IETF Logo Mail Archive

Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)

Adam Roach <adam@nostrum.com> Wed, 22 January 2020 16:51 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF2CB120142; Wed, 22 Jan 2020 08:51:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.404
X-Spam-Level:
X-Spam-Status: No, score=-1.404 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.275, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id naQQIzzmjfzI; Wed, 22 Jan 2020 08:51:12 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CB6D12011B; Wed, 22 Jan 2020 08:51:12 -0800 (PST)
Received: from Zephyrus.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id 00MGp9OG052265 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Jan 2020 10:51:10 -0600 (CST) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1579711871; bh=STQU3exrUfgamtlj6cpOxUIV6goV2fuzH1MEnmBGM64=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=cNLgwJtUfAzG1ReHgZ7Lg0Jc5rZ0DzTjWYwlTtAzKWgVkshvYX7icZq+1drejYTES ZIC/Ye+JQYdgRwVBRdhccXt0m8lOZlEoNkK8bNRYAuF8Xy7o0WYC6Gyv9zWiY8nMLu V2OZ8gnwTy14yuiVvfzjGGFmq2RcyG3Wdu/shcz0=
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Zephyrus.local
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Warren Kumari <warren@kumari.net>
Cc: Erik Kline <ek@loon.com>, draft-ietf-intarea-provisioning-domains@ietf.org, Internet Area <int-area@ietf.org>, The IESG <iesg@ietf.org>, intarea-chairs <intarea-chairs@ietf.org>
References: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com> <CAHw9_iJM3+PGYJTOKR_RYpughCB5OOHfCjEQrt3wWn0L-Aguug@mail.gmail.com> <5D6F756D-16CB-430F-904C-7A5A21EE6AB9@apple.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <8a69214e-7be3-7012-56c0-d905ad705b98@nostrum.com>
Date: Wed, 22 Jan 2020 10:51:04 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <5D6F756D-16CB-430F-904C-7A5A21EE6AB9@apple.com>
Content-Type: multipart/alternative; boundary="------------C15F2CF91D3B266C9D716CE6"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/RxyZp9DP_yZ4esSXVp529pW-0rw>
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 16:51:14 -0000

On 1/22/20 09:52, Tommy Pauly wrote:
>
> There should certainly be a minimum time between fetches, which we can specify here.
>
> Beyond this, I think there's actually a relatively straightforward solution that's latent in the text but needs to be called out in the security considerations.
>
> The privacy considerations note that the Additional Information server should limit access to valid clients (and if it checks the client public address, this can prevent the NAT66 trick):
>
> Network operators SHOULD restrict access to PvD Additional
> Information to only expose it to hosts that are connected to the local
> network... [this] can be implemented by
> whitelisting access from the addresses and prefixes that the router provides
> for the PvD, which will match the prefixes contained in the PvD Additional
> Information.


To be clear, I'm far less concerned about DDoS attacks on PvD Additional 
Information servers [1]  than I am about attacks on general-purpose web 
servers.


> In addition, the client is told to "abandon" requests and consider that a PvD has no additional info if it receives HTTP 400 errors:
>
> If the HTTP status of the answer is greater than or equal to 400
> the host MUST abandon and consider that there is no additional PvD
> information.
>
> My thought is to specify that the server rejects clients with a 400-level if they are not indeed from its own PvD; and similarly to specify that clients don't retry and effectively blacklist the PvD Additional Info in this case, or if they don't get valid JSON back.
>

Durable blocklisting (e.g., blocks that survive reboots) of specific PvD 
IDs on 400-class errors certainly helps in some cases (non-PvD servers 
will likely return 401, 403, or 410 for PvD requests), but it falls down 
in the fairly common case of web servers pointed to by wildcard DNS 
records. For example, an attacker could flood github.io by first sending 
out a PvD id of "1.github.io" and then, milliseconds later, sending out 
a PvD id of "2.github.io", and so on, indefinitely.

So, a few additional thoughts to throw into the hopper -- all of which 
have some drawbacks -- would be to consider:

  * Instead of blocklisting individual PvD IDs, blocklist all hosts
    under a corresponding eTLD [2]
  * If a PvD Additional Information server returns a 400-class response,
    persistently block the sender of the RA (I don't know offhand how
    one might do this in a way that can't be evaded, though. Source IP
    address clearly won't work, and source MAC is probably too easy to
    change as well)
  * Add a mechanism to the RA interaction that requires at least as much
    work on the attacker's part (both in terms of network usage and
    computational complexity) as the HTTPS connections themselves, thus
    eliminating the amplification (think challenge/response
    proof-of-work approaches here).
  * Add a large, global (i.e., not per-PvD ID) throttle (on the order of
    minutes or hours) between acting on received PvD RAs
  * Require clients to check in DNS (or some other highly scalable
    database) that the PvD Additional Information server has opted in to
    being a PvD Additional Information server. As an example of one
    possible way to do this: for the PvD ID foo.example.com, clients
    would have to first check for the presence of a DNS TXT record
    _pvd.foo.example.com. (See RFC 8552 if you choose to do something
    like this).

/a

____
[1] The optional nature of the information they serve makes them 
non-critical
[2] I know you know what this is, but for the benefit of others, see 
https://en.wikipedia.org/wiki/Public_Suffix_List

v2.23.0 | Report a Bug | By Email