Re: [CGA-EXT] Possible DoS attack to DAD in SEND ?

Tony Cheneau <tony.cheneau@it-sudparis.eu> Thu, 26 November 2009 22:46 UTC

Date: Thu, 26 Nov 2009 23:46:01 +0100 (CET)
From: Tony Cheneau <tony.cheneau@it-sudparis.eu>
To: Alberto García <alberto@it.uc3m.es>
In-Reply-To: <BA2095E910AB454F9408A7EF7B249BD9@bombo>
Message-ID: <alpine.LNX.2.00.0911262254210.11124@localhost.localdomain>
References: <BA2095E910AB454F9408A7EF7B249BD9@bombo>
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Possible DoS attack to DAD in SEND ?

Hello Alberto,

> I was wondering if the following is really an issue for SEND hosts doing
> DAD, and if it is worth protecting against (this arose when defining SAVI
> operation for SEND):

This is the attack I described to the list in this mail:
http://www.ietf.org/mail-archive/web/cga-ext/current/msg00057.html
And then a thread (providing some other solutions):
http://www.ietf.org/mail-archive/web/cga-ext/current/msg00075.html

> I don't see in RFC 3971 any countermeasure to this. Am I right?
The spec does not say how to counter this. However, in current
implementations, adding a fix seems pretty straightforward.

>
> Do you think this is a problem? If so, do you think it needs to be fixed?

IMHO, RFC 3971-bis should explicitly provide a solution to counter this 
attack.
> A simple solution would be for the possible victim to discard received DAD
> NSOLs for the same address that it has in tentative state that have the same
> <public key, nonce, timestamp> as the DAD NSOL that it had sent before.
> (The probability of a legitimate collision in which another host
> generates a DAD NSOL with the same public address, nonce and timestamp
> should be really low.)
Just comparing the nonce value should suffice.


> For ND (unsecured), this case is also a problem, but for ND you can't decide
> by looking at a received DAD NSOL whether it is an attack or just a real
> collision (and this could also be an incentive to use SEND, of course).
Plain ND is not secure anyway.
Some scenarios use a network setup where each node is on a
different port of a switch. If the switch were to support Multicast
Listener Discovery, the attacker would never get to receive the DAD NS
message to begin with. As stated in:
http://www.ietf.org/mail-archive/web/cga-ext/current/msg00077.html
Hence, it would preclude the attack. Am I wrong?

Regards,
 	Tony
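As an added illustration of the check discussed in this thread (not code from the thread or from any SEND implementation), the following Python model tracks the DAD NS a host sent for each tentative address and discards a received copy that echoes it back, either by comparing the full <public key, nonce, timestamp> tuple or, as suggested above, by comparing the nonce alone. The message fields, their names and the sample values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DadNs:
    """Constructed model of a DAD Neighbor Solicitation with SEND options."""
    target: str        # tentative address being probed
    pubkey: bytes      # public key carried in the CGA option
    nonce: bytes       # Nonce option value
    timestamp: float   # Timestamp option value


class DadState:
    """Per-host record of outstanding DAD probes for tentative addresses."""

    def __init__(self) -> None:
        self._sent: dict[str, DadNs] = {}

    def send_dad(self, ns: DadNs) -> DadNs:
        # Remember what we emitted so an echoed copy can be recognised.
        self._sent[ns.target] = ns
        return ns

    def on_receive_dad(self, ns: DadNs, nonce_only: bool = False) -> str:
        """Classify an incoming DAD NS for one of our addresses.

        Returns "ignore" (not a tentative address of ours), "discard"
        (our own probe reflected back: not a collision) or "collision"
        (a different node really is probing the same address).
        """
        mine = self._sent.get(ns.target)
        if mine is None:
            return "ignore"
        if nonce_only:
            reflected = ns.nonce == mine.nonce
        else:
            reflected = (ns.pubkey, ns.nonce, ns.timestamp) == (
                mine.pubkey, mine.nonce, mine.timestamp)
        return "discard" if reflected else "collision"


# Constructed sample values (a real host would draw a fresh random nonce).
MY_KEY = b"host-A-public-key"
MY_NS = DadNs("fe80::1", MY_KEY, b"\x01\x02\x03\x04\x05\x06", 1259275561.0)

# Other nodes' probes, used in the checks below.
ECHOED = MY_NS                                              # attacker replay
SAME_NONCE = DadNs("fe80::1", b"host-B-key", MY_NS.nonce, 1259275570.0)
REAL_CLASH = DadNs("fe80::1", b"host-B-key", b"\x0a\x0b\x0c\x0d\x0e\x0f", 1259275570.0)
OTHER_ADDR = DadNs("fe80::2", b"host-C-key", b"\x10\x11\x12\x13\x14\x15", 1259275570.0)
```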