[core] FW: New Version Notification for draft-mattsson-core-coap-attacks-00.txt

John Mattsson <john.mattsson@ericsson.com> Wed, 19 May 2021 03:07 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "core@ietf.org" <core@ietf.org>
CC: Benjamin Kaduk <kaduk@mit.edu>, Roman Danyliw <rdd@cert.org>
Date: Wed, 19 May 2021 03:07:50 +0000
Message-ID: <885D9BEC-2A2A-4710-97BB-1BBB0CD6D22D@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/uDhzskRtnxu4-kL1aRubeeV6d1U>

Hi,

I made an update to draft-mattsson-core-coap-actuators, renamed the document, and submitted it as draft-mattsson-core-coap-attacks-00. Except for a few editorial updates, the big addition is a new section on amplification attacks. I think draft-mattsson-core-coap-attacks should be published as an informal document similar to e.g. RFC 7457.

I think CORE needs to discuss and take more concrete action against amplification attacks. Typical CoAP deployments have quite high amplification factors of 10-100, CoAP amplification attacks are happening in the wild, and they are getting quite a lot of media attention:

https://www.netscout.com/blog/asert/coap-attacks-wild

https://www.zdnet.com/article/the-coap-protocol-is-the-next-big-thing-for-ddos-attacks/

https://www.zdnet.com/article/fbi-warns-of-new-ddos-attack-vectors-coap-ws-dd-arms-and-jenkins/

https://www.helpnetsecurity.com/2019/03/08/iot-coap-ddos-weapon/

https://blog.mazebolt.com/understanding-the-coap-ddos-attack-vector

https://www.securityweek.com/attackers-use-coap-ddos-amplification

https://medium.com/nsc42/what-is-coap-and-is-it-the-next-ddos-for-iot-de8ee97e57e6

https://www.globaldots.com/resources/blog/iot-devices-using-coap-increasingly-used-in-ddos-attacks/

CORE has considered amplification attacks since the start, but the current recommendations are quite soft. There might be reason to strengthen the recommendations or even enforce certain behavior. QUIC has e.g. decided on a maximum amplification factor of 3.... Observe and multicast have the risk of significantly increasing amplification.

I have already received some comments from Carsten, who also helped transform the XML to markdown. I will submit the -01 version before the cutoff. Big thanks, Carsten! (I never want to manually edit XML again....)

A repository for the draft can be found here:
https://github.com/EricssonResearch/coap-actuators
(The draft does not compile after the name change and format change, we will fix that in the coming weeks).

This was previously discussed here:
https://mailarchive.ietf.org/arch/msg/core/i6bf9C0ObT5FIplkHPms9gaC47U/

Cheers,
John
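An added example (not code from the e-mail, the draft, or any CoAP implementation) of the kind of enforced behaviour the message discusses: a per-peer budget that caps what a server sends to a not-yet-validated address at the QUIC-style factor of 3, and answers over-budget requests with a small Echo challenge instead of the full response. The sizes, addresses and class names are constructed.

```python
# Added example, not from the e-mail or the draft: a per-peer anti-amplification
# budget for a CoAP server. Until a peer address is validated (e.g. by returning
# a correct Echo value, as in draft-ietf-core-echo-request-tag), the server sends
# at most LIMIT times the bytes it has received from that address; a response
# that would exceed the budget is replaced by a small Echo challenge, and if even
# that does not fit, nothing is sent. All sizes here are constructed.
from dataclasses import dataclass

LIMIT = 3            # max (bytes sent / bytes received) for an unvalidated address
ECHO_CHALLENGE = 16  # constructed size of a 4.01 response carrying an Echo option


@dataclass
class Peer:
    received: int = 0
    sent: int = 0
    validated: bool = False


class AmplificationGuard:
    def __init__(self, limit=LIMIT):
        self.limit = limit
        self.peers = {}

    def budget(self, addr):
        """Bytes the server may still send to an unvalidated addr; None once validated."""
        p = self.peers.setdefault(addr, Peer())
        return None if p.validated else max(0, self.limit * p.received - p.sent)

    def validate(self, addr):
        """Mark addr as validated (the peer proved it can receive at that address)."""
        self.peers.setdefault(addr, Peer()).validated = True

    def handle(self, addr, request_len, response_len):
        """Account one request and decide the reply: ('response'|'echo'|'drop', bytes)."""
        p = self.peers.setdefault(addr, Peer())
        p.received += request_len
        if p.validated or response_len <= self.budget(addr):
            p.sent += response_len
            return "response", response_len
        if ECHO_CHALLENGE <= self.budget(addr):
            p.sent += ECHO_CHALLENGE
            return "echo", ECHO_CHALLENGE
        return "drop", 0


def amplification_factor(request_len, response_len):
    """Response bytes per request byte; the ratio a reflector would hand an attacker."""
    return response_len / request_len
```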

-----Original Message-----
From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Date: Sunday, 16 May 2021 at 19:04
To: Christian Amsüss <c.amsuess@energyharvesting.at>, Göran Selander <goran.selander@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>, Christian Amsuess <c.amsuess@energyharvesting.at>, Francesca Palombini <francesca.palombini@ericsson.com>, Göran Selander <goran.selander@ericsson.com>, John Fornehed <john.fornehed@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>
Subject: New Version Notification for draft-mattsson-core-coap-attacks-00.txt


A new version of I-D, draft-mattsson-core-coap-attacks-00.txt
has been successfully submitted by John Preuß Mattsson and posted to the
IETF repository.

Name:		draft-mattsson-core-coap-attacks
Revision:	00
Title:		Summarizing Known Attacks on CoAP
Document date:	2021-05-16
Group:		Individual Submission
Pages:		21
URL:            https://www.ietf.org/archive/id/draft-mattsson-core-coap-attacks-00.txt
Status:         https://datatracker.ietf.org/doc/draft-mattsson-core-coap-attacks/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-mattsson-core-coap-attacks
Htmlized:       https://tools.ietf.org/html/draft-mattsson-core-coap-attacks-00


Abstract:
   Being able to trust information from sensors and to securely control
   actuators are essential in a world of connected and networking things
   interacting with the physical world.  This document summarizes known
   attacks and shows that just using CoAP with a security protocol like
   DTLS, TLS, or OSCORE is not enough for secure operation.  The goal
   with this document is motivating generic and protocol-specific
   recommendations on the usage of CoAP.  Several of the discussed
   attacks can be mitigated with the solutions in
   [I-D.ietf-core-echo-request-tag].

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat