Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
Adam Roach <adam@nostrum.com> Wed, 22 January 2020 21:51 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DE8512008A; Wed, 22 Jan 2020 13:51:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.404
X-Spam-Level:
X-Spam-Status: No, score=-1.404 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.275, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LVmwaLbIyM1L; Wed, 22 Jan 2020 13:51:11 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7273A12001B; Wed, 22 Jan 2020 13:51:11 -0800 (PST)
Received: from Zephyrus.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id 00MLp7cN003307 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Jan 2020 15:51:08 -0600 (CST) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1579729869; bh=wUty26KkxRhDCQ1OTrutmFLd8qcig+gkXdtxoNVPQYk=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=g9MrVz85k9z6kXgz8HM63ks6hlqFMfMhydyH5e8VAdoFHc02RYobGlJzp5myMGp2g 0ZyAoc8HmrfcGL12YC0mDDu3dSQ/uPTcQTl2aOs+K9gwPGNmRiOn5W48zCyviWslAj UrCW+vwwWNy3y86roejynBlxa0S46DvHHzE/z9pA=
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Zephyrus.local
To: Tommy Pauly <tpauly@apple.com>
Cc: The IESG <iesg@ietf.org>, ek@loon.com, draft-ietf-intarea-provisioning-domains@ietf.org, int-area@ietf.org, intarea-chairs@ietf.org
References: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com> <6AFB6A09-59BF-411D-816F-914BAAF86A9B@apple.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <a1daf959-3331-e86d-2734-1f63a98d7625@nostrum.com>
Date: Wed, 22 Jan 2020 15:51:02 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <6AFB6A09-59BF-411D-816F-914BAAF86A9B@apple.com>
Content-Type: multipart/alternative; boundary="------------E18E3DAA62B3F4EE3CB278DB"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/44G9SxT3-1ImRxGLXuzGgkHiDhQ>
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 21:51:14 -0000
Thanks! The new text is good, but I don't think it's sufficient. I have two remaining concerns in particular: * The mitigation for wildcarded web hosts appears inadequate, especially given: * The mechanism clearly anticipates a scale where it can generate *single* short torrential burst sufficient to knock an average server over (hence the random delay mechanism for fetching data over HTTP). Given that fact, simple rate-limiting will never be enough if a single tight burst of traffic can be orchestrated. The more I think about it, the more I believe the TXT-based opt-in solution I proposed in my earlier email is a reasonable approach to protect general-purpose web servers from PvD-client-based attacks. One further comment inline below. /a On 1/22/20 15:17, Tommy Pauly wrote: > Hi Adam, > > Thanks again for bringing this up! I've updated our text to include > mitigations for this attack. It can be found here > (https://github.com/IPv6-mPvD/mpvd-ietf-drafts/pull/25), but here's an > overview of the proposed text: > > In Section 4.1, I've added two new paragraphs. The first describes > time limits on fetching PvD info: > > In addition to adding a random delay when fetching Additional > Information, hosts > MUST enforce a minimum time between requesting Additional Information > for a given PvD on the same network. This minimum time is RECOMMENDED > to be 10 seconds, in order to avoid hosts causing a > denial-of-service on the > PvD server. Hosts also MUST limit the number of requests that are > made to > different PvD Additional Information servers on the same network > within a short > period of time. A RECOMMENDED value is to issue no more than five PvD > Additional Information requests in total on a given network within > 10 seconds. > For more discussion, see {{security}}. > > The second also makes clear the behavior to take in case of failure, > which will be the case for non-PvD web servers: > > > If the request for PvD Additional Information fails due to a TLS > error, > an HTTP error, or because the retrieved file does not contain > valid PvD JSON, > hosts MUST close any connection used to fetch the PvD Additional > Information, > and MUST NOT request the information for that PvD ID again for the > duration > of the local network attachment. For more discussion, see > {{security}}. > > In addition, I added text to the Security Considerations: > > An attacker generating RAs on a local network can use the H-flag > and the PvD ID > to cause hosts on the network to make requests for PvD Additional > Information > from servers. This can become a denial-of-service attack if not > mitigated. > This doesn't really convey the amplification involved, which I think is highly relevant. > To mitigate > this attack, hosts MUST limit the rate at which they fetch a > particular PvD's > Additional Information, limit the rate at which they fetch any PvD > Additional > Information on a given local network, and stop making requests to > any PvD ID > that does not respond with valid JSON. Details are provided in > {{retr}}. This attack > can be targeted at generic web servers, in which case the host > behavior of stopping > requesting for any server that doesn't behave like a PvD > Additional Information server > is critical. For cases in which an attacker is pointing hosts at a > valid PvD Additional > Information server (but one that is not actually associated with > the local network), > the server SHOULD reject any requests that do not originate from > the expected IPv6 > prefix as described in {{serverop}}. > > The existing text referenced here about server behavior is: > > The server providing the JSON files SHOULD also check whether the > client address is contained by the prefixes listed in the additional > information, and SHOULD return a 403 response code if there is no > match. > > Let me know if this addresses your concerns! > > Best, > Tommy > >> On Jan 21, 2020, at 9:26 PM, Adam Roach via Datatracker >> <noreply@ietf.org <mailto:noreply@ietf.org>> wrote: >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> Thanks to the authors and working group for their work on this >> document. I >> have one major concern about the ability for this mechanism to be >> abused to >> form DDoS attacks, described below. Unfortunately, while I have >> identified the >> attack, I don't have an easy solution to propose that mitigates it >> satisfactorily. >> >> I also have a handful of mostly editorial comments on the document. >> >> --------------------------------------------------------------------------- >> >> §6: >> >> I was expecting to see a discussion of the DDoS attack that may >> result from a >> large network (or a rogue host on such a network) sending out a PvD ID >> containing the hostname of a victim machine, and setting the "H" flag. >> >> Since the messages used to trigger these HTTP connections are extremely >> lightweight, unauthenticated UDP messages, and the resulting HTTP >> connections >> require the exchange of a significant number of packets in addition to a >> number of cryptographic operations, this is a very high ratio >> amplification >> attack, both in terms of network and CPU resources. >> >> Given that the delay setting comes from the network instead of being >> independently computed by the host, such an attack could be honed to be >> particularly devastating. Although it isn't a complete mitigation, one >> approach to consider would be moving computation of the delay upper >> bound to >> the host, or specifying a minimum upper bound of several minutes (where a >> smaller value will cause the host to use this minimum upper bound). >> >> Regardless of how this is ultimately handled, I think this is a >> pretty severe >> risk that needs addressing in the document prior to publication. >> >
- [Int-area] Adam Roach's Discuss on draft-ietf-int… Adam Roach via Datatracker
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Warren Kumari
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Suresh Krishnan
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Eric Vyncke (evyncke)
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly