Re: [core] Consensus on using Echo to mitigate NoSec amplification?

Thomas Fossati <Thomas.Fossati@arm.com> Mon, 02 March 2020 16:16 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Christian Amsüss <christian@amsuess.com>, Carsten Bormann <cabo@tzi.org>
CC: Core <core@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Date: Mon, 02 Mar 2020 16:15:57 +0000
Message-ID: <A59BB8D3-EB9B-4D6A-9192-454CF54EB9CE@arm.com>
References: <2554B0B8-1C32-453E-AB28-90AB61242450@tzi.org> <20200302160627.GB568382@hephaistos.amsuess.com>
In-Reply-To: <20200302160627.GB568382@hephaistos.amsuess.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/VtF13moW-pdCRowbyngF0y9f5Kc>
Subject: Re: [core] Consensus on using Echo to mitigate NoSec amplification?
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>

Hi Christian,

On 02/03/2020, 16:08, "Christian Amsüss" <christian@amsuess.com> wrote:
> On Tue, Feb 25, 2020 at 02:19:33PM +0100, Carsten Bormann wrote:
> > Would the CoRE WG be fine with expanding the “updates 7252” text in
> > draft-ietf-core-echo-request-tag to also include recommending this
> > mitigation?  If you have a position on this, please reply to the list
> > (or to the chairs) by March 2nd.
>
> The current version stays as vague on what a larger response is as
> RFC7252, I'd like to sharpen that when incorporating the above. My
> current corner points are "a TCP SYN+ACK is 3 bytes larger than a SYN",
> and that NTP had a factor-200 amplification built in earlier versions
> (though that's probably UDP-only, and headers'd make that more like
> factor-50).
>
> Is there any guidance that could be referenced, e.g. an RFC that puts a
> number to what constitutes an amplification attack vector? Even [RFC4732]
> only talks of "significantly greater" packages.

QUIC seems to set the limit to 3x the request size [1].

[1] https://www.ietf.org/id/draft-ietf-quic-transport-27.html#section-10.3

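To make the numbers in this exchange concrete, here is a small model of a NoSec CoAP server that applies the Echo challenge only when the response it is about to send would exceed the 3x bound Thomas cites from QUIC. It is an added example written for this archive page, not code from the thread, from the Echo/Request-Tag draft, or from any CoAP implementation. Assumptions made for the example: the Echo option number 252, the stateless Echo value layout (4-byte timestamp followed by an 8-byte truncated HMAC over timestamp and client address) and the 60-second freshness window are this example's choices; the wire sizes count only the fixed header, token, the options modelled and the payload marker, not a full CoAP encoder; the sample resources and addresses are constructed.

```python
"""Echo as an amplification guard for a NoSec CoAP server (added example, not draft or project code)."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

AMPLIFICATION_LIMIT = 3          # the QUIC bound quoted in the mail: response <= 3x request
ECHO_OPTION_NUMBER = 252         # assumed option number for Echo
ECHO_FRESHNESS_SECONDS = 60      # assumed freshness window for a stateless Echo value
ECHO_MAC_LEN = 8                 # assumed MAC truncation: 4-byte timestamp + 8 = 12-byte value
URI_PATH_OPTION_NUMBER = 11      # RFC 7252
COAP_HEADER_LEN = 4              # RFC 7252 fixed header


def _option_len(delta: int, value_len: int) -> int:
    """Wire size of one CoAP option (RFC 7252 section 3.1): 1 byte + extended delta/length + value."""
    ext = 0
    for n in (delta, value_len):
        if n >= 269:
            ext += 2
        elif n >= 13:
            ext += 1
    return 1 + ext + value_len


@dataclass
class Request:
    src: str                     # source address as seen by the server; under NoSec it may be spoofed
    path: str
    token: bytes = b""
    echo: Optional[bytes] = None

    def wire_size(self) -> int:
        size = COAP_HEADER_LEN + len(self.token) + _option_len(URI_PATH_OPTION_NUMBER, len(self.path.encode()))
        if self.echo is not None:  # options are delta-encoded in ascending order, Echo after Uri-Path
            size += _option_len(ECHO_OPTION_NUMBER - URI_PATH_OPTION_NUMBER, len(self.echo))
        return size


@dataclass
class Response:
    code: str                    # e.g. "2.05", "4.01"
    token: bytes = b""
    payload: bytes = b""
    echo: Optional[bytes] = None

    def wire_size(self) -> int:
        size = COAP_HEADER_LEN + len(self.token)
        if self.echo is not None:
            size += _option_len(ECHO_OPTION_NUMBER, len(self.echo))
        if self.payload:
            size += 1 + len(self.payload)   # 0xFF payload marker + payload
        return size


def amplification(req: Request, resp: Response) -> float:
    """Bytes the server emits per byte the (possibly spoofing) client sent."""
    return resp.wire_size() / req.wire_size()


class EchoGuardedServer:
    def __init__(self, secret: bytes, resources: Dict[str, bytes], now=time.time):
        self._secret = secret        # server-local key; never leaves the server
        self._resources = resources
        self._now = now              # injectable clock so freshness can be tested

    def _mac(self, ts_bytes: bytes, src: str) -> bytes:
        # Binding the MAC to the source address means an Echo obtained for the attacker's own
        # address cannot be replayed in a request that spoofs a victim.
        return hmac.new(self._secret, ts_bytes + src.encode(), hashlib.sha256).digest()[:ECHO_MAC_LEN]

    def make_echo(self, src: str) -> bytes:
        ts_bytes = struct.pack("!I", int(self._now()))
        return ts_bytes + self._mac(ts_bytes, src)

    def echo_valid(self, echo: bytes, src: str) -> bool:
        if len(echo) != 4 + ECHO_MAC_LEN:
            return False
        ts_bytes, mac = echo[:4], echo[4:]
        if not hmac.compare_digest(mac, self._mac(ts_bytes, src)):
            return False
        (ts,) = struct.unpack("!I", ts_bytes)
        return 0 <= self._now() - ts <= ECHO_FRESHNESS_SECONDS

    def handle(self, req: Request) -> Response:
        payload = self._resources.get(req.path)
        if payload is None:
            return Response("4.04", req.token)
        full = Response("2.05", req.token, payload)
        if full.wire_size() <= AMPLIFICATION_LIMIT * req.wire_size():
            return full              # small answer: no round trip needed, same as today
        if req.echo is not None and self.echo_valid(req.echo, req.src):
            return full              # client proved it can receive at this address
        return Response("4.01", req.token, echo=self.make_echo(req.src))


def fetch(server: EchoGuardedServer, src: str, path: str, token: bytes = b"\x01") -> Response:
    """Honest client: one request, plus one retry carrying the Echo value if challenged."""
    first = server.handle(Request(src, path, token))
    if first.code != "4.01" or first.echo is None:
        return first
    return server.handle(Request(src, path, token, echo=first.echo))


if __name__ == "__main__":
    server = EchoGuardedServer(b"rotate-me", {"temp": b"21.5", "firmware": bytes(1500)})
    spoofed = Request("10.0.0.9", "firmware")        # attacker forging the victim's address
    reply = server.handle(spoofed)
    print(reply.code, len(reply.payload), round(amplification(spoofed, reply), 2))
    print(fetch(server, "10.0.0.5", "firmware").code)
```

With the constructed resources, the 1500-byte firmware answer to a 13-byte spoofed request is replaced by an 18-byte 4.01 carrying the Echo value, so the attacker gets roughly 1.4x rather than over 100x, and the retry that would unlock the large response is only possible from the address the Echo was minted for. Note that the challenge is itself slightly larger than the request, which is why Echo bounds amplification rather than eliminates it and why a numeric limit such as QUIC's 3x, rather than "significantly greater", is the useful thing to write down.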