Re: [ippm] Eric Rescorla's No Objection on draft-ietf-ippm-6man-pdm-option-09: (with COMMENT)
Nalini J Elkins <nalini.elkins@insidethestack.com> Mon, 22 May 2017 15:41 UTC
Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85BBB12EAFF for <ippm@ietfa.amsl.com>; Mon, 22 May 2017 08:41:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.111
X-Spam-Level: ***
X-Spam-Status: No, score=3.111 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FORGED_MUA_MOZILLA=2.309, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ABTOYFj_pzMw for <ippm@ietfa.amsl.com>; Mon, 22 May 2017 08:41:16 -0700 (PDT)
Received: from sonic304-31.consmr.mail.gq1.yahoo.com (sonic304-31.consmr.mail.gq1.yahoo.com [98.137.68.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA14F1293D9 for <ippm@ietf.org>; Mon, 22 May 2017 08:41:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1495467676; bh=1k5IPL9AtEXHlGZArXKRixGQjuMAyGKkQdxAWBFYtlw=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=CISVf7dCJ6JM76kJK0VK2vR6wEjQfNqPImOqT6AcbbCaQ/WjSBIJ+I3H8t2k3mwIBeCv+aVpTpBCnbOp7rBI7juIFhAb7UDqI5BVApMyM3KP6dUUJSTSiUoBnsbHWluS2jsyB2+WP75lyCDX7NyT2n2SusDzvL4G/QlO8YRfPLcKENY7xLfN3n51cNNIhWKcwRCerEoCOhmxj8dvRZo3skhEDRh5osa4nHKu689/HF4A/hQ0OGNaDRiYHd5veNdc6B9o6ZMRpzJ6MdP2+sLDVvIqoAHxsGWm5QOVeu62fwwOB6/uMcC3PwMNRvZJ7WyQxM10Hb90H4dMlrQ9uBiJ8w==
X-YMail-OSG: RwHbZOQVM1lfZt1jLdhVRIxshvd9EMmPpIputZ78uiiaYedIueqNVwTZ.F3sk5v .Yi_CFucLmrXfMxptOEFbZaLBbBM9K5cEC4ZfR.ZiszSYIF_QSAyKb00y0rSoyw.K37sOlrOPl0R DQEm913JaRyQISHc6iEtMwL3hQff1tpoQgS0z9eZnYLvcBsOX4UG5XpS1pKqSHO9EDSX1gvHbBND EPgHo1KPhbkPXO7JIFAfgw0DH_RTm.nVfAl4tY4vgNq4_Ae43vhC36C7BHnqwhG6jY7RfslWQrkr EZ4SB_t5RCOdqZNpLdXi6.ebKgyTL.3JR2Pjm12m.ZsihfbIrZ_VHw8SK6Fr3_m9XCs3uIlhWBkP QR4LzkJg1_PBpzArQP8iMfwB3i7Fgtsb23hlAomnSr0bu3Lz_Wsjzj14ZdAHchkGVM5LxPviawGv UZqdpjdbyvKOWbaGip64f0wQ94KrBl__WN2FbiBXNPg3HkeHAfmpDqCrYcFsXcXntFC4sn4sClPW VbsdVpuQhg1.aFhtX20CBXFNLbhUZarZbmdf0KoRuVCjpz34GQocBRd2pcVsPaGf5qdR8LJOP1fZ ns5hPM7wxHOWro2YAG99.w52Kg0bcdsYilW.8mB0LmG9Hwl9tDB4rhyiSnQ--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.gq1.yahoo.com with HTTP; Mon, 22 May 2017 15:41:16 +0000
Date: Mon, 22 May 2017 15:40:58 +0000
From: Nalini J Elkins <nalini.elkins@insidethestack.com>
Reply-To: Nalini J Elkins <nalini.elkins@insidethestack.com>
To: Eric Rescorla <ekr@rtfm.com>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-ippm-6man-pdm-option@ietf.org" <draft-ietf-ippm-6man-pdm-option@ietf.org>, Al Morton <acmorton@att.com>, Bill Cerveny <ietf@wjcerveny.com>, "ippm-chairs@ietf.org" <ippm-chairs@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>
Message-ID: <1119101915.4268397.1495467658355@mail.yahoo.com>
In-Reply-To: <149195586781.15796.5030067129991289423.idtracker@ietfa.amsl.com>
References: <149195586781.15796.5030067129991289423.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_4268396_425439693.1495467658348"
X-Mailer: WebService/1.1.9679 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/bSuBskwt1-nRiFpiWSXjeMbYEjg>
Subject: Re: [ippm] Eric Rescorla's No Objection on draft-ietf-ippm-6man-pdm-option-09: (with COMMENT)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2017 15:41:19 -0000
>Eric Rescorla has entered the following ballot position for draft-ietf-ippm-6man-pdm-option-09: No Objection >Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >for more information about IESG DISCUSS and COMMENT positions. >The document, along with other ballot positions, can be found here: >https://datatracker.ietf.org/doc/draft-ietf-ippm-6man-pdm-option/ >---------------------------------------------------------------------- >COMMENT: >---------------------------------------------------------------------- >I think the description of timing attacks could use a bit more work. >Specifically: >- I am assuming that you should discard rather than using as timestamp > sources packets which fail ESP. This shouldn't be an issue for > transport mode because you process ESP first, but in tunnel mode > you allow either order, so it's a potential issue. I believe some of this is addressed in section 4.3. I can add that thedestination host may also wish to look at this behavior and to discard such packets. OLD------ 4.3 PDM as a Covert Channel PDM provides a set of fields in the packet which could be used to leak data. But, there is no real reason to suspect that PDM would be chosen rather than another part of the payload or another Extension Header. A firewall or another device could sanity check the fields within the PDM but randomly assigned sequence numbers and delta times might be expected to vary widely. The biggest problem though is how an attacker would get access to PDM in the first place to leak data. The attacker would have to either compromise the end host or have Man in the Middle (MitM). It is possible that either one could change the fields. But, then the other end host would get sequence numbers and deltas that don't make any sense. It is conceivable that someone could compromise an end host and make it start sending packets with PDM without the knowledge of the host. But, again, the bigger problem is the compromise of the end host. Once that is done, the attacker probably has better ways to leak data. Having said that, if a PDM aware middle box or an implementation detects some number of "nonsensical" sequence numbers it could take action to block (or alert on) this traffic. New------ 4.3 PDM as a Covert Channel PDM provides a set of fields in the packet which could be used to leak data. But, there is no real reason to suspect that PDM would be chosen rather than another part of the payload or another Extension Header. A firewall or another device could sanity check the fields within the PDM but randomly assigned sequence numbers and delta times might be expected to vary widely. The biggest problem though is how an attacker would get access to PDM in the first place to leak data. The attacker would have to either compromise the end host or have Man in the Middle (MitM). It is possible that either one could change the fields. But, then the other end host would get sequence numbers and deltas that don't make any sense. It is conceivable that someone could compromise an end host and make it start sending packets with PDM without the knowledge of the host. But, again, the bigger problem is the compromise of the end host. Once that is done, the attacker probably has better ways to leak data. Having said that, if a PDM aware middle box or an implementation (destination host) detects some number of "nonsensical" sequence numbers or timing information, it could take action to block, discard, or alert on this traffic. >- It seems like you could use this technique for fine-grained> timing of the cryptographic operations traffic keys as well (cf. Lucky 13),> not just long-term keys as you say in S 4.4. > Note that both of these attacks are not ameliorated by restricting > to host and ports because one assumes that the attacker controls > the network per 3552 I can change the language in section 4.4 as follows: Old---- Depending on the nature of the cryptographic protocol used, it may be possible to leak the long term credentials of the device. For example, if an attacker is able to create an attack which causes the enterprise to turn on PDM to diagnose the attack, then the attacker might use PDM during that debugging time to launch a timing attack against the long term keying material used by the cryptographic protocol. New---- Depending on the nature of the cryptographic protocol used, it may be possible to leak the credentials of the device. For example, if an attacker is able to create an attack which causes the enterprise to turn on PDM to diagnose the attack, then the attacker might use PDM during that debugging time to launch a timing attack against the keying material used by the cryptographic protocol. Thanks, Nalini Elkins CEO and Founder Inside Products, Inc. www.insidethestack.com (831) 659-8360
- [ippm] Eric Rescorla's No Objection on draft-ietf… Eric Rescorla
- Re: [ippm] Eric Rescorla's No Objection on draft-… Nalini J Elkins
- Re: [ippm] Eric Rescorla's No Objection on draft-… Spencer Dawkins at IETF
- Re: [ippm] Eric Rescorla's No Objection on draft-… Nalini J Elkins