Re: [Hipsec] Improving the resiliency of HIP against packet loss

Robert Moskowitz <rgm@htt-consult.com> Fri, 21 May 2010 16:50 UTC

Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A1B528C243 for <hipsec@core3.amsl.com>; Fri, 21 May 2010 09:50:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[AWL=-0.797, BAYES_50=0.001, J_CHICKENPOX_32=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mhYu7ascgfIO for <hipsec@core3.amsl.com>; Fri, 21 May 2010 09:50:05 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [208.83.67.149]) by core3.amsl.com (Postfix) with ESMTP id 62EB43A8315 for <hipsec@ietf.org>; Fri, 21 May 2010 07:20:13 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 949BC68C51 for <hipsec@ietf.org>; Fri, 21 May 2010 14:13:21 +0000 (UTC)
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SJ4SsAePkhTb for <hipsec@ietf.org>; Fri, 21 May 2010 10:13:12 -0400 (EDT)
Received: from nc2400.htt-consult.com (h155.home.htt [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 6E68468B65 for <hipsec@ietf.org>; Fri, 21 May 2010 10:13:12 -0400 (EDT)
Message-ID: <4BF69688.9060002@htt-consult.com>
Date: Fri, 21 May 2010 10:19:52 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100330 Fedora/3.0.4-1.fc12 Thunderbird/3.0.4
MIME-Version: 1.0
To: "hipsec@ietf.org" <hipsec@ietf.org>
References: <4BF61389.1090509@htt-consult.com>
In-Reply-To: <4BF61389.1090509@htt-consult.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [Hipsec] Improving the resiliency of HIP against packet loss
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2010 16:50:06 -0000

On 05/21/2010 01:00 AM, Robert Moskowitz wrote:
> Tobias pointed out to me that currently HIP "is rather slow in cases 
> of packet loss".
>
> What might we change to address this?

I think I have worked out a proposal. I will include it in DEX, but only 
BEX if there is a humm for it. See below.

>
> Consider standard Internet packet lose and separately high packet lose 
> over lousy (eg 802.15.4) networks.
>
> I should point out that the design for IEEE 11073 is that it will take 
> a number of tries to get the data from a sensor to a controller. This 
> protocol just keeps on polling until it gets a response.

I sends I1 every n msec until it gets an R1 or ICMP error or some sec 
incase it is sending out to nothing.
R sends R1 every n msec until it gets an I2 or ICMP error or some sec 
incase it is sending out to nothing.
I sends I2 every n msec until it gets an R2 or some sec incase R 
disappeared.
R sends R2 every n msec until it gets an ESP payload using the SA or 
some sec incase I disappeared..

A very simple send/send/send, oh, ACK received.

Now there is an attack here. Malice can send an I1 to R with Q's HIT and 
IP addr. This then becomes a potential attack on Q's battery. But it is 
one of a lot of attacks where device M sends packets to sensor Q to wake 
it up and use up its battery.

If M sends an I1 to R with Q's HIT&IP, R will start sending R1's until 
either Q replies or R times out. Q can reply with an ICMP error (hey, I 
don't do HIP) or something else. Since Q never sent an I1, what is the 
state machine at? Does Q already have an SA with R and what does 
receiving an R1 without ever sending an I1? I think the R1 is ignored in 
all cases. Eventually R times out and stops sending R1s. Just one more 
battery draining attack.