[IPsec] FYI: A Novel Denial-of-Service Attack Against IKEv2 - HAL-Inria
Paul Wouters <paul@nohats.ca> Mon, 05 August 2019 22:47 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D94EA120025 for <ipsec@ietfa.amsl.com>; Mon, 5 Aug 2019 15:47:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u-aXIlJcQr1i for <ipsec@ietfa.amsl.com>; Mon, 5 Aug 2019 15:47:14 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74FDB12000E for <ipsec@ietf.org>; Mon, 5 Aug 2019 15:47:14 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 462Xvg0tZTzFDB; Tue, 6 Aug 2019 00:47:11 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1565045231; bh=pr2qZa8uXeTkYbVvwVhfq4RAz7rLr9Gd3WlGms4DFLQ=; h=Date:From:To:cc:Subject; b=hU1Xhk3AT4A21J1lNh9BuhdqveHnjI/OIq+uIj+VwSxkzMMTgVG7o90oNOM6zB8MG /OI6w+F0VeEjom1z9CfGD/mGaRLOlZDyibv/nAY0u3SBBMGFbs6xj/qwN6uf2ou+uv fUOb87iyJMQzqJrfqH57qkefjIayJ8aJOM8tDax8=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id mLK6YvooE9HI; Tue, 6 Aug 2019 00:47:08 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 6 Aug 2019 00:47:07 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 457945C853; Mon, 5 Aug 2019 18:47:06 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 457945C853
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 3D6EE40A7022; Mon, 5 Aug 2019 18:47:06 -0400 (EDT)
Date: Mon, 05 Aug 2019 18:47:06 -0400
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
cc: tristan.ninet@inria.fr
Message-ID: <alpine.LRH.2.21.1908051444150.17397@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/-xT8RclsMtdmFNzCAAR2PSGAPN0>
Subject: [IPsec] FYI: A Novel Denial-of-Service Attack Against IKEv2 - HAL-Inria
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Aug 2019 22:47:17 -0000
https://hal.inria.fr/hal-01980276/document "A Novel Denial-of-Service Attack Against IKEv2 - HAL-Inria" (I've CC:ed the first author of the paper on this email) I've read through the paper, and I believe is very much misrepresents what it deems is a DoS attack against the IKEv2 protocol. The DoS attack described seems to think it can change the IP address and cause Initiator to be authenticated by a different peer than intended (ignoring all of IDi / IDr payloads it is relaying). Then the different peer is happy, but the last IKE_AUTH reply to the initiator would signify a failure. Then when the initiator sends an Informational message with a Delete payload and AUTHENTICATION_FAILED notify, the attacker drops the message. Now the different peer has "lost resources" since its IKE SA (and possibly IPsec SA) is up. A proper implementation would send a Liveness probe if its IPsec SA counters remain zero. It would also put an idle limit on an childless SA that resulted from a TS_UNAVAILABLE (as opposed to a by design childless IKE SA) It makes more wrong assumptions like "(TS negotiation will fail in most cases)" which I guess they think would fail because the different peer's have different IPsec SA configurations, but really if they are that different, they will also have different IDi/IDr payloads because a peer's configuration with many other peers for specific subnets would be configured with local/remote IDs as to not tie these to hardcoded IP addresses. Without explicit ID, the ID used is normally the ID_IPvx, and if that is used, using an IP address X with ID_IPv4 Y will also cause an IKE failure of the victim peer because for IP address X it would then expect ID_IPv4 X. It then "proves" this by using the strongswan/libreswan option uniqueids=no, which is an non-standard override used to allow multiple IDs to establish more than one connection. Obviously, such connections MUST use liveness/dpd to kick out idle connections, because you cannot detect a reconnect from behind NAT from a different user behind the same NAT, and you would accumulate a lot of connections from restarting clients that you wouldn't be able to cleanup otherwise. Assuming all peers are on dynamic IPs, so no ACL's kick in between the peers (which would really only happen on a mesh cloud encryption, where an attacker would be extremely unlikely able to selectively NAT or DROP packets), the DoS attack would still fail. If peer A tries to talk to peer B and ends up talking to peer C, then the attack would fail if peer A sends the IDr payload. If it does not send an IDr payload, then it likely expects the ID_IPv4 later which wouldn't match when it got redirected to a different peer, using a different ID_IPv4. But even we assume all of this is true, and the attacker can block the packets from peer A's delete request to peer C, then yes peer C uses one connection resource. If peer A attempts a new connection because its connection failed, the attacker can try this again, but peer C will replace the existing IKE/IPsec SA in the normal case. So doing the attack twice from the same peer (who is still trying to connect) will still only lead to one extra unused connection of peer C. So you would need many peers to get any real amount of memory wasted on peer C. But if peer C is expecting to be part of a mesh with _many_ peers, it will have the resources to setup connections with a large number of peers. Deflecting a few peers through other peers isn't going to present a different scale level. In the case where repeated attempts would not replace the existing connection (which they emulate using the strongswan/libreswan uniqueids=no option on peer C), peer C would indeed end up using another one connection of memory. Peer A would do some kind of back-off on the failures, so maybe you get a one connection per minute rate. You would still need a lot of peers to DoS peer C, which again means that peer C is already expected to talk to a lot of peers. At best you could double the load by sending each peer configured through another peer. And all this assumes peer C does not remove idle IKE/IPsec SA's, and does not use liveness/DPD. Which in a mesh peer to peer enterprise network encryption you would use. In a remote access VPN scenario, there is no "redirect to a different peer" as all peers only connect to the one security gateway (or a set of gateways with identical credentials) so 'redirecting' a peer is not possible. It goes on to say the attack is not possible with PSKs, which I don't understand. They also then mumbled about asymmetric authentication, which I don't understand, but regardless is basically only employed with EAPTLS and Remote Access VPNs, so it does not apply to this attack. When using PSK with a Group-ID, this "attack" is in fact the actual normal deployment that implementations already handle. A groupID plus PSK, at least on libreswan, implies uniqueids=no for free because otherwise each client would kick of the next client. Now imagine a client on flaky wifi that keeps dropping and reconnecting. It would actually set up duplicate connections faster than this entire peer redirection attack. Those configurations better better use liveness/dpd already to ensure an often reconnecting client is not generating hundreds of new IKE/IPsec SA's without cleaning up the old ones. (initial contact cannot be used when using groupID with PSK as all different clients identify the same). They link to proof of concept code at gitlab.com/deviation/demo but I cannot access this - it is a private repository. But from the description in the paper, they only show 3 VMs and one of these connection tricks - and don't show any of this at scale using containers to see how the target would respond when this happens at a scale of which this becomes an actual attack. In conclusion, I wish the authors of the paper would have contacted the IPsec community at IETF or the opensource vendors of strongswan or libreswan before publication. It also shows the limitations of formal proofs in the absence of understanding operational deployments and implementation details. And that one should never describe one's own inventions as "novel". Leave that praise to others. Paul
- [IPsec] FYI: A Novel Denial-of-Service Attack Aga… Paul Wouters
- Re: [IPsec] FYI: A Novel Denial-of-Service Attack… Tristan Ninet
- Re: [IPsec] FYI: A Novel Denial-of-Service Attack… Valery Smyslov
- Re: [IPsec] FYI: A Novel Denial-of-Service Attack… Tero Kivinen
- Re: [IPsec] FYI: A Novel Denial-of-Service Attack… Tristan Ninet