Re: [core] FW: New Version Notification for draft-mattsson-core-coap-attacks-00.txt

Achim Kraus <achimkraus@gmx.net> Thu, 20 May 2021 13:35 UTC

To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "core@ietf.org" <core@ietf.org>
Cc: Benjamin Kaduk <kaduk@mit.edu>
References: <162118463178.7394.3689900002808274496@ietfa.amsl.com> <885D9BEC-2A2A-4710-97BB-1BBB0CD6D22D@ericsson.com>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <0b473b47-c689-a0e5-c68c-585ce496bbce@gmx.net>
Date: Thu, 20 May 2021 15:34:40 +0200
In-Reply-To: <885D9BEC-2A2A-4710-97BB-1BBB0CD6D22D@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/R0RrzXAwJcxDlJD6Io_7b2UglKg>

Hello John,

great work!

I left some comments as issues in

https://github.com/EricssonResearch/coap-actuators

Generally, I personally prefer it if the attack descriptions also
include whether some assumption tends to be "cannot be excluded" or "can
be demonstrated".

best regards
Achim Kraus

On 19.05.21 at 05:07, John Mattsson wrote:
> Hi,
>
> I made an update to draft-mattsson-core-coap-actuators, renamed the document and submitted it as draft-mattsson-core-coap-attacks-00. Except for a few editorial updates, the big addition is a new section on amplification attacks. I think draft-mattsson-core-coap-attacks should be published as an informal document similar to e.g. RFC 7457.
>
> I think CORE needs to discuss and take more concrete action against amplification attacks. Typical CoAP deployments have quite high amplification factors of 10-100, CoAP amplification attacks are happening in the wild, and they are getting quite a lot of media attention:
>
> https://www.netscout.com/blog/asert/coap-attacks-wild
>
> https://www.zdnet.com/article/the-coap-protocol-is-the-next-big-thing-for-ddos-attacks/
>
> https://www.zdnet.com/article/fbi-warns-of-new-ddos-attack-vectors-coap-ws-dd-arms-and-jenkins/
>
> https://www.helpnetsecurity.com/2019/03/08/iot-coap-ddos-weapon/
>
> https://blog.mazebolt.com/understanding-the-coap-ddos-attack-vector
>
> https://www.securityweek.com/attackers-use-coap-ddos-amplification
>
> https://medium.com/nsc42/what-is-coap-and-is-it-the-next-ddos-for-iot-de8ee97e57e6
>
> https://www.globaldots.com/resources/blog/iot-devices-using-coap-increasingly-used-in-ddos-attacks/
>
> CORE has considered amplification attacks since the start, but the current recommendations are quite soft. There might be reason to strengthen the recommendations or even enforce certain behavior. QUIC has e.g. decided on a maximum amplification factor of 3.... Observe and multicast have the risk of significantly increasing amplification.
>
> I have already received some comments from Carsten who also helped transform the XML to markdown. I will submit the -01 version before the cutoff. Big thanks Carsten! (I never want to manually edit XML again....).
>
> A repository for the draft can be found here:
> https://github.com/EricssonResearch/coap-actuators
> (The draft does not compile after the name change and format change, we will fix that in the coming weeks).
>
> This was previously discussed here
> https://mailarchive.ietf.org/arch/msg/core/i6bf9C0ObT5FIplkHPms9gaC47U/
>
> Cheers,
> John
>
> -----Original Message-----
> From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
> Date: Sunday, 16 May 2021 at 19:04
> To: Christian Amsüss <c.amsuess@energyharvesting.at>, Göran Selander <goran.selander@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>, Christian Amsuess <c.amsuess@energyharvesting.at>, Francesca Palombini <francesca.palombini@ericsson.com>, Göran Selander <goran.selander@ericsson.com>, John Fornehed <john.fornehed@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>
> Subject: New Version Notification for draft-mattsson-core-coap-attacks-00.txt
>
>
> A new version of I-D, draft-mattsson-core-coap-attacks-00.txt
> has been successfully submitted by John Preuß Mattsson and posted to the
> IETF repository.
>
> Name:		draft-mattsson-core-coap-attacks
> Revision:	00
> Title:		Summarizing Known Attacks on CoAP
> Document date:	2021-05-16
> Group:		Individual Submission
> Pages:		21
> URL:            https://www.ietf.org/archive/id/draft-mattsson-core-coap-attacks-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-mattsson-core-coap-attacks/
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-mattsson-core-coap-attacks
> Htmlized:       https://tools.ietf.org/html/draft-mattsson-core-coap-attacks-00
>
>
> Abstract:
>     Being able to trust information from sensors and to securely control
>     actuators are essential in a world of connected and networking things
>     interacting with the physical world.  This document summarizes known
>     attacks, and shows that just using CoAP with a security protocol like
>     DTLS, TLS, or OSCORE is not enough for secure operation.  The goal
>     with this document is motivating generic and protocol-specific
>     recommendations on the usage of CoAP.  Several of the discussed
>     attacks can be mitigated with the solutions in
>     [I-D.ietf-core-echo-request-tag].
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
>
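The pre-validation amplification limit John mentions for QUIC, carried over to a CoAP server as a worked example. This is added code, not from the thread, the draft or any CoAP implementation; the class names, the 12-byte challenge size and the 198.51.100.7 address are constructed for illustration, and the validation step is assumed to follow the Echo exchange of I-D.ietf-core-echo-request-tag (a short 4.01 response carrying an Echo option, which only a client that really sits at the source address can echo back).

```python
"""Added example: a per-source amplification budget for a CoAP server.
Not the draft's or any implementation's code; sizes and addresses are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ClientState:
    """Per-source-address accounting while the address is unvalidated."""
    bytes_received: int = 0
    bytes_sent: int = 0
    validated: bool = False


class AmplificationGuard:
    """Bound what the server sends to a source address it has not validated.

    max_factor mirrors the 3x pre-validation limit QUIC uses; challenge_len
    (constructed) stands for a small 4.01 response with an Echo option, as
    assumed from I-D.ietf-core-echo-request-tag.
    """

    def __init__(self, max_factor: float = 3.0, challenge_len: int = 12):
        self.max_factor = max_factor
        self.challenge_len = challenge_len
        self.clients: Dict[str, ClientState] = {}

    def _state(self, addr: str) -> ClientState:
        return self.clients.setdefault(addr, ClientState())

    def on_request(self, addr: str, request_len: int) -> None:
        """Credit the budget with the bytes this source actually sent us."""
        self._state(addr).bytes_received += request_len

    def decide(self, addr: str, response_len: int) -> str:
        """Return "send" if the response fits the budget, else "challenge"."""
        st = self._state(addr)
        if st.validated:
            st.bytes_sent += response_len
            return "send"
        budget = self.max_factor * st.bytes_received - st.bytes_sent
        if response_len <= budget:
            st.bytes_sent += response_len
            return "send"
        # Over budget: answer with a short challenge instead of the payload.
        # A spoofed source never sees the challenge, so the large response
        # is never released toward the address on the packet.
        st.bytes_sent += self.challenge_len
        return "challenge"

    def mark_validated(self, addr: str) -> None:
        """Call once the client has echoed the challenge back correctly."""
        self._state(addr).validated = True


def amplification_factor(request_len: int, response_len: int) -> float:
    """Response bytes per request byte for a single exchange."""
    return response_len / request_len


def scenario() -> List[str]:
    """Constructed exchange: a 21-byte GET for a 1200-byte resource."""
    guard = AmplificationGuard(max_factor=3.0)
    src = "198.51.100.7"                       # documentation address, constructed
    decisions = []
    guard.on_request(src, 21)                  # unvalidated: budget is 63 bytes
    decisions.append(guard.decide(src, 1200))  # 1200 > 63 -> "challenge"
    guard.on_request(src, 33)                  # retry carrying the Echo option
    guard.mark_validated(src)                  # echo matched, address is real
    decisions.append(guard.decide(src, 1200))  # -> "send"
    return decisions


if __name__ == "__main__":
    print(scenario(), round(amplification_factor(21, 1200), 1))
```

The budget is tracked per source address rather than per request so that a burst of small requests from one spoofed address cannot accumulate into a large total; once the Echo round trip succeeds, the limit is lifted for that address only.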