IETF Logo Mail Archive

Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)

Ted Lemon <mellon@fugue.com> Wed, 22 January 2020 16:53 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE2CE120142 for <int-area@ietfa.amsl.com>; Wed, 22 Jan 2020 08:53:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 52yKxmdgEM4a for <int-area@ietfa.amsl.com>; Wed, 22 Jan 2020 08:53:25 -0800 (PST)
Received: from mail-qk1-x741.google.com (mail-qk1-x741.google.com [IPv6:2607:f8b0:4864:20::741]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B21F412011B for <int-area@ietf.org>; Wed, 22 Jan 2020 08:53:24 -0800 (PST)
Received: by mail-qk1-x741.google.com with SMTP id p5so348545qki.8 for <int-area@ietf.org>; Wed, 22 Jan 2020 08:53:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=HcZT6TXp+bDIuJ/FTJSMum2zGvob50qkYee9ZnXykjM=; b=mhgrC5HLFLpAoTyDOnL/rMLowAZt6wdLgp5nffviml1UohN+BesOhxBr5MPOVAvtSE ongNA8sRjascgVZZnkQq5ZJ7daP40UW9rNCFWTGKx8xYScfPeMEXHUt7/rifPuLfmclB X/qsVXW0BqFxCBQI5fOrQOdYcHKwchc/9JAZ93Bg4atNJ3udi4tOZ9ZjQmyBAAscYSkH VaR9rxLluFf9OjoK+HrOo7XOhqLYBZznnW0RfGHnpKyPtRP0uB61CAZD/21yq76JQ1nK iUtb3uKOLt0La+7o/5LOyqQ0GyibQD5z6gepYtGhF7X9zykI/Odb2Q0eGBIxMF7sBnY2 XA0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=HcZT6TXp+bDIuJ/FTJSMum2zGvob50qkYee9ZnXykjM=; b=bXleKbnV5/yzs9E/jqCZlqFPdPVojXpX++45oYNTRLXgkOf5cuGP8PRUBmcHWKYpW9 QnUQTyQ93lBNuT4GF4VRUDrtpr6uXEwt9xcMrnOHp6m1DrnivlDpS4aJiIh7ZnR4u6wI 8gBFu2g3xvHog8b4HshR8kQdlDDzWIJjlQeDo+pKT4np3dwqddzNBT3r5tR2+MfnNbDq sohbiG97AisCFSzSUgMMe91TyegPswBfuscHKWlv3YHwtlT2W7tpEpnbIWTsrRb3eRwA Jq9kYgMMN2Rjn5VAQDRgfeD5IA+goat4R1YLWcTLAzIF4CdnZ76gMXN6MYo8LZdIupPJ r/6w==
X-Gm-Message-State: APjAAAV8IJBliuueKdD+yieQr519Kk38PZq6YsriibMoqTah4TlaRSNi 9r6d1kubaqKKbvwXwo7ZRlEmqw==
X-Google-Smtp-Source: APXvYqw1QZoQyQ+1prEoIdFwPwMEA5s0E7wcKMlVyW7AEPHHiLkekHgfmMTBWUI93PTrFs1fTWAAlQ==
X-Received: by 2002:a37:bc04:: with SMTP id m4mr11259069qkf.224.1579712003669; Wed, 22 Jan 2020 08:53:23 -0800 (PST)
Received: from ?IPv6:2601:18b:300:36ee:f530:d7fe:78b4:aa4d? ([2601:18b:300:36ee:f530:d7fe:78b4:aa4d]) by smtp.gmail.com with ESMTPSA id a200sm2831190qkc.2.2020.01.22.08.53.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Jan 2020 08:53:23 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <17CA50CE-4D1F-4DC4-BCE7-87DDF11E2E32@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_371D54B4-AD47-4175-9908-2BC2C44AF8B0"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.4\))
Date: Wed, 22 Jan 2020 11:53:21 -0500
In-Reply-To: <C6FF8855-D633-43E0-BAED-399EBB9AED3B@apple.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, draft-ietf-intarea-provisioning-domains@ietf.org, Adam Roach <adam@nostrum.com>, Erik Kline <ek@loon.com>, The IESG <iesg@ietf.org>, Internet Area <int-area@ietf.org>, intarea-chairs <intarea-chairs@ietf.org>
To: Tommy Pauly <tpauly@apple.com>
References: <5D6F756D-16CB-430F-904C-7A5A21EE6AB9@apple.com> <9856A903-AFBF-4FEA-9ABD-BE3A810C20EA@fugue.com> <C6FF8855-D633-43E0-BAED-399EBB9AED3B@apple.com>
X-Mailer: Apple Mail (2.3608.80.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/KTzTlodz7w8_I8vdRxHk_T_FREc>
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 16:53:28 -0000

On Jan 22, 2020, at 11:44 AM, Tommy Pauly <tpauly@apple.com> wrote:
> The mitigations fall into two general categories: (1) ensuring that clients can be less easily tricked into being complicit in the attack; (2) and having the HTTP server protect itself.

For a DDoS attack, if you get to (2) you are already somewhat dead.

> The client adding a limit to its fetching frequency addresses part of (1). For the rest, there are two cases: either the host being pointed to is indeed a PvD Additional Information server (but not one working with the attacker), or else is some other server that has no idea about PvDs. If the case is the latter, trying to request the well-known PvD information won't work and will generate an error. That will let clients know that something's up and that they should stop trying to frequently fetch this file. If the case is the former, we can give advice to PvD Additional Information server to make sure it generates errors in cases that seem fishy. The client already validates that its RA prefixes match the additional info; and if the server validates that the client is coming from the expected prefix it manages, it can detect cases in which the attacker is trying to point load at it from other networks.
> 
> This validation isn't *exactly* the same as requiring that the HTTP server is local, but it's similar, and gets the same benefits of limiting the scope. The main thing it allows is the HTTP server to be a bit behind the local network, but still be aware of the expected prefixes, etc.

If the client has to contact the server to see that it’s an invalid server, then you have a DDoS attack.   I think if you do what you suggest, then the scope of the DDoS attack will be limited, to the extent that the server can at least say “you got the wrong number” and the client can then cache the info in the RA as “bogus” for some period of time, so that the DDoS is relatively brief.  But the server still needs to be able to answer in order for this to work.

It would be nice if there were a way for the client to validate the server information before contacting it.   I’m not convinced there’s a way to do that, but maybe some kind of DNSSEC info that has to be fetched first?   Of course, that could also be used as an attack vector, since the RA can include an RDNSS option.

Adam, do you think that randomizing the client connect time is enough to mitigate a Mira-style attack, when accompanied with the other mitigations Tommy has suggested?

v2.23.0 | Report a Bug | By Email