consulting Services 1384 Fontaine Madison Heights, Michigan 48071 William.Allen.Simpson@Gmail.com Simpson expires July 2, 2011 [Page 7]