IETF Logo Mail Archive

Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)

Adam Roach <adam@nostrum.com> Wed, 22 January 2020 21:51 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DE8512008A; Wed, 22 Jan 2020 13:51:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.404
X-Spam-Level:
X-Spam-Status: No, score=-1.404 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.275, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LVmwaLbIyM1L; Wed, 22 Jan 2020 13:51:11 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7273A12001B; Wed, 22 Jan 2020 13:51:11 -0800 (PST)
Received: from Zephyrus.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id 00MLp7cN003307 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Jan 2020 15:51:08 -0600 (CST) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1579729869; bh=wUty26KkxRhDCQ1OTrutmFLd8qcig+gkXdtxoNVPQYk=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=g9MrVz85k9z6kXgz8HM63ks6hlqFMfMhydyH5e8VAdoFHc02RYobGlJzp5myMGp2g 0ZyAoc8HmrfcGL12YC0mDDu3dSQ/uPTcQTl2aOs+K9gwPGNmRiOn5W48zCyviWslAj UrCW+vwwWNy3y86roejynBlxa0S46DvHHzE/z9pA=
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Zephyrus.local
To: Tommy Pauly <tpauly@apple.com>
Cc: The IESG <iesg@ietf.org>, ek@loon.com, draft-ietf-intarea-provisioning-domains@ietf.org, int-area@ietf.org, intarea-chairs@ietf.org
References: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com> <6AFB6A09-59BF-411D-816F-914BAAF86A9B@apple.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <a1daf959-3331-e86d-2734-1f63a98d7625@nostrum.com>
Date: Wed, 22 Jan 2020 15:51:02 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <6AFB6A09-59BF-411D-816F-914BAAF86A9B@apple.com>
Content-Type: multipart/alternative; boundary="------------E18E3DAA62B3F4EE3CB278DB"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/44G9SxT3-1ImRxGLXuzGgkHiDhQ>
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 21:51:14 -0000

Thanks! The new text is good, but I don't think it's sufficient. I have 
two remaining concerns in particular:

  * The mitigation for wildcarded web hosts appears inadequate,
    especially given:
  * The mechanism clearly anticipates a scale where it can generate
    *single* short torrential burst sufficient to knock an average
    server over (hence the random delay mechanism for fetching data over
    HTTP). Given that fact, simple rate-limiting will never be enough if
    a single tight burst of traffic can be orchestrated.

The more I think about it, the more I believe the TXT-based opt-in 
solution I proposed in my earlier email is a reasonable approach to 
protect general-purpose web servers from PvD-client-based attacks.

One further comment inline below.

/a

On 1/22/20 15:17, Tommy Pauly wrote:
> Hi Adam,
>
> Thanks again for bringing this up! I've updated our text to include 
> mitigations for this attack. It can be found here 
> (https://github.com/IPv6-mPvD/mpvd-ietf-drafts/pull/25), but here's an 
> overview of the proposed text:
>
> In Section 4.1, I've added two new paragraphs. The first describes 
> time limits on fetching PvD info:
>
>     In addition to adding a random delay when fetching Additional
>     Information, hosts
>     MUST enforce a minimum time between requesting Additional Information
>     for a given PvD on the same network. This minimum time is RECOMMENDED
>     to be 10 seconds, in order to avoid hosts causing a
>     denial-of-service on the
>     PvD server. Hosts also MUST limit the number of requests that are
>     made to
>     different PvD Additional Information servers on the same network
>     within a short
>     period of time. A RECOMMENDED value is to issue no more than five PvD
>     Additional Information requests in total on a given network within
>     10 seconds.
>     For more discussion, see {{security}}.
>
> The second also makes clear the behavior to take in case of failure, 
> which will be the case for non-PvD web servers:
>
>
>     If the request for PvD Additional Information fails due to a TLS
>     error,
>     an HTTP error, or because the retrieved file does not contain
>     valid PvD JSON,
>     hosts MUST close any connection used to fetch the PvD Additional
>     Information,
>     and MUST NOT request the information for that PvD ID again for the
>     duration
>     of the local network attachment. For more discussion, see
>     {{security}}.
>
> In addition, I added text to the Security Considerations:
>
>     An attacker generating RAs on a local network can use the H-flag
>     and the PvD ID
>     to cause hosts on the network to make requests for PvD Additional
>     Information
>     from servers. This can become a denial-of-service attack if not
>     mitigated.
>

This doesn't really convey the amplification involved, which I think is 
highly relevant.


>     To mitigate
>     this attack, hosts MUST limit the rate at which they fetch a
>     particular PvD's
>     Additional Information, limit the rate at which they fetch any PvD
>     Additional
>     Information on a given local network, and stop making requests to
>     any PvD ID
>     that does not respond with valid JSON. Details are provided in
>     {{retr}}. This attack
>     can be targeted at generic web servers, in which case the host
>     behavior of stopping
>     requesting for any server that doesn't behave like a PvD
>     Additional Information server
>     is critical. For cases in which an attacker is pointing hosts at a
>     valid PvD Additional
>     Information server (but one that is not actually associated with
>     the local network),
>     the server SHOULD reject any requests that do not originate from
>     the expected IPv6
>     prefix as described in {{serverop}}.
>
> The existing text referenced here about server behavior is:
>
>     The server providing the JSON files SHOULD also check whether the
>     client address is contained by the prefixes listed in the additional
>     information, and SHOULD return a 403 response code if there is no
>     match.
>
> Let me know if this addresses your concerns!
>
> Best,
> Tommy
>
>> On Jan 21, 2020, at 9:26 PM, Adam Roach via Datatracker 
>> <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> Thanks to the authors and working group for their work on this 
>> document.  I
>> have one major concern about the ability for this mechanism to be 
>> abused to
>> form DDoS attacks, described below. Unfortunately, while I have 
>> identified the
>> attack, I don't have an easy solution to propose that mitigates it 
>> satisfactorily.
>>
>> I also have a handful of mostly editorial comments on the document.
>>
>> ---------------------------------------------------------------------------
>>
>> §6:
>>
>> I was expecting to see a discussion of the DDoS attack that may 
>> result from a
>> large network (or a rogue host on such a network) sending out a PvD ID
>> containing the hostname of a victim machine, and setting the "H" flag.
>>
>> Since the messages used to trigger these HTTP connections are extremely
>> lightweight, unauthenticated UDP messages, and the resulting HTTP 
>> connections
>> require the exchange of a significant number of packets in addition to a
>> number of cryptographic operations, this is a very high ratio 
>> amplification
>> attack, both in terms of network and CPU resources.
>>
>> Given that the delay setting comes from the network instead of being
>> independently computed by the host, such an attack could be honed to be
>> particularly devastating.  Although it isn't a complete mitigation, one
>> approach to consider would be moving computation of the delay upper 
>> bound to
>> the host, or specifying a minimum upper bound of several minutes (where a
>> smaller value will cause the host to use this minimum upper bound).
>>
>> Regardless of how this is ultimately handled, I think this is a 
>> pretty severe
>> risk that needs addressing in the document prior to publication.
>>
>

v2.23.0 | Report a Bug | By Email