Slashdot Mirror
Vista's TCP/IP Promises and Perils
boyko.at.netqos tips us to a new writeup on Vista's TCP/IP stack, which is called Compound TCP/IP (CTCP). From the article: "...security policy will come from a centralized source. When you get your DHCP lease, your computer will report to the stack what OS you're using, what version level, what patches, what anti-virus software that's active — all that kind of stuff. It will have the ability to restrict your network access if you have a down-level machine... We could see a lot of our customers with much higher WAN network utilization because of this new TCP/IP stack... CTCP can be enabled/disabled from the command prompt but there has been no mention of tuning parameters which leads us to ask the question: How are you supposed to configure this setting in Vista?... What worries us... is that Microsoft is basing this on packet round trip time. The round-trip time from the client-side will have the server processing time in it; but the clients aren't likely going to be the running the CTCP at first. If you have a server-to-server backup running, for example, CTCP may think its part of the round-trip time and it'll throw the delay window through the roof..."
Article summary:
We haven't used Vista.
We haven't tested the features we're talking about.
We think they're actually probably very good.
We don't know (and nor does anyone) because we haven't tested them.
They could be bad.
They could do nasty stuff to your networks.
But we don't know because we haven't tested anything.
Sounds good in theory though.
And all the MS guys that have ever wrote about it say it works.
We don't think it'll work perfectly first time.
But we don't know because we haven't tested anything at all in any way.
We advise others to test before they make any decision.
Good article. (That was sarcasm. At least I think it was but I haven't tested it myself yet).
I don't get it. If you're just going to be querying the OS for information about its configuration (antivirus, patch state, version level, etc.) why don't you just implement it at a higher level? I don't see any reason to bury this sort of stuff down in the network stack. It could just as easily run as an application-level service rather than being built in down on the transport level. (And in fact I know of systems which do this sort of thing running as userspace tools.)
The goal here seems to just be a way to allow corporate networks like WANs to restrict access based on the version of Windows that's running and the security software being implemented on the client. Setting aside how a rootkit would just fake the responses (and I don't believe for a second that there won't be rootkits for Vista once it gets mainstream), why does this have to be in the network stack? It could be easily implemented as part of the higher-level networking services like WINS or Active Directory, as a requirement before the user is allowed access to particular network resources.
This whole concept seems rather flawed, unless there's some large part of it that I'm missing, and it just seems like it's going to require other OSes to rewrite their perfectly good TCP/IP stacks in order to inter-operate with Windows networks. Maybe that's the whole point?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I haven't read TFA, but based on blurb it will be horrible.
Compound TCP is not a TCP/IP stack! It's congestion avoidance/recovery algorithm for TCP streams. It's one of many (Vega, Reno, BIC, CUBIC etc. etc.). It's also available for Linux (but was removed from standard kernel some time ago).
Other things mentioned are parts of Network Access Control, which is already deployed in many companies. There are many software and hardware solutions available, Vista isn't special. It becoming must-have in corporate environment, praising Vista for having it is like claiming that DHCP client in OS is innovation.
:wq
I discover NAC/NAP. Network Admission Control and Network Access Protection. While the idea is noble, its going to be costly (for customers) to implement in mixed networks. They also don't discuss non PC network clients (Printers, Scanners, hand held etc). Even worse (see below), your going to have to pay for a 3rd party network stack for Windows 2000.
f 717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper .pdf
t rans/network/06_0914_tn_network.mspx
White paper here: http://download.microsoft.com/download/d/0/8/d08d
Interesting chat transcript here: http://www.microsoft.com/technet/community/chats/
From the transcript:
Q: NAP seems to fulfill the pre-admission health/integrity check very well. Can customers use the same NAP infrastructure to support post-admission NAC? e.g. with NAP today I can check a desktop PC is healthy when it joins, but what about 24 hours later?
A: Post-admission enforcement depends on the enforcement mechanism you're using. For instance, health will be re-evaluated when a client attempts to renew their IP address when using DHCP as the enforcement mechanism. For IPSec, it will happen when health certs expire. For 802.1x, it will happen when re-authentication occurs. For VPN, it will happen when clients reconnect. Any health change on the client will trigger re-evaluation of the health state, too.
Q: What is the likelihood of a NAP agent for Windows 2000 clients in the network?
A: We are not planning to implement a Windows 2000 NAP client. However, we are licensing our protocols to 3rd party companies so that they can offer NAP clients on Windows 2000 (and other OS's like Mac, Linux, etc.)
Enjoy,
It's just the normal noises in here.
Using the new 'walled garden' features in the Windows Server series to direct the machines traffic to an isolated subnet that allows it to communicate only with the Windows Update Services software you can download and run. That machine gets the patches, and seeds them to your local machines on a schedule you control.
When the machine is updated, it can be rebooted and then brought back into the fold.
-Steve Gray
It's just more vendor-specific fields in the DHCP request and response, plus some ioctl() hooks into the network stack. Basically a CTCP client brings up a normal unrestricted TCP stack and sends it's info in fields in the DHCP request. The DHCP server sees the fields, analyzes them and sends back configuration info in the DHCP response. The client then interprets the configuration info and uses the CTCP API to tell the network stack to impose the rules the server sent.
Of course, you can see several gaping holes in this scheme already. As is only to be expected from Yet Another Harebrained Scheme Out Of Redmond.
The buzzword "quarantine network" has been tossed around for at least the last six months. The theory behind the technology is that a client that fails to meet the policy requirements will be directed to a completely seperate subnet (think DMZ) where it will have access to a server that will push down the necessary patches and AV upgrades to bring the client into compliance. In otherwords, if your network is on 10.1.1.x then the quarantine network might be 10.2.1.x and any client that fails to meet the policy will get a DHCP lease for the 10.2.1.x netowrk. Of course dedicated attackers will be able to eventually circumvent the technology, but fundementally it is pretty sound. It will definitely address the problem of Joe Blow bringing in his laptop from home full of virii. It should also help mitigate the issue of "rogue" laptops that aren't members of the domain. The first time a Linux box receives a query that it doesn't know how to respond to, it will be quarantined. Of course there are probably ways around that (maybe you could configure Samba to respond to the requests?), but it will take a dedicated attacker with thorough knowledge of the network and local access to it.
A better way to handle the whole problem is to put machines into a quarantined VLAN and then dynamically change their port's VLAN after authorization has been established via any number of criteria.
You might want to take a look at what Cisco is up to. They are the company that is really driving the whole quarantine network ideal and making it a reality.
I seem to have missed your Networking 101. Maybe that's good, because it seems your Networking 101 has garbled your understanding of layers and abstraction within a protocol stack.
As CTCP is a protocol carried in IP, there should be no impact within the network, as practically nothing does deep introspection of packets other than firewalls (for policy) and end systems (for multiplexing and demultiplexing). Intermediate systems (i.e., IP routers) simply won't care or necessarily even notice that the IP datagrams they're forwarding have something other than TCP or UDP or GRE or UTI or, well, there are a hundred other "layer 4" (transport layer) possibilities counting only those with assigned numbers from IANA. Internet routers examine and forward "layer 3" (network layer) packets.
Your ethernet switches and other varieties of LAN equipment will see frames carrying only one network layer protocol for any of these: IP. These switches examine and forward "layer 2" packets.
AppleTalk, IPX, XNS and so forth are separate network layer protocols ("layer 3") from IP, and it is extremely unlikely that CTCP ("layer 4") will be defined for any of these other than IPv6, and it's unlikely that any of them (possibly including IPv6) will be carried natively (i.e., not tunnelled) across more than the tiniest fraction of wide area networking infrastructure.
Using a single network layer ("layer 3") protocol is operationally easier than using multiple network layer protocols, and operator skill has not scaled nearly as well as either bandwidth or forwarding performance since multiprotocol WANs were common (late 1980s, early 1990s). This is especially true for very large scale networks, like international backbones and national network operators, and even larger regional and metro operators.
The trade-off favouring reduced operator knowledge ("we just move IP very very quickly") at the expense of encapsulation overhead (computation in the end systems, bandwidth everywhere else) has been an economic one, not a technical one. Indeed, many technical people, particularly IPv6 and MPLS proponents, really like the idea of a multiprotocol big-I Internet in order to experiment with possible future network-based services like finer-grained addressability or explicit routing. I am not one of these people, but my objections are almost entirely economic (well, I do think both MPLS and IPv6 are weak and overly conservative hacks at operational problems which unsurprisingly have evolved faster and further than these two protocol suites can reasonably be expected to cope with).
RFC 2001 describes the congestion-avoiding system at the heart of TCP, which is the Internet's dominant bulk transfer protocol. Any other bulk transfer protocol with a similar system to RFC 2001's slow start and congestion avoidance could reasonably say that it is designed for "TCP fairness" in that -- on average -- the occupancy of a pure tail-drop FIFO queue in front of a chronic bottleneck will be inversely proportional to the number of congestion-avoiding flows traversing that bottleneck at the same time.
This sort of fairness is easy to demonstrate both in simulation and live across a WAN or the Internet, and is done regularly, since improving TCP specifically or bulk transfer performance in general is an active area of networking research.
With respect to intermediate systems, their operators generally won't care about well-behaved (in the fairness sense) flows, since they should be nondisruptive and should not require special handling of the IP packets they're carried in.
Badly behaved flows are generally counterproductive. Most "greedy" and "impatient" bulk transfer protocols do not perform well in comparison with TCP, and usually end up generating more traffic and take more time to do the same work. Unfortunately, such flows can also slow down TCP bulk transfers by causing and increasing actual network congestion.
Queueing discip