[IPsec] FYI: A Novel Denial-of-Service Attack Against IKEv2 - HAL-Inria

Paul Wouters <paul@nohats.ca> Mon, 05 August 2019 22:47 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D94EA120025 for <ipsec@ietfa.amsl.com>; Mon, 5 Aug 2019 15:47:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u-aXIlJcQr1i for <ipsec@ietfa.amsl.com>; Mon, 5 Aug 2019 15:47:14 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74FDB12000E for <ipsec@ietf.org>; Mon, 5 Aug 2019 15:47:14 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 462Xvg0tZTzFDB; Tue, 6 Aug 2019 00:47:11 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1565045231; bh=pr2qZa8uXeTkYbVvwVhfq4RAz7rLr9Gd3WlGms4DFLQ=; h=Date:From:To:cc:Subject; b=hU1Xhk3AT4A21J1lNh9BuhdqveHnjI/OIq+uIj+VwSxkzMMTgVG7o90oNOM6zB8MG /OI6w+F0VeEjom1z9CfGD/mGaRLOlZDyibv/nAY0u3SBBMGFbs6xj/qwN6uf2ou+uv fUOb87iyJMQzqJrfqH57qkefjIayJ8aJOM8tDax8=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id mLK6YvooE9HI; Tue, 6 Aug 2019 00:47:08 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 6 Aug 2019 00:47:07 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 457945C853; Mon, 5 Aug 2019 18:47:06 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 457945C853
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 3D6EE40A7022; Mon, 5 Aug 2019 18:47:06 -0400 (EDT)
Date: Mon, 5 Aug 2019 18:47:06 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
cc: tristan.ninet@inria.fr
Message-ID: <alpine.LRH.2.21.1908051444150.17397@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/-xT8RclsMtdmFNzCAAR2PSGAPN0>
Subject: [IPsec] FYI: A Novel Denial-of-Service Attack Against IKEv2 - HAL-Inria
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Aug 2019 22:47:17 -0000


https://hal.inria.fr/hal-01980276/document

"A Novel Denial-of-Service Attack Against IKEv2 - HAL-Inria"

(I've CC:ed the first author of the paper on this email)

I've read through the paper, and I believe is very much misrepresents
what it deems is a DoS attack against the IKEv2 protocol.

The DoS attack described seems to think it can change the IP address
and cause Initiator to be authenticated by a different peer than intended
(ignoring all of IDi / IDr payloads it is relaying). Then the different
peer is happy, but the last IKE_AUTH reply to the initiator would signify
a failure. Then when the initiator sends an Informational message with
a Delete payload and AUTHENTICATION_FAILED notify, the attacker drops
the message. Now the different peer has "lost resources" since its IKE
SA (and possibly IPsec SA) is up. A proper implementation would send a
Liveness probe if its IPsec SA counters remain zero. It would also put
an idle limit on an childless SA that resulted from a TS_UNAVAILABLE
(as opposed to a by design childless IKE SA)

It makes more wrong assumptions like "(TS negotiation will fail in most
cases)" which I guess they think would fail because the different peer's
have different IPsec SA configurations, but really if they are that
different, they will also have different IDi/IDr payloads because a
peer's configuration with many other peers for specific subnets would
be configured with local/remote IDs as to not tie these to hardcoded
IP addresses. Without explicit ID, the ID used is normally the ID_IPvx,
and if that is used, using an IP address X with ID_IPv4 Y will also
cause an IKE failure of the victim peer because for IP address X it
would then expect ID_IPv4 X.

It then "proves" this by using the strongswan/libreswan option
uniqueids=no, which is an non-standard override used to allow multiple
IDs to establish more than one connection. Obviously, such connections
MUST use liveness/dpd to kick out idle connections, because you cannot
detect a reconnect from behind NAT from a different user behind the
same NAT, and you would accumulate a lot of connections from restarting
clients that you wouldn't be able to cleanup otherwise.

Assuming all peers are on dynamic IPs, so no ACL's kick in between
the peers (which would really only happen on a mesh cloud encryption,
where an attacker would be extremely unlikely able to selectively NAT or
DROP packets), the DoS attack would still fail. If peer A tries to talk
to peer B and ends up talking to peer C, then the attack would fail if
peer A sends the IDr payload. If it does not send an IDr payload, then
it likely expects the ID_IPv4 later which wouldn't match when it got
redirected to a different peer, using a different ID_IPv4. But even we
assume all of this is true, and the attacker can block the packets from
peer A's delete request to peer C, then yes peer C uses one connection
resource. If peer A attempts a new connection because its connection
failed, the attacker can try this again, but peer C will replace the
existing IKE/IPsec SA in the normal case. So doing the attack twice from
the same peer (who is still trying to connect) will still only lead to one
extra unused connection of peer C. So you would need many peers to get
any real amount of memory wasted on peer C. But if peer C is expecting
to be part of a mesh with _many_ peers, it will have the resources to
setup connections with a large number of peers. Deflecting a few peers
through other peers isn't going to present a different scale level.

In the case where repeated attempts would not replace the existing
connection (which they emulate using the strongswan/libreswan uniqueids=no
option on peer C), peer C would indeed end up using another one connection
of memory. Peer A would do some kind of back-off on the failures, so
maybe you get a one connection per minute rate. You would still need
a lot of peers to DoS peer C, which again means that peer C is already
expected to talk to a lot of peers. At best you could double the load
by sending each peer configured through another peer.

And all this assumes peer C does not remove idle IKE/IPsec SA's, and
does not use liveness/DPD. Which in a mesh peer to peer enterprise
network encryption you would use. In a remote access VPN scenario,
there is no "redirect to a different peer" as all peers only connect
to the one security gateway (or a set of gateways with identical
credentials) so 'redirecting' a peer is not possible.

It goes on to say the attack is not possible with PSKs, which I don't
understand. They also then mumbled about asymmetric authentication,
which I don't understand, but regardless is basically only employed
with EAPTLS and Remote Access VPNs, so it does not apply to this attack.

When using PSK with a Group-ID, this "attack" is in fact the actual normal
deployment that implementations already handle. A groupID plus PSK, at
least on libreswan, implies uniqueids=no for free because otherwise each
client would kick of the next client. Now imagine a client on flaky wifi
that keeps dropping and reconnecting. It would actually set up duplicate
connections faster than this entire peer redirection attack. Those
configurations better better use liveness/dpd already to ensure an often
reconnecting client is not generating hundreds of new IKE/IPsec SA's
without cleaning up the old ones. (initial contact cannot be used when
using groupID with PSK as all different clients identify the same).

They link to proof of concept code at gitlab.com/deviation/demo but I
cannot access this - it is a private repository. But from the
description in the paper, they only show 3 VMs and one of these
connection tricks - and don't show any of this at scale using containers
to see how the target would respond when this happens at a scale of
which this becomes an actual attack.

In conclusion, I wish the authors of the paper would have contacted
the IPsec community at IETF or the opensource vendors of strongswan or
libreswan before publication. It also shows the limitations of formal
proofs in the absence of understanding operational deployments and
implementation details. And that one should never describe one's own
inventions as "novel". Leave that praise to others.

Paul