IETF Logo Mail Archive

Re: [core] Consensus on using Echo to mitigate NoSec amplification?

Achim Kraus <achimkraus@gmx.net> Wed, 26 February 2020 06:50 UTC

Return-Path: <achimkraus@gmx.net>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B210B3A0F04 for <core@ietfa.amsl.com>; Tue, 25 Feb 2020 22:50:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLeHddNDaPY9 for <core@ietfa.amsl.com>; Tue, 25 Feb 2020 22:50:24 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 933083A0F02 for <core@ietf.org>; Tue, 25 Feb 2020 22:50:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1582699818; bh=B2+7vChqOEDuLJhqGIh2kTc5Y0gN5vmcz1SfuBg0yK4=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=fINkUhfa6YKpYk4/Fv6sQNDxaOz8GE/kUSfoT/iwr6JjKAlMfRz7ebpHNckJxfZXs /NQzxvcMaXno/His/nwsXMNGZoNQ/PJorHxGMX7XJlbPcp6A8eH98YFy2JWwPaWSh4 8rg2EhiazEhFtDFmNZyY9Nq9Mf9y6cLAk8QnNTUQ=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.45] ([94.216.229.249]) by mail.gmx.com (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1M8ygY-1j0mQg0HWI-00698l; Wed, 26 Feb 2020 07:45:04 +0100
To: Carsten Bormann <cabo@tzi.org>, Core <core@ietf.org>
References: <2554B0B8-1C32-453E-AB28-90AB61242450@tzi.org>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <3c35523f-6e31-f74e-51bb-7b63e5ea7bb4@gmx.net>
Date: Wed, 26 Feb 2020 07:45:01 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <2554B0B8-1C32-453E-AB28-90AB61242450@tzi.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:mc4AD2itn6EP0XoeAj5fldrj6dj2Fqw7fl6l04eh/kyxc+rYRJW ahjvRZ+KtbRDwjWzLGkXVxo8CTcRj7YxXpj84y26slLyaN8PQLKuwSLkUf6eyzkAYGMJQvv C9hws3PThM2XsDCPNFkW/Ux7gJG5ac211Ox1sQj8FgMmIqaujo+cdlkRd5KxIKDRY4InMUy 8BX7XlrF+WDpCXKNOAeXQ==
X-UI-Out-Filterresults: notjunk:1;V03:K0:7z+i2LqKS0U=:ROukKIv5fuREOcFRs0zqKI td/G4o03fC0BokP4IHeMTMnEv//VLgMeo6jWbyMxQqkz1jioI12eNeW+pbzB96a6UtarF7pyF jLjpDTlVpVFb2lCM/tNaolxZKe1QbUOn/IPtiFxHJDfmY0U8LHoT22s2yK80bHEFF/arfyB0n hl3VPgrzOoZ8TphnAnPcpi9dXXACpEGT/1ftEy0yXNqFPSNeoiggtcglB4gYJ+OOZPzEU57Ek LgH6KPCL+KUirTSF7TLEj1SFZMbP8Zvz/UbOnHT5+d6wMri/NeFEu/udQr4XX8K5sciy7tgw7 xvMAk8CRobsVRUV9FwTM3TE3QfGlBvmyvhoedbFKWxDjyPYxMDksfNoAxg60GoqyiEdxWas2a ub9vPBmq33doTwXhPYJfvBhECbfC7HtctImJ+Y/+NhePTiFr8mgbkXThqNLjtDQCOfiBsdmcw x6mlhXqsG/hQzhIGXuKDVU31VMJTmiRbpi3Rx9+bWyTHMyYB63b21lDyiLisWD5DrcmmDWVQe PhEuFXRtj3saCSPwfwRHSrXpsMdEU92j04cRJ5MBk62iDDFy454TYc+xJMCUhaC4KbitKeOjh 9WpMSBTpdnOYKepRH02wo/v8TM3Hv2B/jHmiM+KhC/yhdkHVIEAyQyfbpDcWYh5s/B75iBxkA pC2WF8ZVnzuMuhcWZweLt8QRapNvRSTZ1nI0wJ2/AfZiI4RU3ycG0iuFbm+s5hpCKJWSlaMJN vx83hUI/1YcwNehHTZTusyyB2vYH7H75Qiz/sCod2Ue6iHRtjBWjAc4GufhvOCdfpu5gMvY25 BbznpntLWLekfSlpCqHuQHuDexiI2Lgk1bty9vNyeKyeMdsPsZPvVXVd5viRLKTwB0zLoFYY4 k58v2czMX7XFXlan2pfQ2kx/cGgB01tHba9a+EAzq9Q2vO7YFxeD9SlP3Za+x0M6Yo5aYpMzI CTa5jZx8gRR78+r9QIcfo88KvOB5uKWyvF8/8+98o0Yd/zh4WNO2/l8dQ1SdtEwrmWboGMpzZ hnRA2/DBX/03rozy+b9/z/Z/Y02/mF5/j9eoYkhHVQca9KbqdEdsXhkPi77rHqr9GaklJvVXo UbcjZooMkBYyfEHy/6qgHHp4UFJrVH6kRrOHvEntc17alqFKASWpeAMkttfmFS+gM9nsc/K3V Tdo+gRgCLGNgxozvZSCAcNV9gqMWR3RXPdM5GE8o2YjwumONH/+oDTrFKwpZxaog+zJwT5F2c XTYzOsVUPvHIkXHcS
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/4U3gdLFWWnJa5ft9wZ1_VP6q6j4>
Subject: Re: [core] Consensus on using Echo to mitigate NoSec amplification?
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 06:50:26 -0000

Hello Carsten
Hello List,

 > There are now people out there that believe CoAP ranks with DNS and
NTP in the DDoS threat generated.

It seems to be indeed important to have such security mechanisms at a
prominent place. Otherwise researchers may fail to read it.

For example, the document "The Fragility of Industrial IoT's Data
Backbone" from late 2018, cites on page 24, the RFC 7959, page 6, with
"Both sides have a say in the block size that actually will be used."
and concludes "This means that the attacker could craft a request packet
asking for the maximum block size.". That conclusion is not according
RFC7959. The researcher would have to read through page 10-11 to find
"(The effect is that, if the server uses the smaller of (1) its
preferred block size and (2) the block size requested, all blocks for a
body use the same block size.)"

So, have it in a prominent place, will really pay off.

best regards
Achim Kraus


Am 25.02.20 um 14:19 schrieb Carsten Bormann:
> In draft-ietf-core-echo-request-tag-08.txt, Section 2.4 item 3 places a SHOULD on a "server that sends large responses to unauthenticated peers” to mitigate the amplification threat using the Echo Option procedure.
>
> draft-ietf-core-echo-request-tag already is flagged to update RFC7252, but this is called out in the abstract and introduction only for Token processing.  The SHOULD in Section 2.4 item 3 is a bit hidden for my taste.  My esteemed co-chair pointed out to me that we don’t really advertise a mitigation for the substantial amplification opportunities posed by those installations that do not translate the discussion in Section 11.3 of RFC 7252 into active behavior.  There are now people out there that believe CoAP ranks with DNS and NTP in the DDoS threat generated.
>
> <chair hat>
> Would the CoRE WG be fine with expanding the “updates 7252” text in draft-ietf-core-echo-request-tag to also include recommending this mitigation?  If you have a position on this, please reply to the list (or to the chairs) by March 2nd.
>
> Grüße, Carsten
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
>

v2.23.0 | Report a Bug | By Email