Re: [beepwg] A couple of features to limit BEEP no reply attack

David Kramer <dkramer@apple.com> Fri, 13 March 2009 21:31 UTC

Return-Path: <beepwg-bounces@beepcore.org>
X-Original-To: ietfarch-beep-archive@core3.amsl.com
Delivered-To: ietfarch-beep-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4CA6228C0EE for <ietfarch-beep-archive@core3.amsl.com>; Fri, 13 Mar 2009 14:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.598
X-Spam-Level:
X-Spam-Status: No, score=-102.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vclaziOuWrGj for <ietfarch-beep-archive@core3.amsl.com>; Fri, 13 Mar 2009 14:31:17 -0700 (PDT)
Received: from hl27.dinaserver.com (hl27.dinaserver.com [82.98.144.26]) by core3.amsl.com (Postfix) with ESMTP id DFB203A6B24 for <beep-archive@lists.ietf.org>; Fri, 13 Mar 2009 14:31:16 -0700 (PDT)
Received: from hl27.dinaserver.com (localhost [127.0.0.1]) by hl27.dinaserver.com (Postfix) with ESMTP id 4C3BF75F4A4; Fri, 13 Mar 2009 22:31:52 +0100 (CET)
X-Original-To: beepwg@beepcore.org
Delivered-To: beepwg-lista@hl27.dinaserver.com
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by hl27.dinaserver.com (Postfix) with ESMTP id 4E6B978DE87 for <beepwg@beepcore.org>; Fri, 13 Mar 2009 22:31:37 +0100 (CET)
Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out3.apple.com (Postfix) with ESMTP id BB1E2568DF50; Fri, 13 Mar 2009 14:31:36 -0700 (PDT)
Received: from relay14.apple.com (unknown [127.0.0.1])A3908280AA; Fri, 13 Mar 2009 14:31:36 -0700 (PDT)
X-AuditID: 11807134-ab060bb000000ff0-60-49bad0b8df06
Received: from dkramer.apple.com (dkramer.apple.com [17.224.20.97]) by relay14.apple.com (Apple SCV relay) with ESMTP id 7327A28087; Fri, 13 Mar 2009 14:31:36 -0700 (PDT)
Subject: Re: [beepwg] A couple of features to limit BEEP no reply attack
Mime-Version: 1.0 (Apple Message framework v1047)
Content-Transfer-Encoding: 7bit
From: David Kramer <dkramer@apple.com>
Message-Id: <9471C896-E007-4745-8A49-885D51B6B130@apple.com>
In-Reply-To: <1236942381.17324.180.camel@vulcan.aspl.local>
Date: Fri, 13 Mar 2009 14:31:36 -0700
References: <1236942381.17324.180.camel@vulcan.aspl.local>
Content-Type: text/plain; delsp=yes; charset=us-ascii; format=flowed
To: Francis Brosnan Blazquez <francis@aspl.es>
X-Mailer: Apple Mail (2.1047)
X-Brightmail-Tracker: AAAAAA==
X-DinaScanner: Libre de Virus, Este E-Mail no ha sido analizado.
X-DinaScanner-SpamCheck: no es spam, SpamAssassin (not cached, puntaje=-6.599, requerido 6, autolearn=not spam, BAYES_00 -2.60, RCVD_IN_DNSWL_MED -4.00),
cc: BEEPwg <beepwg@beepcore.org>
X-BeenThere: beepwg@beepcore.org
X-Mailman-Version: 2.1
Precedence: list
List-Id: <beepwg.beepcore.org>
List-Help: <mailto:beepwg-request@beepcore.org?subject=help>
List-Post: <mailto:beepwg@beepcore.org>
List-Subscribe: <http://beepcore.org/mailman/listinfo/beepwg>, <mailto:beepwg-request@beepcore.org?subject=subscribe>
List-Unsubscribe: <http://beepcore.org/mailman/listinfo/beepwg>, <mailto:beepwg-request@beepcore.org?subject=unsubscribe>
Sender: beepwg-bounces@beepcore.org
Errors-To: beepwg-bounces@beepcore.org
X-DinaScanner-Information: DinaScanner. Filtro anti-Spam y anti-Virus
X-MailScanner-ID: 4C3BF75F4A4.EB08B
X-DinaScanner-From: beepwg-bounces@beepcore.org

Francis,

I read your draft proposal for the reply-limit and no-reply features  
and have a few questions and comments.

First, regarding reply-limit:

* The reply-limit feature could be implemented by the library  
implementing the BEEP protocol.  The library could automatically  
terminate the session whenever it determined that the remote peer was  
taking too long to reply to requests.  Clients using the library could  
override this timeout value on a per-session and per-channel basis.   
Can you provide an example showing why it is better to make this a  
feature of the BEEP protocol instead of just implementing this in the  
library?

* When using reply-limit, if peer A takes longer than the limit to  
reply, is it considered a protocol violation if peer B doesn't  
terminate the session?  In other words, who's responsibility is it to  
enforce the reply-limit?  Both peers?  Or just the receiving peer?

Regarding "no-reply":

* Because the "no-reply" feature still allows replies, a downside of  
using "no-reply" instead of NFN messages is that each peer still has  
to keep track of all of the un-replied-to messages it has sent, in  
order to verify that each RPY that does arrive has a valid msgno.  The  
peer's memory usage will increase for each message it sends that the  
remote peer does not reply to.  Do you agree that this feature would  
be unusable in low-memory environments, unless the peer stopped  
validating the msgno of incoming RPY messages?

* The issue you mention about the NFN scheme not supporting  
correlation between requests and replies was first raised because I  
suggested that the NFN scheme could be used to implement support for  
out-of-order replies.  As was pointed out to me, and I agree, the  
application would have to do extra work to correlate these out-of- 
order replies, which could instead be handled by the msgno value in  
the frame header if the protocol were changed to allow out of order  
RPYs.  But in the cases where you do not want a reply, this issue does  
not apply.

* The "no-reply" feature seems mis-named.  You are not creating a  
channel in which there are no replies, you are creating a channel in  
which replies are optional, and the choice is made by the receiver,  
not the sender.  This does not seem like a useful feature to me.  I  
would understand a feature that allowed for a channel on which replies  
were not allowed at all (eg, it is against the rules to send a RPY  
when you receive a MSG on the channel) and I would understand a  
feature that allowed for channel on which the sender specified whether  
or not a RPY was needed (eg, the sender could send a NFN if it didn't  
want a RPY, and it could send a MSG if it did want a RPY)... but I  
don't understand the "no-reply" feature, because it allows the  
receiver to decide whether or not to respond.  Can you provide an  
example protocol where it is useful to allow the receiving peer the  
option to decide whether or not it replies?  Also, I suggest renaming  
the feature to "optional-reply".

Regarding the over-all goal of limiting BEEP no reply attack:

* Anytime a remote peer does not behave the way you want, you have the  
right to terminate the session.  Why is this not sufficient for  
protecting against the no reply attack?  Can't all of this just be  
implemented by the library?  For example, if the client of the library  
asks to close a channel, and the remote peer refuses, the library  
could automatically terminate the session -- or it could terminate the  
session on the third failed attempt -- or whatever policy you want.   
And if the client of the library sends a message but receives no reply  
after some timeout, the library could automatically terminate the  
session.  Does any of this have to be part of the protocol?  What is  
the advantage of broadcasting your reply-limit to the other peer?  If  
I tell you my reply-limit is 10, and you take 11 seconds to reply on  
channel 0, I'll terminate the session.  But I could do the same even  
if I didn't tell you what my reply-limit is, right?  What is the  
difference?

* In the case where a peer is is performing the permanent negative  
close attack on only one channel, I could see the use for a "channel  
terminate" message that the peer could send over channel 0 to indicate  
that it would no longer consider valid any messages sent with that  
channel number.  Do you think this would solve the problem  
effectively?  If the remote peer is performing the permanent negative  
close attach on all channels (or just on channel 0) then terminating  
the session is already the appropriate response, right?

You goal of limiting BEEP no reply attacks is good, but I don't yet  
see any compelling reasons to make the features you have described  
part of the protocol.  If you can describe some profiles where these  
features would be useful it might be easier for me to understand the  
purpose of the features and comment on them more effectively.

Thanks,
David

On Mar 13, 2009, at 4:06 AM, Francis Brosnan Blazquez wrote:

> Hi,
>
> I've been working on a couple of features that will allow limiting how
> BEEP implements some reply requirements that may be used to setup an
> attack.
>
> It would be great to known your opinion about this.
>
> Cheers!
> -- 
> Francis Brosnan Blazquez <francis@aspl.es>
> Advanced Software Production Line, S.L.
> <draft-brosnan-beep-limit-close.txt>