IETF Logo Mail Archive

Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)

Tommy Pauly <tpauly@apple.com> Wed, 22 January 2020 23:51 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F34112004F; Wed, 22 Jan 2020 15:51:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTG2HYF8g6px; Wed, 22 Jan 2020 15:51:02 -0800 (PST)
Received: from nwk-aaemail-lapp01.apple.com (nwk-aaemail-lapp01.apple.com [17.151.62.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C6D212007A; Wed, 22 Jan 2020 15:51:02 -0800 (PST)
Received: from pps.filterd (nwk-aaemail-lapp01.apple.com [127.0.0.1]) by nwk-aaemail-lapp01.apple.com (8.16.0.27/8.16.0.27) with SMTP id 00MNW638005178; Wed, 22 Jan 2020 15:51:01 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=zLqH+OKuabox1qjhPkA6pEbKr4YR4wBiqLgpuTUDyj4=; b=QQ96/Jl91kOjJsfm4NtpFKc6s9ef4QQgha+uADTYU4cAOcQDdmnWU+dFyMwqQIQNo8Jk k9QZhB0cGdXPpnJLiVrqWNDt1GRCrnGpigwG9xxh0heAp8AnC+CGnbVLXwGqJX68DYFF In1EeOzmT/aSN+7X29WMWH+sQtBx60vJvzr6Jqo1mzvCmTC+HlXjwRzmcE3Y7YpckwLk 5XwjfufS46/H1wzt5ZYFpr9Qgs1QFZhYR0qDariIzc94QXw0vQEXg5mCOckPGmH7sVmF 9X+g2vnxVoATtGkEm2Ftruvwnd3378T8fiM2OUg9x7EMTpZCT+w5FooiOONHsf9gvOzT xQ==
Received: from ma1-mtap-s01.corp.apple.com (ma1-mtap-s01.corp.apple.com [17.40.76.5]) by nwk-aaemail-lapp01.apple.com with ESMTP id 2xm1u5nr19-7 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Jan 2020 15:51:01 -0800
Received: from nwk-mmpp-sz10.apple.com (nwk-mmpp-sz10.apple.com [17.128.115.122]) by ma1-mtap-s01.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0Q4J00KSS8WYCL00@ma1-mtap-s01.corp.apple.com>; Wed, 22 Jan 2020 15:51:00 -0800 (PST)
Received: from process_milters-daemon.nwk-mmpp-sz10.apple.com by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0Q4J001007S8JH00@nwk-mmpp-sz10.apple.com>; Wed, 22 Jan 2020 15:50:59 -0800 (PST)
X-Va-A:
X-Va-T-CD: f3fe944e6c679f2c3d972f4bd0691c8b
X-Va-E-CD: d60a7396dd592520d25d54063e76f07d
X-Va-R-CD: bd63ceb45b8fd24fe4c278576743557a
X-Va-CD: 0
X-Va-ID: 38a0edfb-20a7-4c5b-a959-b4e56309dfd9
X-V-A:
X-V-T-CD: f3fe944e6c679f2c3d972f4bd0691c8b
X-V-E-CD: d60a7396dd592520d25d54063e76f07d
X-V-R-CD: bd63ceb45b8fd24fe4c278576743557a
X-V-CD: 0
X-V-ID: d88b06b3-5550-4db9-8e26-2e4fc68c9c91
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2020-01-22_08:,, signatures=0
Received: from [17.230.170.238] by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0Q4J00F7H8WXD590@nwk-mmpp-sz10.apple.com>; Wed, 22 Jan 2020 15:50:58 -0800 (PST)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <6A108BAC-9748-4A93-9909-ACD87E8059B4@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_BAD779BA-DA98-4F86-AF55-F09C6A619F40"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
Date: Wed, 22 Jan 2020 15:50:54 -0800
In-reply-to: <3c3fb029-be06-02a2-1ac2-d23a3183d09a@nostrum.com>
Cc: The IESG <iesg@ietf.org>, ek@loon.com, draft-ietf-intarea-provisioning-domains@ietf.org, int-area@ietf.org, intarea-chairs@ietf.org
To: Adam Roach <adam@nostrum.com>
References: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com> <6AFB6A09-59BF-411D-816F-914BAAF86A9B@apple.com> <a1daf959-3331-e86d-2734-1f63a98d7625@nostrum.com> <BF4953C0-2502-4E08-B8B3-B55D04475416@apple.com> <3c3fb029-be06-02a2-1ac2-d23a3183d09a@nostrum.com>
X-Mailer: Apple Mail (2.3594.4.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-22_08:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/XHROCUF66zV0XQzWFcJJkzRnbGc>
X-Mailman-Approved-At: Wed, 29 Jan 2020 09:11:00 -0800
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 23:51:06 -0000

Hi Adam,

Thanks for the feedback! The updated paragraph in the retrieval section, to indicate a maximum failure count per attachment, is:

If the request for PvD Additional Information fails due to a TLS error,
an HTTP error, or because the retrieved file does not contain valid PvD JSON,
hosts MUST close any connection used to fetch the PvD Additional Information,
and MUST NOT request the information for that PvD ID again for the duration
of the local network attachment. If a host detects 10 or more such failures
to fetch PvD Additional Information, the local network is assumed to be
misconfigured or under attack, and the host MUST NOT make any further
requests for PvD Additional Information, belonging to any PvD ID, for
the duration of the local network attachment. For more discussion, see {{security}}.

I've also expanded the security considerations DoS section as follows:

An attacker generating RAs on a local network can use the H-flag and the PvD ID
to cause hosts on the network to make requests for PvD Additional Information
from servers. This can become a denial-of-service attack, in which an attacker
can amplify its attack by triggering TLS connections to arbitrary servers in response
to sending UDP packets containing RA messages. To mitigate this attack, hosts
MUST:

- limit the rate at which they fetch a particular PvD's Additional Information;
- limit the rate at which they fetch any PvD Additional Information on a given local
network;
- stop making requests for a PvD ID that does not respond with valid JSON;
- stop making requests for all PvD IDs once a certain number of failures is reached
on a particular network.

Details are provided in {{retr}}. This attack can be targeted at generic web servers,
in which case the host behavior of stopping requesting for any server that doesn't
behave like a PvD Additional Information server is critical. Limiting requests for
a specific PvD ID might not be sufficient if the attacker changes the PvD ID values
quickly, so hosts also need to stop requesting if they detect consistent failure when
on a network that is under attack. For cases in which an attacker is pointing hosts at
a valid PvD Additional Information server (but one that is not actually associated
with the local network), the server SHOULD reject any requests that do not originate
from the expected IPv6 prefix as described in {{serverop}}.

For the delay calculation, you make a good point that the larger values get pretty unnecessarily large! I'm a bit concerned about making the minimum fetch range be ~4 seconds, as that could end up being user visible for some valid scenarios. How about making the formula "2**(10 + Delay)":

The target time for the delay is calculated
as a random time between zero and 2**(10 + Delay) milliseconds,
where 'Delay' corresponds to the 4-bit unsigned integer in
the last received PvD Option.

This limits it to 1 second as what the RA can request for fastest frequency bound. This isn't incredibly fast, and with the overall limits for how many requests can be made by a client (which provide the larger portion of the DoS prevention, I'd argue), I think this strikes a good balance between usability and precaution. Thoughts?

I've updated the GitHub text for anyone wanting to see the full flow: https://github.com/IPv6-mPvD/mpvd-ietf-drafts/pull/25

Thanks,
Tommy

> On Jan 22, 2020, at 2:58 PM, Adam Roach <adam@nostrum.com> wrote:
> 
> Thanks for the explanation and the further proposed mitigation.
> 
> Allowing the RA to specify an arbitrarily small "Delay" parameter seems to still allow for a pretty big burst of traffic. If I read the proposed interpretation of the "Delay" bits correctly (2**(Delay * 2)), the current behavior is specified to allow a delay upper bound selected from one of the following (approximate) values:
> 
> 1 ms
> 4 ms
> 16 ms
> 64 ms
> 256 ms
> 1 second
> 4 seconds
> 16 seconds
> 1 minute
> 4 minutes
> 17 minutes
> 70 minutes
> 4 hours, 40 minutes
> 18 hours 38 minutes
> 3 days, 3 hours
> 1 week, 5 days
> 
> That's a pretty breathtaking scope, and it's hard to imagine that the first six or so are strictly needed, while all six are in a range that might overload a DDoS target. The final several seem a bit questionable as well, given normal operational timelines for network attachment. If the formula were revised to, e.g., "2**(Delay + 12)" instead of the current formula, you would have an enforced lower bound of roughly four seconds (which should be enough to blunt most DDoS attacks), and an upper bound of roughly 37 hours (which still seems excessive, although not quite as much as the previous upper bound).
> 
> Assuming the additional mitigation you propose below (10 maximum failures per attachment) as well as some means of achieving a lower-bound for "Delay" on the order of multiple seconds, I think I'm good clearing when a new version comes out.
> 
> Thanks for your work in thinking through practical solutions to this issue.
> 
> /a
> 
> On 1/22/20 16:22, Tommy Pauly wrote:
>> Hi Adam,
>> 
>> Thanks for taking a look! I'd like to avoid adding extra checks, such as looking for particular DNS records, to avoid deployment complexity and more opportunities for incomplete configuration. As such, I'd like to dig into this a bit further.
>> 
>> If the attacker in this case is a rogue actor on a local network sending out RAs on their local link, any given attacking host would be restricted in their scope to the devices they can reach. Of course, there could be coordination across many different local networks simultaneously, but that also requires more work on the side of the attacker.
>> 
>> The reason for the delay was to limit the impact on a relatively low-powered and unsophisticated local HTTPS server for serving PvD information, which may itself be on the router. I imagine that any large web server deployment would not have any issue with the load generated from a particular local network. Specifically, if we are limiting any given host to requesting only a few times within a 10 second window on the network at all, and the number of hosts on the network is bounded, the number of opportunities for the attacker to cause load on the servers is limited.
>> 
>> Another option, to avoid remaining concern about hitting wildcarded hosts, is to simply say that if the host keeps receiving PvD IDs with bogus (failing) servers, it disables all fetching of additional information for the duration of the network attachment. Networks that do implement better control over RAs (RA-guard, etc) presumably won't have this issue, and since the additional info is optional, it shouldn't cause any major connectivity issues.
>> 
>> If we require such a limit (you only get to fail to fetch 10 times total per attachment, say), does that mitigate things?
>> 
>> Thanks,
>> Tommy
>> 
>>> On Jan 22, 2020, at 1:51 PM, Adam Roach <adam@nostrum.com <mailto:adam@nostrum.com>> wrote:
>>> 
>>> Thanks! The new text is good, but I don't think it's sufficient. I have two remaining concerns in particular:
>>> The mitigation for wildcarded web hosts appears inadequate, especially given:
>>> The mechanism clearly anticipates a scale where it can generate *single* short torrential burst sufficient to knock an average server over (hence the random delay mechanism for fetching data over HTTP). Given that fact, simple rate-limiting will never be enough if a single tight burst of traffic can be orchestrated.
>>> The more I think about it, the more I believe the TXT-based opt-in solution I proposed in my earlier email is a reasonable approach to protect general-purpose web servers from PvD-client-based attacks.
>>> 
>>> One further comment inline below.
>>> 
>>> /a
>>> 
>>> On 1/22/20 15:17, Tommy Pauly wrote:
>>>> Hi Adam,
>>>> 
>>>> Thanks again for bringing this up! I've updated our text to include mitigations for this attack. It can be found here (https://github.com/IPv6-mPvD/mpvd-ietf-drafts/pull/25 <https://github.com/IPv6-mPvD/mpvd-ietf-drafts/pull/25>), but here's an overview of the proposed text:
>>>> 
>>>> In Section 4.1, I've added two new paragraphs. The first describes time limits on fetching PvD info:
>>>> 
>>>> In addition to adding a random delay when fetching Additional Information, hosts
>>>> MUST enforce a minimum time between requesting Additional Information
>>>> for a given PvD on the same network. This minimum time is RECOMMENDED
>>>> to be 10 seconds, in order to avoid hosts causing a denial-of-service on the
>>>> PvD server. Hosts also MUST limit the number of requests that are made to
>>>> different PvD Additional Information servers on the same network within a short
>>>> period of time. A RECOMMENDED value is to issue no more than five PvD
>>>> Additional Information requests in total on a given network within 10 seconds.
>>>> For more discussion, see {{security}}.
>>>> 
>>>> The second also makes clear the behavior to take in case of failure, which will be the case for non-PvD web servers:
>>>> 
>>>> If the request for PvD Additional Information fails due to a TLS error,
>>>> an HTTP error, or because the retrieved file does not contain valid PvD JSON,
>>>> hosts MUST close any connection used to fetch the PvD Additional Information,
>>>> and MUST NOT request the information for that PvD ID again for the duration
>>>> of the local network attachment. For more discussion, see {{security}}.
>>>> 
>>>> In addition, I added text to the Security Considerations:
>>>> 
>>>> An attacker generating RAs on a local network can use the H-flag and the PvD ID
>>>> to cause hosts on the network to make requests for PvD Additional Information
>>>> from servers. This can become a denial-of-service attack if not mitigated.
>>> 
>>> This doesn't really convey the amplification involved, which I think is highly relevant.
>>> 
>>> 
>>> 
>>>> To mitigate
>>>> this attack, hosts MUST limit the rate at which they fetch a particular PvD's
>>>> Additional Information, limit the rate at which they fetch any PvD Additional
>>>> Information on a given local network, and stop making requests to any PvD ID
>>>> that does not respond with valid JSON. Details are provided in {{retr}}. This attack
>>>> can be targeted at generic web servers, in which case the host behavior of stopping
>>>> requesting for any server that doesn't behave like a PvD Additional Information server
>>>> is critical. For cases in which an attacker is pointing hosts at a valid PvD Additional
>>>> Information server (but one that is not actually associated with the local network),
>>>> the server SHOULD reject any requests that do not originate from the expected IPv6
>>>> prefix as described in {{serverop}}.
>>>> 
>>>> The existing text referenced here about server behavior is:
>>>> 
>>>> The server providing the JSON files SHOULD also check whether the
>>>> client address is contained by the prefixes listed in the additional
>>>> information, and SHOULD return a 403 response code if there is no
>>>> match.
>>>> 
>>>> Let me know if this addresses your concerns!
>>>> 
>>>> Best,
>>>> Tommy
>>>> 
>>>>> On Jan 21, 2020, at 9:26 PM, Adam Roach via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
>>>>> 
>>>>> ----------------------------------------------------------------------
>>>>> DISCUSS:
>>>>> ----------------------------------------------------------------------
>>>>> 
>>>>> Thanks to the authors and working group for their work on this document.  I
>>>>> have one major concern about the ability for this mechanism to be abused to
>>>>> form DDoS attacks, described below. Unfortunately, while I have identified the
>>>>> attack, I don't have an easy solution to propose that mitigates it satisfactorily.
>>>>> 
>>>>> I also have a handful of mostly editorial comments on the document.
>>>>> 
>>>>> ---------------------------------------------------------------------------
>>>>> 
>>>>> §6:
>>>>> 
>>>>> I was expecting to see a discussion of the DDoS attack that may result from a
>>>>> large network (or a rogue host on such a network) sending out a PvD ID
>>>>> containing the hostname of a victim machine, and setting the "H" flag.
>>>>> 
>>>>> Since the messages used to trigger these HTTP connections are extremely
>>>>> lightweight, unauthenticated UDP messages, and the resulting HTTP connections
>>>>> require the exchange of a significant number of packets in addition to a
>>>>> number of cryptographic operations, this is a very high ratio amplification
>>>>> attack, both in terms of network and CPU resources.
>>>>> 
>>>>> Given that the delay setting comes from the network instead of being
>>>>> independently computed by the host, such an attack could be honed to be
>>>>> particularly devastating.  Although it isn't a complete mitigation, one
>>>>> approach to consider would be moving computation of the delay upper bound to
>>>>> the host, or specifying a minimum upper bound of several minutes (where a
>>>>> smaller value will cause the host to use this minimum upper bound).
>>>>> 
>>>>> Regardless of how this is ultimately handled, I think this is a pretty severe
>>>>> risk that needs addressing in the document prior to publication.
>>>>> 
>>>> 
>>> 
>> 
>

v2.23.0 | Report a Bug | By Email