Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
Tommy Pauly <tpauly@apple.com> Wed, 22 January 2020 16:44 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E49A9120124; Wed, 22 Jan 2020 08:44:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3ou6zAZfrdW; Wed, 22 Jan 2020 08:44:14 -0800 (PST)
Received: from nwk-aaemail-lapp03.apple.com (nwk-aaemail-lapp03.apple.com [17.151.62.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AA00120169; Wed, 22 Jan 2020 08:44:14 -0800 (PST)
Received: from pps.filterd (nwk-aaemail-lapp03.apple.com [127.0.0.1]) by nwk-aaemail-lapp03.apple.com (8.16.0.27/8.16.0.27) with SMTP id 00MGgPSU023522; Wed, 22 Jan 2020 08:44:11 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=9kSFQhnDmYEgQ5mNlwfKSnbYIPl/YVL6E/7OwUi6Mv4=; b=fquWy2Oq7/dG/jn/sirTFyD21B55NaPFkJOsfzPaNCTba2UV5OZ9aUML1wpWC/UFZTU1 Mo0xkS2I07kKtzF4ApTyIFITc7nqYQJarRt4Y016b4LQzAzMk+/ra1/L1hR3K8l2bqz2 K9yGv/sgIXzalhGWJfo1jhIl6RVB1FhKYvg+IdP4R0ck7EL1LBEudUvGlWOA97BOUh6a 9FFvFv+XID+rVc16vzwNefrAtGdVgbLgtYd6K5zggvSl8Qp+boIHOJWCrZSRN02EiEER FqgiFpmd8mO4Tf2qJA9Uao2MCDRhlpoqYYuPCj4cH9YzKjlLE+T03gcezxWKOYBLguFw ew==
Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) by nwk-aaemail-lapp03.apple.com with ESMTP id 2xmk4pdfpf-5 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Jan 2020 08:44:11 -0800
Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0Q4I00DHXP5L1P20@ma1-mtap-s02.corp.apple.com>; Wed, 22 Jan 2020 08:44:11 -0800 (PST)
Received: from process_milters-daemon.nwk-mmpp-sz12.apple.com by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0Q4I00K00P1O1000@nwk-mmpp-sz12.apple.com>; Wed, 22 Jan 2020 08:44:10 -0800 (PST)
X-Va-A:
X-Va-T-CD: a17ff691283ebf009da5140641b3832f
X-Va-E-CD: d60a7396dd592520d25d54063e76f07d
X-Va-R-CD: bd63ceb45b8fd24fe4c278576743557a
X-Va-CD: 0
X-Va-ID: 6848e3e8-ced7-4e88-877f-a0b12d5f00a5
X-V-A:
X-V-T-CD: a17ff691283ebf009da5140641b3832f
X-V-E-CD: d60a7396dd592520d25d54063e76f07d
X-V-R-CD: bd63ceb45b8fd24fe4c278576743557a
X-V-CD: 0
X-V-ID: ffef25e4-d25c-4d7e-a109-79921cb089ed
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2020-01-22_07:,, signatures=0
Received: from [17.230.170.238] by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0Q4I00M2RP5L9000@nwk-mmpp-sz12.apple.com>; Wed, 22 Jan 2020 08:44:10 -0800 (PST)
Sender: tpauly@apple.com
Content-type: text/plain; charset="utf-8"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <9856A903-AFBF-4FEA-9ABD-BE3A810C20EA@fugue.com>
Date: Wed, 22 Jan 2020 08:44:07 -0800
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, draft-ietf-intarea-provisioning-domains@ietf.org, Adam Roach <adam@nostrum.com>, Erik Kline <ek@loon.com>, The IESG <iesg@ietf.org>, Internet Area <int-area@ietf.org>, intarea-chairs <intarea-chairs@ietf.org>
Content-transfer-encoding: quoted-printable
Message-id: <C6FF8855-D633-43E0-BAED-399EBB9AED3B@apple.com>
References: <5D6F756D-16CB-430F-904C-7A5A21EE6AB9@apple.com> <9856A903-AFBF-4FEA-9ABD-BE3A810C20EA@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3594.4.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-22_07:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/xM4_1R2JVNYxbvKsan0fyF4q4Pc>
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 16:44:16 -0000
As I understand the described attack, we are concerned with a case in which: - A rogue RA is sent by the attacker to one or more clients - The clients are being used to amplify by sending HTTP requests to a victim server - The HTTP server receives a high load of attack requests from unwilling clients The mitigations fall into two general categories: (1) ensuring that clients can be less easily tricked into being complicit in the attack; (2) and having the HTTP server protect itself. The client adding a limit to its fetching frequency addresses part of (1). For the rest, there are two cases: either the host being pointed to is indeed a PvD Additional Information server (but not one working with the attacker), or else is some other server that has no idea about PvDs. If the case is the latter, trying to request the well-known PvD information won't work and will generate an error. That will let clients know that something's up and that they should stop trying to frequently fetch this file. If the case is the former, we can give advice to PvD Additional Information server to make sure it generates errors in cases that seem fishy. The client already validates that its RA prefixes match the additional info; and if the server validates that the client is coming from the expected prefix it manages, it can detect cases in which the attacker is trying to point load at it from other networks. This validation isn't *exactly* the same as requiring that the HTTP server is local, but it's similar, and gets the same benefits of limiting the scope. The main thing it allows is the HTTP server to be a bit behind the local network, but still be aware of the expected prefixes, etc. Thanks, Tommy > On Jan 22, 2020, at 8:07 AM, Ted Lemon <mellon@fugue.com> wrote: > > On Jan 22, 2020, at 10:53, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote: >> Network operators SHOULD restrict access to PvD Additional >> Information to only expose it to hosts that are connected to the local >> network... [this] can be implemented by >> whitelisting access from the addresses and prefixes that the router provides >> for the PvD, which will match the prefixes contained in the PvD Additional >> Information. > > But does this help with the problem Adam is talking about? The attack is coming from the RA. A rogue RA will not be in control of the network operator. So the mitigation has to be on the recipient of the RA, I think. > > So your suggestion to abandon the query of the host gets a bad answer sounds okay-ish, but probably we could do better by randomizing the query time on the client and the like. > > Beyond that, is there any way to limit the scope of the query so that the attack isn’t useful? My first instinct about this is that the attack isn’t very useful because it requires an attacker on the local net, but we’ve seen the power of the Mira attack; this would be a significant increase in these attack’s effectiveness. > > Requiring the http listener to be local could make this pretty useless as an attack. It’s inconvenient, but probably doable. Is there a reason not to do it? > _______________________________________________ > Int-area mailing list > Int-area@ietf.org > https://www.ietf.org/mailman/listinfo/int-area
- [Int-area] Adam Roach's Discuss on draft-ietf-int… Adam Roach via Datatracker
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Warren Kumari
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Suresh Krishnan
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Eric Vyncke (evyncke)
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly