IETF Logo Mail Archive

Re: [Hipsec] Comments on hiccups draft

Jan Melen <Jan.Melen@nomadiclab.com> Tue, 28 July 2009 14:30 UTC

Return-Path: <Jan.Melen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 09E643A6FB2 for <hipsec@core3.amsl.com>; Tue, 28 Jul 2009 07:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uG56LpxRz-jw for <hipsec@core3.amsl.com>; Tue, 28 Jul 2009 07:30:52 -0700 (PDT)
Received: from n2.nomadiclab.com (n2.nomadiclab.com [IPv6:2001:14b8:400:101::2]) by core3.amsl.com (Postfix) with ESMTP id 523B63A6FB0 for <hipsec@ietf.org>; Tue, 28 Jul 2009 07:30:52 -0700 (PDT)
Received: from n2.nomadiclab.com (localhost [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id 586B11EF28F; Tue, 28 Jul 2009 17:30:52 +0300 (EEST)
Received: from despair.unknown.com (inside.nomadiclab.com [193.234.219.2]) by n2.nomadiclab.com (Postfix) with ESMTP id 1098D1EF28E; Tue, 28 Jul 2009 17:30:52 +0300 (EEST)
Message-ID: <4A6F0B98.5000006@nomadiclab.com>
Date: Tue, 28 Jul 2009 17:30:48 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de>
In-Reply-To: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on hiccups draft
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2009 14:30:54 -0000

Hi,

Tobias Heer wrote:
> Some comments on the hiccups draft. In general I find the approach 
> interesting and worth pursuing. Below are some questions that mostly 
> focus on security:
>
> Conceptual comments and questions:
> ----------------------------------
>
> Section 3: Existence of the HMAC in the packet:
> The hiccups draft states that "[the payload is] protected by a 
> PAYLOAD_HMAC parameter". To me it is unclear how such protection can 
> possibly work. Since there is no previous handshake there are no keys 
> for use in the HMAC. Jan explained that the HMAC is merely used as a 
> way to create a digest over the packet for making the signature more 
> efficient. However, if it is only used for creating the digest, I 
> wonder why it is actually transmitted in the packet because without a 
> secret included in the packet, the digest can easily be calculated and 
> transmitting the digest in a packet seems to be a unnecessary waste of 
> space. Am I missing something here? It would be nice if the draft was 
> more precise about the nature and the use of the HMAC.
>

Yes, it is only a message authentication code of the packet and I know 
that you don't have to send it but it is less prone to errors if you do 
send it as the receiving end doesn't have to generate the actual 
parameter that was used to create MAC code in order to verify the signature.

> Section 4.3: Sending R1 if receiver suspects an attack:
> I guess that in this case, the receiver drops the data packet and its 
> content should be retransmitted (by a higher-layer mechanism?)? If 
> yes, this could be mentioned somewhere.

Yes, I will add that to the draft.

>
> Replay protection:
> The draft talks about a immediate replays of DATA packets in the 
> context of DoS attacks targeted at ACK signature generation. However, 
> it does not talk about replays after a longer time (e.g. to mess with 
> upper-layer state machines).
> How can hosts shelter against replays of valid but old hiccups 
> packets? The sequence number only works from the second packet on and 
> still complete sequences of HIP DATA packets can be replayed. Caching 
> packets or keeping state for every ever-received packet is probably 
> not feasible. Is there a solution? If not, this should also be stated 
> in the text and the security considerations.
>
> Various sections: DoS resistance:
> The draft briefly mentions that the protocol is susceptible to DoS 
> attacks. This statement is rather vague and only mentions the absence 
> of "half-stateless DoS protection nature of the base exchange" and 
> immediate replays. However, CPU targeted DoS attacks (verification of 
> PK-sigantures without a puzzle or working HMAC to shelter against 
> floods of HIP DATA packets - not necessarily replays) seem much more 
> realistic to me than state a space exhaustion attacks. Using HIP DATA 
> packet creates a computational asymmetry between the attacker and the 
> victim (receiver). This imbalance could be mentioned in a more 
> explicit way.

These are known attacks and that is why we have said in the security 
considerations section that host should consider carefully when to 
accept HIP data packets.


> Editorial comments:
> -------------------
>
> Section 4.3: "The host MAY responds" -> "The host MAY respond"

Thanks for the comments
Jan

v2.31.3 | Report a Bug | By Email | System Status