Re: [IPsec] AD review of draft-ietf-ipsecme-ddos-protection
kathleen.moriarty.ietf@gmail.com Fri, 09 September 2016 20:06 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EA2812B1EB for <ipsec@ietfa.amsl.com>; Fri, 9 Sep 2016 13:06:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Frec_NuRHU1 for <ipsec@ietfa.amsl.com>; Fri, 9 Sep 2016 13:06:50 -0700 (PDT)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B45DF12B189 for <ipsec@ietf.org>; Fri, 9 Sep 2016 13:06:50 -0700 (PDT)
Received: by mail-qk0-x229.google.com with SMTP id z190so78859776qkc.3 for <ipsec@ietf.org>; Fri, 09 Sep 2016 13:06:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xLvi0RUHIIB6seuRKqO20+9kNxudzEx53ETXEv6twY4=; b=fv+z106yEPTUBe6BBHbqqqimnk0/NC6SCYngW8IX4knGHOI4sv1pQIvvLIJrjl5ukr 7rs5k5pA6CaUQ77MFW7vnSrycMb0qeZRpgXQIw/m6mv17+Zu/AojuMfXjRQU+2vwdpOi YeiS0l00xP22PPzXy0zJp1gavfNnTR4yS9mtE0IN6G6TQmcgts4m5yXIgZyRJoWouwOC NkQonFgJXBQdjPp+XwN0F911djrvt4c70q6k42MpDN6VhkbrK0a9WdfvsCNPIJhKR1If iuqkjd+uSX+H4HmqMtgk7Qno6FxrOlgxnhRknrIfQwOaDwjHY+U60XjfAz6M4ytKCWPA 7+2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xLvi0RUHIIB6seuRKqO20+9kNxudzEx53ETXEv6twY4=; b=hA7sotJ7iFy9awDKICBcs3YQRjRNYAZm1xr2hEMqFJgpvgab8OvpePMrhJqc7FgOep UzgixzmsN31dPOMue1Sq1lfAOSBCxUB+CqK0gXUvBJi6aWfZ9s5zav8b7rvsJnEUlmKC W9NQY1J0e5G9s2W0jQCNEiFKAc5m3/ajrSiDDtWg++ebEnFnVnaJ4ZdsVHf+pR0ncFXz DOqN/XMoUyjV71oCu2jeENi5JYGalgGNz6ppdkQf5Vdsszmkl9Mswbs+EXZfmG2PIV6j lnDCwFiLAtuaCcXKBQDGaCgsNAMRfV4mdMcIAKEljolkmZ/AhSkkMbp1qt7yk60iaotX b6gA==
X-Gm-Message-State: AE9vXwPGHCc/D3nvMml+17KfbFzFVI/B3LhqkblnWZaNdo5kUT2GtaHSzXKpvPR/Jilfog==
X-Received: by 10.55.168.78 with SMTP id r75mr6437820qke.19.1473451609904; Fri, 09 Sep 2016 13:06:49 -0700 (PDT)
Received: from [192.168.1.3] (209-6-124-204.c3-0.arl-ubr1.sbo-arl.ma.cable.rcn.com. [209.6.124.204]) by smtp.gmail.com with ESMTPSA id 62sm2998195qtg.14.2016.09.09.13.06.48 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 09 Sep 2016 13:06:49 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: kathleen.moriarty.ietf@gmail.com
X-Mailer: iPhone Mail (13G36)
In-Reply-To: <F059BEF961BB49B6BFA4B38FE154E010@chichi>
Date: Fri, 09 Sep 2016 16:06:48 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <F65624D0-77A5-41FB-B476-7EB940D33ECE@gmail.com>
References: <CAHbuEH7g-8RLZKQt1T1PsO33gpEAFgEQAbYM8LPrrM=g4t7=8Q@mail.gmail.com> <F059BEF961BB49B6BFA4B38FE154E010@chichi>
To: Valery Smyslov <svanru@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/39yiC-q8R8KJfAZP4ItNZqzdoxc>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-ddos-protection
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2016 20:06:52 -0000
Hi Valery, Thanks for the quick response, inline. Please excuse typos, sent from handheld device > On Sep 9, 2016, at 4:01 PM, Valery Smyslov <svanru@gmail.com> wrote: > > Hi Kathleen, > > thank you for the review. I'll try to answer. > >> Hello, >> Thank you for you work on draft-ietf-ipsecme-ddos-protection. This is >> a good read that lays out the problem well and describes the solution >> well. Thanks for that! >> I have some nits and questions before we put this into IETF last call. >> Section 4.2 - >> This level of detail is great. Hopefully developers make sure logs >> and other ways to help with troubleshooting to determine the number of >> half open SA and failed IKE-Auth exchanges. Are these maintained with >> counters (SNMP/YANG) or log entries or some other way? Does this >> matter and does it need to be indicated here for developers so >> implementors have the tools needed to determine next steps? > > I think that it is a local matter how implementations measure the number of half-open SAs. It is possible to maintain some counters or parse local log files. Or, for example, just call size() method > for some kind of container (list, map) in case all half-open SAs are placed there. > > The only requirement is that implementations must do this measuring > periodically to get a picture of what is happening. Again, it is a local matter how often implementations should learn the number of half-open SAs, the draft doesn't impose any restrictions. > > Do you think some clarification is needed here? > No, it's fine to leave it out. I appreciate the explanation. >> Section 4.6: Suggest using some descriptive language instead of >> saying 'garbage' in the following sentence for non-native English >> speakers: >> The >> attacker can just send garbage in the IKE_AUTH message forcing the >> Responder to perform costly CPU operations to compute SK_* keys. > > How about: > > Instead of sending properly formed and encrypted IKE_AUTH message the > attacker can just send arbitrary data, forcing the Responder to perform costly CPU operations to compute SK_* keys. > (by the way, I'm a non-native English speaker, and the word "garbage" > doesn't shock me here, but I agree that more formal language is probably better) > >> Same in section 4.7, maybe "meaningless bits" or something along those lines? > > Great! Definitely better from my point of view, thank you. Thank you! > >> Malicious >> initiators can use this feature to mount a DoS attack on the >> responder by providing an URL pointing to a large file possibly >> containing garbage. >> Section 7.1.1.2: The following sentence could be cleaned up a bit >> (last paragraph): >> The >> initial request message sent by the Initiator contains an SA payload >> with the list of transforms the Initiator supports and is willing to >> use in the IKE SA being established. > > I'm not sure what's wrong with this sentence, but I'll try. Is the followng better? > > The > initial request message sent by the Initiator, contains an SA payload, > containing a list of transforms. The Initiator supports all transforms > from this list and can use any of them in the IKE SA being established. Yes, thank you! > >> Section 7.2.1.1 >> The first sentence of course fits in this section, but has already >> been said in the draft. This whole section seems repetitious. There >> are a few places where text is repeated, is it possible to reduce >> repetition? It might not be for clarity as the sections vary, but an >> effort to reduce it might make the latter part of the draft as easy to >> read as the start. > > Yes, this sentence almost duplicates the sentence from the second para > of previous Section (7.2). But I'd rather to keep it in 7.2.1.1 and just > remove from 7.2, because 7.2.1.1 gives more detailed instructions > to implementers while 7.2 is just an overview. > > Are you OK with this? Yes, thank you! > >> Section 7.2.4: 4th paragraph, 1st sentence doesn't read well. Can you >> break it up and phase the "non-first" differently? I don't think that >> is a term of art, is it? >> If the Initiator uses IKE Fragmentation, then it is possible, that >> due to packet loss and/or reordering the Responder could receive non- >> first IKE Fragment messages before receiving the first one containing >> the PS payload. > > How about: > > If the Initiator uses IKE Fragmentation, then it sends all IKE Fragment messages simultaneously. > Due to packets loss and/or reordering the Responder could receive subsequent IKE Fragment messages before receiving the first one, that contains the PS payload. Better, thanks! Let me know when you have the updated draft & I'll initiate IETF last call. Thanks, Kathleen > > Thank you, > Valery. > >> Thank you! >> -- >> Best regards, >> Kathleen >
- [IPsec] AD review of draft-ietf-ipsecme-ddos-prot… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-ddos-… Valery Smyslov
- Re: [IPsec] AD review of draft-ietf-ipsecme-ddos-… kathleen.moriarty.ietf