review for tcpoison

===== Review =====

*** Novelty: How new/surprising/creative are the results/ideas presented?
Top 25%, but not top 10% (3)

*** Technical Merit: Please rate the correctness and soundness of the
scientific methodology.
Top 25%, but not top 10% (3)

*** Readability: Effectiveness of presentation and readability
Top 25%, but not top 10% (3)

*** Relevance: Please quantify the paper's relevance to the conference,
keeping in mind our focus on protocol-relevant results and technologies.
Couldn't be better (4)

*** Reviewer Confidence: How confident are you in your evaluation?
Informed outsider (2)

*** Overall Rating: Summary score
Likely accept (very good, top 15% but not top 8%) (4)

*** Short summary assessment: (REQUIRED) What are the main contributions
of this paper? Do you consider the issues addressed
important and/or interesting? Comment on novelty, creativity, impact and
technical depth(1-5 sentences)

This paper presents some interesting ideas of how to make it really hard
for attackers to poison TCP connections with only minor changes to the TCP
stack. The three key elements of their approach are first, to slightly
delay the handling of an incoming packet instead of immideately change the
state of the TCP prototcol machine as it is done now. This allows to detect
attacks becaue the attackers packets do not "match" the set of regular
packets. The second element is the idea of using forward and backward
nonces based on random numbers. Thus, an attacker cannot simply inject a
single packet to tear down the connection. Finnaly, TCPs self clocking
property is leverage to distinguish between correct and attacker packtet
trains.

*** Strengths:: (REQUIRED) What are the most important reasons to accept
this paper? (1-3 sentences)

I am not an security expert, but I find the idea applealing. Furthermore,
the paper is well written the idea is good explained (even understandable
for me) and the authors give also some evaluation of their work - which is
always not trivial for security related issues.

*** Weaknesses:: (REQUIRED) What are the most important reasons NOT to
accept this paper? (1-3 sentences).

I don not really see any reason why not to accept this paper. The only
thing I could wish to additionally see is some kind of analysis of how much
higher this approach raises the bar for attackes to harm TCP connections.

*** Detailed Comment to the Authors: (REQUIRED) Please provide detailed
comments that can be used by the authors to improve this paper.
Specifically, if you gave a low originality grade please support with
relevant citations. Also if you gave a low technical merit grade please
specify the location of error(s) in the paper.

Besides the comments above I have only some minor comments:
item (ii) on page one is unclear to me - may be a reformulation would
help.
I thing you dont need footnote 1.
Please explain the abbreviation RST when you use it first time.
It is a bit strange to have some kind of sub heading whith "?:"

===== Review =====

*** Novelty: How new/surprising/creative are the results/ideas presented?
Top 10% (4)

*** Technical Merit: Please rate the correctness and soundness of the
scientific methodology.
Top 10% (4)

*** Readability: Effectiveness of presentation and readability
Top 10% (4)

*** Relevance: Please quantify the paper's relevance to the conference,
keeping in mind our focus on protocol-relevant results and technologies.
Couldn't be better (4)

*** Reviewer Confidence: How confident are you in your evaluation?
Fairly confident, well-versed in this area (3)

*** Overall Rating: Summary score
Likely accept (very good, top 15% but not top 8%) (4)

*** Short summary assessment: (REQUIRED) What are the main contributions
of this paper? Do you consider the issues addressed
important and/or interesting? Comment on novelty, creativity, impact and
technical depth(1-5 sentences)

The paper addresses a type of attack on TCP connections, where the
attacker can sniff a TCP stream, and inject bogus TCP packets (e.g. to
reset the TCP connection). As a countermeasure, the authors propose 3
techniques: defer protocol reaction so subsequent packets trigger
suspicion; forward nonces to distinguish the legitimate from malicious
sub-stream; and packet inter-arrival correlations of data and ACKs
(leveraging TCP's self-clocking) to identify the malicious sub-stream.

The problem assumes no ingress filtering so packets can be forged by the
attacker. If we buy this assumption, then the solution relies only on
protocol design techniques.

*** Strengths:: (REQUIRED) What are the most important reasons to accept
this paper? (1-3 sentences)

Interesting use of protocol design techniques: deferred actions, detecting
malicious sub-stream using end-to-end nonces and delay measurements.

Deferral is compensated for by adapting the increase/decrease factors of
AIMD, so modified resilient TCP flows get their fair share of bandwidth.

*** Weaknesses:: (REQUIRED) What are the most important reasons NOT to
accept this paper? (1-3 sentences).

One has to buy the assumption that ingress filtering is not deployed. The
authors write "ISPs must pay for a system that only benefits others", but
one may argue that they should otherwise be sued!

*** Detailed Comment to the Authors: (REQUIRED) Please provide detailed
comments that can be used by the authors to improve this paper.
Specifically, if you gave a low originality grade please support with
relevant citations. Also if you gave a low technical merit grade please
specify the location of error(s) in the paper.

How is deferral compensated for in the case of short TCP flows? At least a
reference to a technical report should be provided.

You should show confidence intervals for your simulation results.

Sec III-B-3: "the attacker would have to send hundreds of Mbps bursts to
the victim" -- clarify why.

A reference that supports the assumption that ingress filtering is not
widely deployed will go a long way.

===== Review =====

*** Novelty: How new/surprising/creative are the results/ideas presented?
Bottom 50% (1)

*** Technical Merit: Please rate the correctness and soundness of the
scientific methodology.
Top 50%, but not top 25% (2)

*** Readability: Effectiveness of presentation and readability
Bottom 50% (1)

*** Relevance: Please quantify the paper's relevance to the conference,
keeping in mind our focus on protocol-relevant results and technologies.
Of interest to those working on protocols (3)

*** Reviewer Confidence: How confident are you in your evaluation?
Fairly confident, well-versed in this area (3)

*** Overall Rating: Summary score
Likely reject (top 50%, but not top 25%) (2)

*** Short summary assessment: (REQUIRED) What are the main contributions
of this paper? Do you consider the issues addressed
important and/or interesting? Comment on novelty, creativity, impact and
technical depth(1-5 sentences)

The paper deals with the problem of poisoning TCP attacks. It analyzes
these attacks from the perspective of the attackers' constraints and
proposes a change to the TCP header in order to reduce the possibility for
such attacks.

*** Strengths:: (REQUIRED) What are the most important reasons to accept
this paper? (1-3 sentences)

The problem is interesting. The paper is clear and the proposed scheme
technically sounds.

*** Weaknesses:: (REQUIRED) What are the most important reasons NOT to
accept this paper? (1-3 sentences).

The paper does not address the problem in a scientific manner. It is too
verbal, and it is not clear what are the advantages of the proposed scheme
compared to existing schemes.

*** Detailed Comment to the Authors: (REQUIRED) Please provide detailed
comments that can be used by the authors to improve this paper.
Specifically, if you gave a low originality grade please support with
relevant citations. Also if you gave a low technical merit grade please
specify the location of error(s) in the paper.

Loosely speaking, traffic in the Internet can be divided into two classes:
traffic that has to be protected against various malicious activities and
traffic that does not have to be protected against such activities. For the
first class (e.g. on line banking and shopping), SSL (Secure Socket Layer)
is used for several years efficiently and successfully. Indeed, the main
role of SSL is encrypting and authenticating application layer data.
However, it also has mechanisms to protect against some of the attacks
considered in this paper. For example, it protects against replay attacks
by inserting an encrypted SSL sequence number into every packet. Indeed,
SSL cannot protect against an impersonated RST packet. But this means that
this paper had to consider a much smaller set of possible attacks (on the
TCP control plane only), the most important of which is SYN attack.
However, this is a different game, because there are many papers that
already considered attacks on the TCP control plane, and the authors should
have discussed the advantages of their scheme compared to these works.

But even if one thinks that protecting TCP without using SSL is important,
this paper should have been structured in a different way. First, present
your main assumptions. Then, present the proposed scheme and finally, prove
that the new scheme indeed addresses the main concerns. In its current form
the paper is too verbal and less scientific. The simulation study is really
not convincing.

Finally, I don't understand why the authors present the Related Work at
the end of their paper. This section must be shifted to the beginning of
the paper (as Section II). It is important to explain as early as possible
what are the advantages of the new scheme compared to previously known
schemes (and not only compared to IPsec).