IETF Logo Mail Archive

[Hipsec] Comments on hiccups draft

Tobias Heer <heer@cs.rwth-aachen.de> Mon, 27 July 2009 14:26 UTC

Return-Path: <heer@informatik.rwth-aachen.de>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 180DB28C185 for <hipsec@core3.amsl.com>; Mon, 27 Jul 2009 07:26:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Level:
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHFs5-ebCBIX for <hipsec@core3.amsl.com>; Mon, 27 Jul 2009 07:26:12 -0700 (PDT)
Received: from mta-2.ms.rz.rwth-aachen.de (mta-2.ms.rz.RWTH-Aachen.DE [134.130.7.73]) by core3.amsl.com (Postfix) with ESMTP id DF87628C1E4 for <hipsec@ietf.org>; Mon, 27 Jul 2009 07:26:11 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Received: from ironport-out-1.rz.rwth-aachen.de ([134.130.5.40]) by mta-2.ms.rz.RWTH-Aachen.de (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008)) with ESMTP id <0KNG00KEO2RLZR50@mta-2.ms.rz.RWTH-Aachen.de> for hipsec@ietf.org; Mon, 27 Jul 2009 16:26:09 +0200 (CEST)
X-IronPort-AV: E=Sophos;i="4.43,276,1246831200"; d="scan'208";a="20522195"
Received: from relay-auth-1.ms.rz.rwth-aachen.de (HELO relay-auth-1) ([134.130.7.78]) by ironport-in-1.rz.rwth-aachen.de with ESMTP; Mon, 27 Jul 2009 16:26:09 +0200
Received: from dhcp-11f5.meeting.ietf.org ([unknown] [130.129.17.245]) by relay-auth-1.ms.rz.rwth-aachen.de (Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)) with ESMTPA id <0KNG006V52RKSM00@relay-auth-1.ms.rz.rwth-aachen.de> for hipsec@ietf.org; Mon, 27 Jul 2009 16:26:08 +0200 (CEST)
Message-id: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: hip WG <hipsec@ietf.org>
Date: Mon, 27 Jul 2009 16:26:05 +0200
X-Mailer: Apple Mail (2.935.3)
Subject: [Hipsec] Comments on hiccups draft
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2009 14:26:13 -0000

Some comments on the hiccups draft. In general I find the approach  
interesting and worth pursuing. Below are some questions that mostly  
focus on security:

Conceptual comments and questions:
----------------------------------

Section 3: Existence of the HMAC in the packet:
The hiccups draft states that "[the payload is] protected by a  
PAYLOAD_HMAC parameter". To me it is unclear how such protection can  
possibly work. Since there is no previous handshake there are no keys  
for use in the HMAC. Jan explained that the HMAC is merely used as a  
way to create a digest over the packet for making the signature more  
efficient. However, if it is only used for creating the digest, I  
wonder why it is actually transmitted in the packet because without a  
secret included in the packet, the digest can easily be calculated and  
transmitting the digest in a packet seems to be a unnecessary waste of  
space. Am I missing something here? It would be nice if the draft was  
more precise about the nature and the use of the HMAC.

Section 4.3: Sending R1 if receiver suspects an attack:
I guess that in this case, the receiver drops the data packet and its  
content should be retransmitted (by a higher-layer mechanism?)? If  
yes, this could be mentioned somewhere.

Replay protection:
The draft talks about a immediate replays of DATA packets in the  
context of DoS attacks targeted at ACK signature generation. However,  
it does not talk about replays after a longer time (e.g. to mess with  
upper-layer state machines).
How can hosts shelter against replays of valid but old hiccups  
packets? The sequence number only works from the second packet on and  
still complete sequences of HIP DATA packets can be replayed. Caching  
packets or keeping state for every ever-received packet is probably  
not feasible. Is there a solution? If not, this should also be stated  
in the text and the security considerations.

Various sections: DoS resistance:
The draft briefly mentions that the protocol is susceptible to DoS  
attacks. This statement is rather vague and only mentions the absence  
of "half-stateless DoS protection nature of the base exchange" and  
immediate replays. However, CPU targeted DoS attacks (verification of  
PK-sigantures without a puzzle or working HMAC to shelter against  
floods of HIP DATA packets - not necessarily replays) seem much more  
realistic to me than state a space exhaustion attacks. Using HIP DATA  
packet creates a computational asymmetry between the attacker and the  
victim (receiver). This imbalance could be mentioned in a more  
explicit way.


Editorial comments:
-------------------

Section 4.3: "The host MAY responds" -> "The host MAY respond"

Best regards,
Tobias






--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer

v2.31.3 | Report a Bug | By Email | System Status