IETF Logo Mail Archive

Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06

"Valery Smyslov" <svanru@gmail.com> Mon, 06 June 2016 07:26 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58A6212B078 for <ipsec@ietfa.amsl.com>; Mon, 6 Jun 2016 00:26:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.93
X-Spam-Level:
X-Spam-Status: No, score=-1.93 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uNJiObWQH1_t for <ipsec@ietfa.amsl.com>; Mon, 6 Jun 2016 00:26:31 -0700 (PDT)
Received: from mail-lf0-x234.google.com (mail-lf0-x234.google.com [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6699712B02E for <ipsec@ietf.org>; Mon, 6 Jun 2016 00:26:30 -0700 (PDT)
Received: by mail-lf0-x234.google.com with SMTP id b73so88588867lfb.3 for <ipsec@ietf.org>; Mon, 06 Jun 2016 00:26:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-transfer-encoding; bh=2yufaZrzbJTq5enXRlmg9QnPLn9rmOybpm3kbNr38TA=; b=op/6YWHt5dC3w2bfncb76CMiALY7cpc7WuKrhqTokRKOVLThRTD3VmxHYTE8PVF4qA lceGDcSA9SH0USkGq1WfFI4J6yshvV3iKTdS6CT55lKJBwrlGbnIx2l/9AqliRS45Amw YbdmwnrCeEWdQU1pJt0FE5QkAwS7v19swsVn2M3knLHLGbybOOhcVtd31/U2qHGUrkLp 8XNsvhArcxrh6IHio7eCS5cKclB32R9aQrI3pft11/NzLs0IzbUse7ulRz+jBm8B36Ke BMHw6jRCo/4J9IyRTfNq/u2cNUbbEpeDfbXxtXStPTu7VWJ/LGNJxZX7tzmbLPA0vPk9 QQ3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:cc:references:subject:date :mime-version:content-transfer-encoding; bh=2yufaZrzbJTq5enXRlmg9QnPLn9rmOybpm3kbNr38TA=; b=lUCGz+2zdysOYttzjCncoWWgNKRcpy4l+E9A1KSzfHhwD7SD9pYaFg+INMiuLVhtIs 78NvtZFN65+//10wgQ3A5gHtr8EleAxmIUhnvA3IyNoxCunTFk5oJRW+Xrf2tXjpR67i m2m2cRJVCBHuAs5K0CuQ0uBbnvsGzqIxv20Ri+7+90wcnpD8ANtfkX0eZ6ZdcxZu+olx D4ASbjPA1Ym6h5YgoSsW3sPQWREb8WqoSR5DC9qyJNc27F66jCV41WAx8+Nam2psHYPq fvTc1FTg8n/xjPxDg47vAelIWmpgBGEjD2qlbVq1aGNvCSJVokLHP9yCoVB68QcmDBLv wQ9w==
X-Gm-Message-State: ALyK8tKhE+0Y4lev5hRwGIGDWfL5kSDiekSXj4WJGWgr8MS2ZSXlwUnzyNjZppj1nQeT3w==
X-Received: by 10.25.25.2 with SMTP id 2mr1064810lfz.149.1465197988412; Mon, 06 Jun 2016 00:26:28 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id m8sm1749007lfe.15.2016.06.06.00.26.26 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 06 Jun 2016 00:26:27 -0700 (PDT)
Message-ID: <A6682BC2468947F1A1669A9B9D558BF5@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Paul Wouters <paul@nohats.ca>
References: <alpine.LRH.2.20.1605311635540.16809@bofh.nohats.ca> <4200F5373D5542C985F3D4C51609213C@buildpc> <alpine.LRH.2.20.1606022148040.23132@bofh.nohats.ca> <E61D75BBDD0F4A159352B3258BBAA7DE@buildpc> <alpine.LRH.2.20.1606031155230.11420@bofh.nohats.ca>
Date: Mon, 06 Jun 2016 10:26:17 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AOHbnhqkBHoiISFStJbVCfN2Aus>
Cc: ipsec@ietf.org, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jun 2016 07:26:33 -0000

> [ cut everything we agreed ]
> 
>>> > >      Depending on the Responder implementation, this can be repeated 
>>> > >      with
>>> > >      the same half-open SA.
>>> > > 
>>> > >   I don't think this "depends on the implemention". Since any on-path
>>> > >   attacker can spoof rubbish, a Responder MUST ignore the failed packet
>>> > >   and remain ready to accept the real one for a certain about of time. 
>>> > 
>>> >  "Depending on the Responder implementation" means here that if along 
>>> >  with discarding the failed packet the Responder also discards the 
>>> >  computed SK_* keys, then it will need to re-calculate them again
>>> >  when the next IKE_AUTH packet is received, so the attack can be
>>> >  repeated. The SK_* keys don't depend on IKE_AUTH messages,
>>> >  so in general there is no need to discard them even if the received
>>> >  IKE_AUTH packet failed to decrypt properly, and the draft advises to 
>>> >  keep them in this case. However, implementations may have good reasons 
>>> >  to do this (e.g. to free hardware resources if crypto is performed in 
>>> >  HW).
>>>
>>>  Oh, I didnt realise you talked about re-using DH components. Ok, in that
>>>  case it makes sense but you might want to say it only applies to those
>>>  who re-use DH calculations between different IKE peers. Our software
>>>  never does that (and I think FIPS also puts additional constraints on
>>>  this)
>>
>> No, it is not about re-using DH private key with different peers. I probably 
>> poorly explained. Let me try again.
>>
>> Once the IKE_SA_INIT is complete the responder has all needed data
>> to calculate SKEYSEED and SK_* keys. However, it is a CPU consuming
>> operations, so the responder may want to postpone them until the keys are
>> really needed, i.e. until it receives the IKE_AUTH request from the 
>> initiator.
>> This behaviour allows responder not to waste resources in case IKE_SA_INIT 
>> was from an attacker and IKE_AUTH request never comes. 
>> Once IKE_AUTH request arrives the responder performs DH, calculates SKEYSEED 
>> and SK_* keys that allows him to decrypt and verify this request. In case it 
>> fails
>> to decrypt IKE_AUTH request, the responder has two possibilities - keep just 
>> calculated SK_* keys until the next (hopely proper) IKE_AUTH
>> request is received or discard them (e.g. to save crypto resources) and
>> recalculate them again once the next IKE_AUTH request is received (note
>> that re-calculating will result in EXACTLY the same keys, since they don't
>> depent on any data from IKE_AUTH). The draft recommends to keep the keys 
>> until the proper IKE_AUTH request is received (or until the exchange timed 
>> out). This advise may look obvious, but I think is still worth to mention.
>>
>> I recall we've already discussed this while reviewing the -05 version...
> 
> Ohh okay. I vaguely remember. I guess reading this explanation, I would
> say it should not be needed to mention it in this document, but it you
> want to do it anyway, how about:
> 
> OLD:
> 
> Depending on the Responder implementation, this can be repeated with
> the same half-open SA.
> 
> NEW:
> 
> If a Responder does not hold on to the calculated SKEYSEED and SK_*
> keys (which it should in case a valid IKE_AUTH comes in later) this
> attack might be repeated on the same half-open SA.

OK.

>>>  This does not so much relate to IPv6 but to whether you rather
>>>  overestimate or underestimate the attacker's IP space. If you
>>>  underestimate, you will take longer to punish the attacking IPs. If you
>>>  overestimate you will needlessly slow down legitimate clients.
>>>
>>>  I don't know which of the two is better, hence my objection to "it makes
>>>  sense" because I don't see that.
>>
>> What's your suggestion for this text? Just remove "it make sense" or 
>> completely rewrite the para? If the latter, please provide the text.
> 
> Something like:
> 
> For IPv6, ISPs assign between a /48 and a /64, so it does not make sense
> for rate-limiting to work on single IPv6 IPs. Instead, ratelimits should
> be done based on either the /48 or /64 of the misbehaving IPv6 address
> observed.

OK.

>>> > >      When the Responder is under attack, it MAY choose to prefer
>>> > >      previously authenticated peers who present a Session Resumption
>>> > >      ticket (see [RFC5723] for details).
>>> > > 
>>> > >   Why is this only a MAY? Why is it not a SHOULD or MUST?
>>> > 
>>> >  A good question. I think the idea was not to force the Responder
>>> >  to serve only resumed clients and to let him(her) prioterize
>>> >  clients according to its own policy. In my opinion MUST is too strong, 
>>> >  but SHOULD is probably OK.
>>>
>>>  In the famous words of Steve Kent, if you say SHOULD instead of MUST,
>>>  explain when the Responder should not.
>>
>> When it has good reasons :-)
>>
>> Seriously, consider the situation when the responder finds itself
>> under attack and switches to only respond to IKE_SA_RESUME
>> requests. In this case it will leave legitimate clients without
>> resumption tickets (e.g. ticket expired) out of scope. 
>> I think there is no reasom to put MUST here, since in any case
>> it is a local policy which dictates the responder's behaviour,
>> and ther are no interoperability issues whether is is MAY, SHOULD or MUST, it 
>> is just the responder's local policy matter.
>> So SHOULD is just good advise.
> 
> Actually, what you are describing is something else:
> 
> When the Responder is under attack, it MUST NOT prefer previously
> authenticated peers who present a Session Resumption ticket [RFC5723]
> as that could cause a complete lock-out of legitimate clients that
> have no session to resume.
> 
> Although that is probably better rewritten a bit:
> 
> When the Responder is under attack, it SHOULD prefer previously
> authenticated peers who present a Session Resumption ticket [RFC5723]
> unless the attack itself consists of sending bogus resumption requests,
> in which case it SHOULD treat resumption and new session requests
> equally to avoid locking out a class of legitimate clients.

I'd rather change it a bit:

    When the Responder is under attack, it SHOULD prefer previously
    authenticated peers who present a Session Resumption ticket [RFC5723].
    However, the Responder SHOULD NOT swich to resumed clients
    completely (and thus refuse every IKE_SA_INIT request),
    so that legitimate initiators without resumption tickets still have 
    chances to connect.

>>>  That also
>>>  avoids what to do when rekey's happen because that would likely reset
>>>  the counter because it is a new state?
>>
>> Well, I think the proper approach is to measure the rate of such
>> exchanges (per SA or course). So, just reset the counter every second and 
>> measure how many exchanges happened within
>> the second. If the number looks abusive, take measures.
> 
> From our implementation point of view "per SA" is difficult, because we
> delete failed SA states, and then lose the count of those. So in that
> sense, using global counters makes more sense. For us, a rekey means
> that the old state is replaced with a new state.

I don't see any problem here. We are talking not about failed exchanges
(after which the SA must be deleted), but about an abusive number of 
unnecessary exchanges, which are successful from IKEv2 point of view.
You can very well count their number per SA and it is not a big deal
to reset counters when IKE SA is rekeyed.

> so perhaps it is useful to elaborate a little more?

Isn't all this a local matter of implementation?
I don't think we need to mandate how implementations
decide whether they are under attack. 

> Paul

Regards,
Valery.

v2.23.0 | Report a Bug | By Email