IETF Logo Mail Archive

Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

"touch@strayalpha.com" <touch@strayalpha.com> Mon, 30 May 2022 18:04 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 320EBC15AAD1; Mon, 30 May 2022 11:04:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.328
X-Spam-Level:
X-Spam-Status: No, score=-1.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V0fx3wtkiPaI; Mon, 30 May 2022 11:04:08 -0700 (PDT)
Received: from server217-1.web-hosting.com (server217-1.web-hosting.com [198.54.114.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4293C14F725; Mon, 30 May 2022 11:03:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=0hbEv0op9dTLxajyv4y2qqac1PsvqGbriQNMcHM25P0=; b=RPAjViVQh9Sp0oE817dGcGnm/A /5MnzmBhKcof7BPWkEjdGVASml/ZwnM3s2zLXE4Y/ajtpv7z5cHTaYSiPnOw5v0bDYH1B6WYiRGiW JRD34W74I/8QT7MRTqK45pLfz65VOl7cSpwbQ0KKYthsjChN/6Zv6hSPv7T34xaA5gLf8Hg74QWsT SiwCBtVQK1obeGxcsmYkj6Q5a3rSWrolZrmeUxgcCUoi56cXPVvzRKAFiPZt+i4lqtYGKyUynvYU+ DcKkdqHNfAYZO3DrSHWRb8qjXpSf2a7bhPQhbKOhovPFbFRRHAgMyUU/dnXC0OQ2ev+t9RbM4HQgK t7rL8dkQ==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:59095 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <touch@strayalpha.com>) id 1nvjjs-00Fq70-6j; Mon, 30 May 2022 14:03:40 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_AC89736C-0181-4965-88BF-05FEE4A83285"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <081301d87441$5cb483e0$161d8ba0$@elvis.ru>
Date: Mon, 30 May 2022 11:03:31 -0700
Cc: Christian Huitema <huitema@huitema.net>, secdir@ietf.org, draft-ietf-ipsecme-rfc8229bis.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
Message-Id: <1EB553CB-EA5A-4C64-B039-8655830D753F@strayalpha.com>
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com> <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru> <9d37d517-b6ff-6965-40a2-67f5c2a3e476@huitema.net> <183D552C-A06A-4DD4-92B9-6FEF7B9DCED1@strayalpha.com> <07de01d87439$d8889fe0$8999dfa0$@elvis.ru> <63F2C9A3-AB50-4447-853B-AAA2899CFA56@strayalpha.com> <081301d87441$5cb483e0$161d8ba0$@elvis.ru>
To: Valery Smyslov <svan@elvis.ru>
X-Mailer: Apple Mail (2.3696.100.31)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3j8Quz7-iyueePe3bTIV8afsXDo>
Subject: Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 May 2022 18:04:12 -0000

...
> On May 30, 2022, at 9:21 AM, Valery Smyslov <svan@elvis.ru> wrote:
> 
>  
> From: touch@strayalpha.com <mailto:touch@strayalpha.com> [mailto:touch@strayalpha.com <mailto:touch@strayalpha.com>] 
> Sent: Monday, May 30, 2022 7:00 PM
> To: Valery Smyslov
> Cc: Christian Huitema; secdir@ietf.org <mailto:secdir@ietf.org>; draft-ietf-ipsecme-rfc8229bis.all@ietf.org <mailto:draft-ietf-ipsecme-rfc8229bis.all@ietf.org>; ipsec@ietf.org <mailto:ipsec@ietf.org>; last-call@ietf.org <mailto:last-call@ietf.org>
> Subject: Re: [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
>  
> It might be useful to add that most of those injection attacks are similar to the kind of attack possible when IPsec is carried inside IP tunnels or UDP tunnels when IPsec messages are split across tunnel messages. In those cases, the vulnerability depends on the predictability of the fragment identifier, which can be much smaller than the predictability of being within the TCP receive window sequence space, esp. for long-lived TCP connections.
>  
>           Do you mean that fragmented packets will never be re-assembled at receiving end and thus dropped?

Or reassembled with incorrect data, then IPsec will decide they fail decryption. Either way, it’s an attack that non-fragmented packets aren’t susceptible to.

>  
>           We can add the following sentence after the list in the text below:
>  
>           Note, that data injection attacks are also possible on IP level (e.g. when IP fragmentation is used)
>           resulting in DoS attack even if TCP encapsulation is not used.

The useful addition is that the TCP injection attack is easier to do than the IP fragmentation injection attack (or even a GRE fragmentation injection). TCP keeps a long receive window open that’s a sitting target for such attacks (the first byte to the last byte of the entire window of bytes). IP fragmentation does not need to use sequence numbers in order, and even when ti does its “target” “window” is only the number of fragment IDs in round trip, which is a much smaller attack surface.

Joe

v2.23.0 | Report a Bug | By Email