Late Binding
============

Aug 4, 2004

Overview
--------

With late binding, the destination is computed at connection establishment
time. The computation of the address can occur in a variety of ways,
including various router options.

TCP has the following issues with any late-binding mechanism because it uses
the first-hop address as the destination address:

   1. Checksum computation fails at the destination.
   2. PCB (Protocol Control Block) lookup fails at the source when the
      destination sends an IP packet.

As a result of both of the above, a connection can never be established. In
the case of UDP, only the checksum computation fails.

Late binding with TCP and UDP is achieved through the use of a 32-bit random
number, called a nonce, that serves as the destination address for checksum
and indexing purposes.

The TCP Nonce is included in the first packet (SYN). The destination uses this
nonce in place of the destination address while computing the checksum. The
nonce is copied into the first packet from destination to source (SYN/ACK).
Upon receiving this message, the source updates the TCP control block with the
correct address and the TCP control block is reindexed. The connection
proceeds as usual from the second packet onwards.

In the case of UDP, the UDP Nonce is included in every packet and is used
exclusively for checksum computation.

Socket Flag
-----------

A new flag, SO_LATEBINDING, can be set on a socket to enable late binding
during TCP connection establishment and to compute the checksum properly in
the case of UDP.

Option
------

The option has the standard type-length-value format. Since the nonce is used
in place of an IPv4 address, the nonce must be 32 bits long. The format of the
option is the same in TCP and UDP except for the type code.
TCP Nonce Option
================

      TYPE     LEN      VALUE
   +--------+--------+---....---+
   |xxxxxxxx|00000110|  nonce   |
   +--------+--------+---....---+
     (TBA)    (0x6)

    0      8      16     24     32
   +======+======+======+======+
   ~         IP Header         ~
   +===========================+
   ~         IP Options        ~
   +===========================+
   ~         TCP Header        ~
   +===========================+
   ~         TCP Options       ~
   ~                           ~
   +             +------+------+
   |             | xxxx |  0x6 |
   +------+------+------+------+  [TCP Nonce]
   |           Nonce           |
   +------+------+------+------+
   ~                           ~
   +===========================+

UDP Nonce Option
================

      TYPE     LEN      VALUE
   +--------+--------+---....---+
   |yyyyyyyy|00000110|  nonce   |
   +--------+--------+---....---+
     (TBA)    (0x6)

    0      8      16     24     32
   +======+======+======+======+
   ~         IP Header         ~
   +===========================+
   ~         IP Options        ~
   +===========================+
   ~         UDP Header        ~
   +===========================+
   ~         UDP Options       ~
   ~                           ~
   +             +------+------+
   |             | yyyy |  0x6 |
   +------+------+------+------+  [UDP Nonce]
   |           Nonce           |
   +------+------+------+------+
   ~                           ~
   +===========================+

Nonce
-----

The generation of the nonce can happen at any time before sending the first
packet. The nonce should not be predictable and it MUST not be set to zero.
The nonce MUST also change on every connection.

Processing
----------

The following assumes that late binding is enabled.

Any time a nonce is included, it must be used in place of the destination
address while computing the checksum using the pseudo-header specified in
RFC 793.

   fhaddr = First-hop address
   faddr  = Foreign/remote address
   laddr  = Local address
   fport  = Foreign/remote port
   lport  = Local port

TCP Connection Establishment
----------------------------

   SRC ------------> FH    (fhaddr, fport, laddr, lport)(SYN)(nonce)
   FH  ------------> ....
   ... ------------> DST   (faddr, fport, laddr, lport)(SYN)(nonce)
   SRC <------------ DST   (laddr, lport, faddr, fport)(SYN/ACK)(nonce)
   SRC ------------> DST   (faddr, fport, laddr, lport)(ACK)(nonce)(DATA)
   ....
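As an added example (not part of the original note), the following Python builds the TCP Nonce option in the type-length-value form shown above, computes the RFC 793 pseudo-header checksum with the nonce substituted for the destination address, and shows that the destination can verify the SYN only if it substitutes the nonce too, which is issue 1 from the Overview. The option type code is TBA in the draft, so 0xFD is a constructed placeholder, as are the addresses and ports.

```python
import struct
from socket import inet_aton

NONCE_KIND = 0xFD  # placeholder: the draft leaves the type code "TBA" ("xxxxxxxx")
NONCE_LEN = 6      # type (1) + len (1) + 32-bit nonce (4)

def nonce_option(nonce):  # Nonce option in type-length-value form
    if not 0 < nonce <= 0xFFFFFFFF:
        raise ValueError("nonce MUST be a non-zero 32-bit value")
    return struct.pack("!BBI", NONCE_KIND, NONCE_LEN, nonce)

def find_nonce(options):
    """Walk the TCP option list (EOL=0, NOP=1, otherwise kind/len TLV); return the nonce or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No-Operation
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return None                     # malformed list; a real stack drops the segment
        if kind == NONCE_KIND and options[i + 1] == NONCE_LEN:
            return struct.unpack("!I", options[i + 2:i + 6])[0]
        i += options[i + 1]
    return None

def internet_checksum(data):  # RFC 1071 ones'-complement sum of 16-bit words
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(laddr, dst_word, segment):  # RFC 793 pseudo-header; dst_word is faddr or, under late binding, the nonce
    pseudo = inet_aton(laddr) + dst_word + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)

def syn_segment(lport, fport, nonce, laddr):
    """SYN carrying the Nonce option, checksummed with the nonce in place of the destination address."""
    opts = nonce_option(nonce) + b"\x01\x01"       # pad the option list to 8 bytes with NOPs
    hdr = struct.pack("!HHIIBBHHH", lport, fport, 1000, 0, ((20 + len(opts)) // 4) << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(laddr, struct.pack("!I", nonce), hdr + opts)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + opts

def verify_at_destination(laddr, faddr, segment, late_binding=True):  # DST uses the carried nonce; a plain stack uses its own address
    doff = (segment[12] >> 4) * 4
    nonce = find_nonce(segment[20:doff]) if late_binding else None
    return tcp_checksum(laddr, struct.pack("!I", nonce) if nonce else inet_aton(faddr), segment) == 0
```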
UDP Message Passing
-------------------

   SRC ------------> FH    (fhaddr, fport, laddr, lport)(nonce)(DATA)
   FH  ------------> ....
   ... ------------> DST   (faddr, fport, laddr, lport)(nonce)(DATA)
   SRC <------------ DST   (laddr, lport, faddr, fport)(DATA)

Outgoing Path
=============

tcp_connect() typically assigns the destination address and port numbers to a
TCP control block (TCB) and hashes the TCB into a TCB hash for easy lookup.
The modified connect function uses the nonce as the destination address to
hash the TCB if SO_LATEBINDING is enabled on the socket.

While generating the SYN packet, tcp_output() includes the TCP Nonce option if
the SO_LATEBINDING flag is enabled.

[Ed. include text on UDP processing as well.]

ip_output() looks for the SO_LATEBINDING flag to decide whether to disable
computation of the checksum in hardware on the network interface.

[Ed. Should this be moved to tcp_output()/udp_output()?]

Incoming Path
=============

The TCP syncache saves the nonce from the incoming SYN message and
incorporates it into the SYN/ACK.

tcp_input() uses the nonce to compute the checksum, but only if the TCP packet
is a SYN/ACK. If the checksum verifies and a lookup for the TCB using the
nonce as the destination (instead of the actual address) succeeds, then the
nonce in the TCB is replaced by the actual address and the TCB is reindexed.

Issues
------

IPsec?  It doesn't look like IPsec will make a difference.

Hardware checksum:  The checksum computation often happens on the card.
However, it will have to be disabled because the pseudo-header is different
from that computed by the hardware using the IP header of the outgoing packet.

Mechanisms that touch the TCP checksum:

   TCP header compression
   NAT
   TCP Alternate Checksums - RFC 1146
      The nonce should be part of the data option when computing the
      alternative checksum.
      Current allocation: http://www.iana.org/assignments/tcp-parameters

ICMP error messages?

Security
--------

The security is no worse than what is available in TCP and UDP. To hijack a
connection, the nonce must be correctly guessed or the attacker must be on
the path between the source and the destination.
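As an added example (not part of the original note), the following Python models the TCB hash described in the Outgoing Path and Incoming Path sections: the connect step keys the TCB under the nonce rather than the first-hop address, and the SYN/ACK handler looks the TCB up by the echoed nonce and reindexes it under the real destination address, whereas a plain connection keyed under the first-hop address misses the lookup, which is issue 2 from the Overview. The Key and TcbTable names, the dict-based table and the addresses are constructed, and the SYN/ACK checksum is assumed to have already been verified with the nonce.

```python
import secrets
from collections import namedtuple

# Constructed model of the TCB hash: the key is (faddr, fport, laddr, lport), and under
# late binding faddr holds the nonce until the SYN/ACK reveals the real destination.
Key = namedtuple("Key", "faddr fport laddr lport")

def new_nonce():
    """Unpredictable 32-bit nonce that is never zero (the draft's MUST NOT)."""
    while True:
        nonce = secrets.randbits(32)
        if nonce:
            return nonce

class TcbTable:
    def __init__(self):
        self.tcbs = {}

    def connect(self, laddr, lport, fhaddr, fport, late_binding):
        """tcp_connect(): with SO_LATEBINDING the TCB is hashed under the nonce, not fhaddr."""
        nonce = new_nonce() if late_binding else None
        while nonce in {k.faddr for k in self.tcbs}:   # the nonce MUST differ per connection
            nonce = new_nonce()
        tcb = {"laddr": laddr, "lport": lport, "fport": fport, "faddr": fhaddr,
               "nonce": nonce, "state": "SYN_SENT"}
        self.tcbs[Key(nonce if late_binding else fhaddr, fport, laddr, lport)] = tcb
        return tcb

    def lookup(self, faddr, fport, laddr, lport):
        """PCB lookup for an incoming segment, keyed on the source address of the IP packet."""
        return self.tcbs.get(Key(faddr, fport, laddr, lport))

    def syn_ack_input(self, faddr, fport, laddr, lport, nonce=None):
        """tcp_input() on a SYN/ACK whose checksum already verified (with the nonce, if carried)."""
        if nonce is None:                               # plain TCP: the SYN/ACK must come from fhaddr
            tcb = self.lookup(faddr, fport, laddr, lport)
        else:                                           # late binding: find the TCB via the echoed nonce
            tcb = self.lookup(nonce, fport, laddr, lport)
            if tcb is not None:                         # reindex under the real destination address
                del self.tcbs[Key(nonce, fport, laddr, lport)]
                tcb["faddr"] = faddr
                self.tcbs[Key(faddr, fport, laddr, lport)] = tcb
        if tcb is not None:
            tcb["state"] = "ESTABLISHED"
        return tcb
```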