IETF Logo Mail Archive

Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

Valery Smyslov <svan@elvis.ru> Tue, 31 May 2022 11:14 UTC

Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 388C7C14F74E; Tue, 31 May 2022 04:14:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zulz5TfkYaKB; Tue, 31 May 2022 04:14:24 -0700 (PDT)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A458C14F746; Tue, 31 May 2022 04:14:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=0pQyXxBdjEI0Eq3YZfwCjL7zGvXLX3zV/i+HmfMbfE0=; b=oLgZ3gfoVxjafghqU6n4Ja5Paj vXd9mRog1jT0myh6JFgWWBelsFSoZw3zvs7BT1pMYbShjq3UXMeT//p069emt+tqTE+rayObW5l0G njP2p28eOecxjGYirsCQEufOFJO+6AnLu+pRqu+OhJB+PzbtMNphkNc69lckIiLy8zow=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1nvzpH-0005um-JR; Tue, 31 May 2022 14:14:15 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1nvzpH-0007gE-D5; Tue, 31 May 2022 14:14:15 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Tue, 31 May 2022 14:14:15 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Tue, 31 May 2022 14:14:15 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Tero Kivinen' <kivinen@iki.fi>
CC: 'Christian Huitema' <huitema@huitema.net>, secdir@ietf.org, draft-ietf-ipsecme-rfc8229bis.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com> <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru> <25237.6715.619617.181961@fireball.acr.fi>
In-Reply-To: <25237.6715.619617.181961@fireball.acr.fi>
Date: Tue, 31 May 2022 14:14:16 +0300
Message-ID: <08f501d874df$90e95750$b2bc05f0$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQKKl9px7X7eA1CQ6TUrJpeus4VMBQFqn8/DAb05IO2ru0LB8A==
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/05/31 10:19:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/05/31 05:46:00 #19627614
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/7z687W1JI8QgIT2xxozU0WrCqHI>
Subject: Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2022 11:14:28 -0000

Hi Tero,

> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi]
> Sent: Monday, May 30, 2022 10:26 PM
> To: Valery Smyslov
> Cc: 'Christian Huitema'; secdir@ietf.org; draft-ietf-ipsecme-rfc8229bis.all@ietf.org; ipsec@ietf.org; last-
> call@ietf.org
> Subject: RE: Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
> 
> Valery Smyslov writes:
> > If the TCP connection is abandoned (for any reason) and the
> > associated IKE SA is still up, then the IKE initiator will re-create
> > it. So, it is not a big deal, but definitely can influence
> > performance. On the other hand, an attacker who is able to alter the
> > packets on the wire (TCP, UDP, any) can make IKE peers to tear down
> > IKE SA (e.g. by spoiling every packet). So, I'm not sure using TCP
> > gives significant advantages for an attacker here, in most cases it
> > will result in DoS.
> 
> Actually just messing up any length octets on the wire will completely
> mess up the packet structure, as there is no way of recovering that
> except to tear down the TCP and start over, so this makes it easier to
> attack than to attack against UDP.

Agree, that's what is in the suggested text:

   o  if an attacker alters the content of the Length field that
      separates packets, then the receiver will incorrectly identify the
      margins of the following packets and will drop all of them or even
      tear down the TCP connection if the content of the Length field
      happens to be 0 or 1 (see Section 3)

> For udp you would need to modify every single udp packet to cause them
> to fail to authenticate. For tcp, you need to take single TCP packet,
> and modify length bytes (for example simply flip one bit there), and
> that will mess up the whole stream and most likely tear down the whole
> IKE SA.
> 
> I.e., if you change the length bytes of 100 byte IKE packet to 200
> bytes, then receiver will keep waiting until it has 100 extra bytes
> after the IKE packet (from the next IKE or ESP packet in tcp tunnel),
> and then try to parse the IKE packet and notices it is only 100 bytes
> long (the authentication of the IKE packet will succeed, as it was not
> modified, and the IKE packet has length inside, so it will know that
> IKE packet was only 100 bytes long).
> 
> Now after that it will read two random bytes from the stream, and
> assume they are then length field, and wait for that long and so on.
> I.e., it will never really recover (except by accident).
> 
> Receiver can notice that, i.e., if it sees that there is extra data
> after the IKE SA packet, or the length field of the TCP stream is less
> than what is expected by the IKE packet, it knows something is wrong,
> and can restart the TCP connection.
> 
> Detecting this on ESP packets is harder, but if the packets after the
> length field does not look like ESP packet, then we know that
> something is messed up and we need to restart the TCP stream.
> 
> And as others already pointed out, it is very easy to just send few
> bytes in to the TCP stream, or just modify one frame by modifying the
> length fields.
> 
> I think we need to add text explaining how to detect when the TCP
> length framing gets messed up by attacks, and how to recover (i.e.,
> close down the TCP channel and recreate the TCP channel).

I'm not sure we must go so far and this complication is really needed. Let us 
make a distinction between on-the-path attackers and off-the-path ones.
On-the-path attackers who are able to read, modify and inject (or even drop) packets
can do a lot of bad things and modifying specifically the length 
field is not the easiest way to disrupt communication between peers.
On contrast, it's quite a hard task for the off-the-path attacker, who
cannot read the TCP stream, to modify exactly those two bytes in the stream where 
the Length sits. So, most probably a larger part of the stream will be corrupted,
that will cause some packets drop, and, in case these are IKE packets,
most probably the IKE SA will be teared down by the peers (due to timeout).
Moreover, from my reading of RFC 5961, in many cases the result
of data injection attack will be that RST will be sent by one of the peers
(due to ACK war).

So, I'm not sure we should advise implementers to complicate their code for this specific case,
because the final result will be the same. I think that it is enough if we mention
the possibility of this event (as in the suggested text).

Regards,
Valery.


> --
> kivinen@iki.fi

v2.23.0 | Report a Bug | By Email