IETF Logo Mail Archive

Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Sun, 06 March 2016 19:12 UTC

Return-Path: <david.waltermire@nist.gov>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1096A1B3155 for <ipsec@ietfa.amsl.com>; Sun, 6 Mar 2016 11:12:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3u8YP5TNqqiJ for <ipsec@ietfa.amsl.com>; Sun, 6 Mar 2016 11:12:24 -0800 (PST)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0100.outbound.protection.outlook.com [23.103.200.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC71E1B3153 for <ipsec@ietf.org>; Sun, 6 Mar 2016 11:12:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=q0bKximuV209y/kHo7KX6RisTxWEC2HahedBJ6kJ4ZI=; b=Ej6E1HmWZNVvmb0CIE+muDmFrM+6SZy1URLoNFtCCm4W91voUu6UsCt/xJ/oR0GIarKgdDbKR3H6KuGbyJz1lNCaQR+J38Lf6Xe6a6R0jTlHLL7c0FE2duy1S32R3Q3GgHtkUshmp7MTcmUv9+uCN3keDqBw6Gy3Oyjv8/libaE=
Received: from DM2PR09MB0365.namprd09.prod.outlook.com (10.160.247.18) by DM2PR09MB0365.namprd09.prod.outlook.com (10.160.247.18) with Microsoft SMTP Server (TLS) id 15.1.427.16; Sun, 6 Mar 2016 19:12:16 +0000
Received: from DM2PR09MB0365.namprd09.prod.outlook.com ([10.160.247.18]) by DM2PR09MB0365.namprd09.prod.outlook.com ([10.160.247.18]) with mapi id 15.01.0427.019; Sun, 6 Mar 2016 19:12:16 +0000
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: "tpauly@apple.com" <tpauly@apple.com>, Valery Smyslov <svanru@gmail.com>
Thread-Topic: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04
Thread-Index: AdFzz6vWEN1mpUdbReie8Bmkunv/FQCHPdIAAA9+PoAAAz2MAAABE/gAAAEUH4AAIW1KAAAgvecAACSki5A=
Date: Sun, 06 Mar 2016 19:12:16 +0000
Message-ID: <DM2PR09MB0365600F899FB62D723E3B20F0B00@DM2PR09MB0365.namprd09.prod.outlook.com>
References: <BY1PR09MB03587C3829A33D76ECE8EF1BF0BB0@BY1PR09MB0358.namprd09.prod.outlook.com> <CADnPsE-RfHiRdof82CPokYXXVaEa74ssXw2XQ5v7hYpdFYQ7=Q@mail.gmail.com> <alpine.LFD.2.20.1603041020030.29534@bofh.nohats.ca> <A9AD397B-49C3-48AA-BB09-E23E907F1194@apple.com> <EBE443B3-3EE6-47FC-B459-A3C6585AB3F9@gmail.com> <CB618816-2A4E-492A-B385-CAFD80DC2B07@apple.com> <7CC6BEAF37124C56930D7769EF7B9848@chichi> <B4389E4E-EA55-4652-A4B7-6C942A70136B@apple.com>
In-Reply-To: <B4389E4E-EA55-4652-A4B7-6C942A70136B@apple.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: apple.com; dkim=none (message not signed) header.d=none;apple.com; dmarc=none action=none header.from=nist.gov;
x-originating-ip: [129.6.224.58]
x-ms-office365-filtering-correlation-id: b4905fb9-14a8-4615-eaeb-08d345f33b81
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0365; 5:XJivpXm3fgm6Y+ygfi7ma6d04dXv7phlbMKoSXd4pGCfsMF5bZpDhj+wGgH/1e/CHhnSThe8btuyNLd9bDQX4RlRKOqkqqKyq5aekgg4wa9slgSxdY5llhGuuJYwBdlLiqlFWj4Bo859NDvFLSzEnw==; 24:OLjZYBqD52zFaEe4wgu75C7qI0Fvo9JKMy5CoZQRLDCkqS7AKjnkAWw49NfypMT3V00nX5q8yy57r/lLawLvvpuEs0bto63Pr5sx0KkW8K8=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR09MB0365;
x-microsoft-antispam-prvs: <DM2PR09MB0365D29351968ACE9B7A928CF0B00@DM2PR09MB0365.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046); SRVR:DM2PR09MB0365; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0365;
x-forefront-prvs: 087396016C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(13464003)(24454002)(51444003)(164054003)(6116002)(86362001)(102836003)(3846002)(586003)(93886004)(1220700001)(1096002)(2950100001)(11100500001)(33656002)(2900100001)(15975445007)(77096005)(5008740100001)(345774005)(230783001)(54356999)(76176999)(50986999)(189998001)(66066001)(10400500002)(5003600100002)(40100003)(122556002)(92566002)(5002640100001)(87936001)(19580405001)(74316001)(3280700002)(76576001)(2501003)(4326007)(99286002)(3660700001)(2906002)(5001770100001)(19580395003)(81166005)(7059030); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0365; H:DM2PR09MB0365.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2016 19:12:16.4298 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0365
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/-x8CjIkXUK7M6iqbHjc2oGngwKQ>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2016 19:12:30 -0000

With my hat off, I like the idea of reorganizing the puzzle oriented content in the draft to after the current section 4-6 content. IMHO, I think this could improve the flow and organization of the document.

Dave

> -----Original Message-----
> From: tpauly@apple.com [mailto:tpauly@apple.com]
> Sent: Saturday, March 05, 2016 8:38 PM
> To: Valery Smyslov <svanru@gmail.com>
> Cc: Yoav Nir <ynir.ietf@gmail.com>; ipsec@ietf.org; Paul Wouters
> <paul@nohats.ca>; Waltermire, David A. (Fed) <david.waltermire@nist.gov>
> Subject: Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04
> 
> Hi Valery,
> 
> Responses inline.
> 
> Thanks!
> Tommy
> 
> > On Mar 5, 2016, at 2:00 AM, Valery Smyslov <svanru@gmail.com> wrote:
> >
> > Hi Tommy,
> >
> > thank you for your comments.
> >
> >>>> I tend to agree with Paul that I find it unlikely, from an
> >>>> implementor’s standpoint, that many Initiators will choose to
> >>>> implement the puzzle logic, especially ones that are running on mobile
> devices. It is unlikely that the phones will be able to solve the puzzles quickly
> enough to beat out botnets, and it would be hard to justify the battery
> consumption necessary.
> >>>> That being said, the document does a very good job of explaining
> >>>> the problem space, and the other parts of its solution
> >>>> (rate-limiting and suggesting session resumption) make good sense.
> Perhaps there can be more focus on how a responder can best protect itself
> if indeed the majority of its clients do not support puzzles?
> >
> > Sections 4 - 6 describe measures other than puzzles that the responder can
> use to defend itself against DDoS attack.
> > Do you think it is not enough? Puzzles are a new thing, that's why
> > more text is needed to explain how they are fit into the protocol. However
> the draft is not solely about puzzles, and I think it covers other defending
> techniques in sufficient details.
> 
> Perhaps it would be useful to rearrange the sections to highlight this more
> clearly. The first section about a solution is Puzzles (section 3), followed by
> sections 4-6 which cover other aspects of DDoS avoidance strategies, which is
> then followed by an in-depth explanation of the Puzzles in the protocol
> (sections 7-9). Since the other aspects and sandwiched in between sections
> purely focused on puzzles, the draft really feels like it is about puzzles. What
> if the other approaches were moved before the first puzzles section, so the
> entire section on puzzles can be contiguous?
> 
> >
> >>>> One question on section 7.1.2:
> >>>>
> >>>> If the received message contains a PUZZLE notification and doesn't
> >>>> contain a COOKIE notification, then this message is malformed
> >>>> because it requests to solve the puzzle, but doesn't provide enough
> >>>> information to do it.  In this case the Initiator SHOULD resend
> >>>> IKE_SA_INIT request.  If this situation repeats several times, then
> >>>> it means that something is wrong and the IKE SA cannot be
> >>>> established.
> >>>>
> >>>> I am concerned that the suggestion for the initiator reacting to
> malformed IKE_SA_INIT packets is to send more traffic to the responder.
> >>>> The responder should not legitimately send a PUZZLE notification
> without a COOKIE notification, since this would be invalid.
> >>>> If the initiator sees this, it can either assume that (a) the
> >>>> responder’s implementation is out of spec, or (b) some malicious
> >>>> third party is deliberately modifying the unencrypted packet. In
> >>>> the first case, trying to send the IKE_SA_INIT again would be in vain; in
> the second case, we have provided a way for a third party to cause initiators
> to send more traffic to the responder, thus providing an attack vector. What
> are your thoughts on this?
> >>>>
> >>> A proper responder would not send a malformed packet. An attacker
> >>> could send a malformed response immediately after the initiator sends
> the request. By the time the initiator gets the real responder’s response, it
> has lost state.
> >>>
> >>> That is why it is always a good idea (not just in this context) for the
> initiator to ignore malformed responses until the timeout is reached.
> >>>
> >> That makes sense. The wording, however, could imply that the Initiator
> should resend the request as if in response to the malformed packet.
> >> Based on your comment, the Initiator should wait for the usual amount of
> time before retrying, rather than immediately retrying the packet.
> >> It may be useful to clarify this in the text.
> >
> > You are right that the Initiator should wait for the retransission timer to
> expire before resending message.
> > I agree that the wording is ambiguous about that. How about the
> following?
> >
> >  If the received message contains a PUZZLE notification and doesn't
> > contain a COOKIE notification, then this message is malformed because
> > it requests to solve the puzzle, but doesn't provide enough
> > information to do it.  In this case the Initiator MUST ignore  the
> > received message and continue to wait until either the valid one  is
> > received or the retransmission timer fires. If it fails to receive the
> > valid  message after several retransmissions of IKE_SA_INIT request,
> > then  it means that something is wrong and the IKE SA cannot be
> established.
> 
> I think that is more clear, thanks!
> >
> > Regards,
> > Valery.
> >
> >> Thanks,
> >> Tommy
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email