[theamk]

Reply to your message edits:

> 1) UDP leaks information, thereby violating the C in CIAA.

Which information? Properly encrypted UDP only shows destination IP and port number. Your protocol shows destination IP and protocol number (99) -- since very few people use it, protocol 99 is as distinct as UDP port.

Moreover, if you are concerned with UDP port leak, you can just use a random destination port on server, or masquerade as some other UDP protocol. There is no such option with current ControlMQ system

> TCP is subject to the SYN resource exhaustion attack, and is connection oriented which is brittle.

You do know about SYN cookies, right? And you know that SYN flood is easily defeated now -- for example, out of 5 most significant DDOS attacks in 2016 (https://www.tripwire.com/state-of-security/security-data-pro...) , none used SYN flood.

> Both are vulnerable to packet replay attacks, which is a particularly troubling problem for controls.

Any control connection should use encryption. Every popular encryption method (including TLS and QUIC) protects against replay attacks.

> 2) The pen testers that evaluated our technology we believe to be highly competent.

Well, all I have is front page quote, and I see the words "We were unable to [...] observe [...] the message traffic" and "TCP and all the UDP ports only list that they are open/unfiltered". This apparently means they could not even use wireshark to observe the IP message traffic -- they just ran "nmap" and found not ports. This is pretty sad for a pentester. I would expect to see mentions of DOS attacks and fuzz testing.

For example, what happens if I just start sending random packets to your daemon? How many packets per second it can handle before it fails over? What if I compromise a client, extract a session establishment key from it (assuming you have one), and start to establish new sessions? how many will your server handle before failing?

[dwviel]

Good points.

The port number typically indicates a service that is publicly known and repeatable. This is leaked information, as each service will have a unique port number. The IP protocol of 99 is used for all communications so no differentiation of network traffic can be made using this information.

SYN cookies can be a solution, but it has limitations, and to overcome those limitations requires changes to the TCP protocol. It is also preferable not to use TCP for controls in order to avoid the coupling caused by connections. The network between components may also be unreliable thus causing the need for regular reconnections.

Replay attacks protection by TLS, etc uses sequence numbers which expects a continuous connection. There is the setup phase that must be taken into account and then the entire series of packets from that point on can be replayed. The goal is to run on unreliable networks so connections would constantly need to be reestablished.

We consider DOS attacks to be attacks on the network rather than the component.

The number of packets/sec that the daemon can handle is computer resource determined. But, >1000/sec is typical in our testing on commodity H/W. It has never failed due to load in thousands of hours of testing.

If a client (first peer) is compromised then it can send any message it wants to the second peer with which it is configured to communicate. But, only properly formed, valid range messages will be accepted. Let’s say that the receiving component controls a motor that has a valid engineering range of 0 -1000 RPM. If a nefarious command came in to spin to 2000 RPM that would be rejected. The server (second peer) is not connection based so it will handle whatever packet arrive at the rate it can, and drop the rest on the floor.

So, overall we believe it is simpler and less error prone to use our protocol then set up all these complicated extra configurations.

[theamk]

I was going to type in the long, point-by-point response, but then I saw this:

> Replay attacks protection by TLS, etc uses sequence numbers which expects a continuous connection. There is the setup phase that must be taken into account and then the entire series of packets from that point on can be replayed.

WHAT? You do know that you cannot just "take setup phase into account" in TLS unless you have both server and client secret keys, right? There is the whole "key exchange" step make it impossible?

If you write stuff like this, for god's sake, do not design encryption protocols. I am horrified about what your code does if you do not know/don't understand key exchange concept.

[dwviel]

Yes, but the packet replay protection is due to the sequence number of the packet that happens after the session is established.

BTW, our technology uses pre-shared keys.

[theamk]

> Yes, but the packet replay protection is due to the sequence number of the packet that happens after the session is established.

The TLS does not use pre-shared keys. Instead, every time a client establishes a new connection, there is a "key exchange" phase. Here is a simplified explanation:

1. client generates a random number, does some math on it, encrypts with server's certifcate, and sends to server;

2. server generates another random number, does some math on it, and sends to client.

3. after more math (see https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exc... ), both client and server get the session key. If the exchange was not tampered with, both client and server get the same session key.

4. client and server exchange messages encrypted with session key. If they both have the same session key, they will be able to decrypt the message properly; otherwise, the connection is closed.

5. Now client can send a command, such as "open door"

The reason replay protection works is because every time session is established, the server will choose a different random number in step 2. So if you try to replay, then step 3 will generate different session keys, and step 4 will fail.

Once the connection is established, there is a separate counter for replay protection, but it does not have to be complicated -- because we know that the session key is unique to this session alone.

This is how TLS / DTLS / QUIC do replay protection. Do you agree that these protocols are fully replay-protected?

[dwviel]

Yes, I agree that TLS provides replay protection on a suitably reliable network. Don’t know about DTLS or QUIC but I will look further into these. We didn’t really look to much at TCP and TLS, etc. because early on we made design decisions to have components adopt an autonomous posture and work with unreliable networks, as can often be the case for controls. That led us to reject all connection based network protocols such as TCP to avoid the coupling it creates, and to create a very simple, one step protocol for robustness and simplicity. But, I can see where use of TCP and TLS could be useful, even for us, in some cases. To some extent this is a design philosophy that is biased towards simplicity. I’ve noticed that in the software industry there is a bias towards complexity. Almost a need among some to built “Rube Goldberg machines” for everything. Each time a new issue is raised the solution is to add new functionality or feature to handle it until the system is a complex monstrosity, instead of reevaluating the whole enterprise from first principles in light of new requirements. Our concentration is on design. As I like to say “Code is nice, but design is everything.”, and its corollary “No amount of code ever made up for a poor design.” Our concern was to remain compatible with standards to the extent needed to remain switchable and routable on Ethernet and IP networks, but to reduce the problem of controls messaging to the simplest possible level while retaining a high level of security.

[theamk]

Look, you keep saying "on a suitably reliable network". Where do you get this stuff? TLS replay protection is always present and does not depend on network reliability at all. You might not establish TLS connection if your network is super bad, but it does not mean replay is possible.

Can you PLEASE tell me how unreliable network allows TLS replay (or DTLS replay, or QUIC replay -- they all do key negotiation)