IETF Logo Mail Archive

Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

"touch@strayalpha.com" <touch@strayalpha.com> Wed, 01 June 2022 14:42 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 328CBC14F6E5; Wed, 1 Jun 2022 07:42:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.328
X-Spam-Level:
X-Spam-Status: No, score=-1.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e8hsLXv-X4W3; Wed, 1 Jun 2022 07:42:40 -0700 (PDT)
Received: from server217-1.web-hosting.com (server217-1.web-hosting.com [198.54.114.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BEC5C14F692; Wed, 1 Jun 2022 07:42:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=RsSA3LWOuboVObY/7VSD3VV8z1HwysmdWYA+xvFwTm4=; b=QUBIxrgwgBmHcyKgJWW4dXbn3J L56nmv1ja0fP5oKLWEh1LT6FxehQqUxtAmAjnElgE/lvhU6oPwaiaWCjE9Qtgc/6BSYZsfjzp331Q ohpBeBUOCIkVfeYc4PXW1FmZ/BMyh3+NDF0QetcdvUDmAgyJfJI4LXElPZiM4XXAodt2oF3w0npY5 0AgpLwxl6bYsaLte5YiJiUzn9+umtscpCr2zBkwp8eQfifl8WqNs4Vzb+Kt7+WofkLZ/zhsLgXHhj rJQwFyGqyxsu/cjES9XOFJUrtJn2josQ2xeG04KV7Y/YdoptjQROsFcxWo4voLrkj1kDJWfvzgSLB VP+Rgqrg==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:50274 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <touch@strayalpha.com>) id 1nwPYQ-009JxZ-58; Wed, 01 Jun 2022 10:42:39 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_4C1B8FF2-B1C5-4AE9-BEC2-00E9114EB2F7"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <0b4301d875b9$ae525320$0af6f960$@elvis.ru>
Date: Wed, 01 Jun 2022 07:42:31 -0700
Cc: Tero Kivinen <kivinen@iki.fi>, Christian Huitema <huitema@huitema.net>, secdir@ietf.org, draft-ietf-ipsecme-rfc8229bis.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
Message-Id: <C215CCAA-62D6-4C8D-88A1-248D17AB7E54@strayalpha.com>
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com> <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru> <25237.6715.619617.181961@fireball.acr.fi> <08f501d874df$90e95750$b2bc05f0$@elvis.ru> <25238.13419.293263.562580@fireball.acr.fi> <0a1601d8750e$051083f0$0f318bd0$@elvis.ru> <25239.24036.317688.539399@fireball.acr.fi> <0b4301d875b9$ae525320$0af6f960$@elvis.ru>
To: Valery Smyslov <svan@elvis.ru>
X-Mailer: Apple Mail (2.3696.100.31)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/BNU1Psou1hAtohyy5cGQ2JB2jBo>
Subject: Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jun 2022 14:42:44 -0000

Hi, all,

Overall, it seems sufficient to:

- highlight how much more vulnerable this tunnel makes IPsec to DOS attacks
	i.e., that single packets can cause the entire connection to need to be reset

- indicate that there IS a way to avoid that hit by re-syncing
	the sync requires a scan, but that in some cases such a scan can be more 
	efficient in than starting a new connection, although it does mean that such 
	an attack may be more likely moving forward (note: restarting a connection
	might provide useful information to an attacker, where continuing may hide
	the impact of such an attack too, so resync has cons and pros).

	You can also note that there are ways to mitigate the cost of resync when
	this implementation is tightly coupled with TCP, e.g., by ensuring every Nth
	IPsec packet starts at the beginning of a new TCP packet.

Joe

—
Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

> On Jun 1, 2022, at 6:15 AM, Valery Smyslov <svan@elvis.ru> wrote:
> 
> Hi Tero,
> 
>>> Thinking a bit more about the problem:
>>> - IPsec stream consists mostly of random data (as result of
>>> encryption) with uniform distribution
>>> - if an attacker manages to overwrite a single Length field, then
>>> the beginning of the next packet (including the next Length field)
>>> will be this random data
>>> 
>>> So:
>>> - with probability 1-1/2^32 all subsequent packets will be treated
>>> as ESP packets, and not as IKE packets (the probability for
>>> non-ESP marker to be non-zero)
>>> - the "SPIs "of these "ESP" packets will be random, so unless the
>>> receiver has very large number of active ESP SAs (say > 2^31),
>>> these "SPIs" will be unknown to the receiver
>>> 
>>> So, it's enough to check whether the SPI of the received ESP packet is valid.
>>> This is a simple check that will work in most cases. If an SPI is invalid,
>>> the receiver should immediately reset TCP connection. I think that
>>> receiving a single invalid SPI is enough reason to do this, since
>>> this should never happen in normal conditions.
>> 
>> The draft already covers most of these cases in section 7.1:
>> 
>>    	  	  	 If either the TCP Originator or TCP
>>   Responder detects corruption on a connection that was started with a
>>   valid stream prefix, it SHOULD close the TCP connection.  The
>>   connection can be determined to be corrupted if there are too many
>>   subsequent messages that cannot be parsed as valid IKE messages or
>>   ESP messages with known SPIs, or if the authentication check for an
>>   ESP message with a known SPI fails.  Implementations SHOULD NOT tear
>>   down a connection if only a single ESP message has an unknown SPI,
>>   since the SPI databases may be momentarily out of sync.
>> 
>> We might want to expand the "detects corruption" a bit more, i.e., add
>> explict sentence about length fields getting messed up and need for
>> resync causing this corruption.
> 
> I don't think this is needed. The corruption of Length field can only be determined
> indirectly by receiving invalid SPIs or failures to validate ICV, which are already mentioned.
> 
>> Also as was pointed out by you in the other parts of the thread, there
>> is a way to resync, by searching known spi + sequence number in window
>> from the stream (this gives us about 56 bits to check against). After
>> we find such candidate framing, we can check the length before, and
>> validate ICV. If ICV matches, we know this is valid packet, and we can
>> resync, of not, we can either search again, or simply close the TCP
>> stream.
>> 
>> On the other hand I do not think resync is needed in practice, but I
>> do not want to forbid by mandating that peer must tear down TCP
>> immediately when it receives unknown SPI, or has mismach between IKE
>> SA header length field and TCP stream length fields.
>> 
>> So I think we should add text explaining that implementation can try
>> to resync by by searching valid length + SPI + Sequence number + ICV
>> combination from the stream, or it can simply restart the TCP stream
>> (if it is TCP Originator, or it can close the TCP stream if it is TCP
>> Responder).
>> 
>> Then we can add text in security consideration section explaining this
>> bit more (you already had candidate text for that).
> 
> I still think that it's better to put the text about resync into the Security considerations.
> I think this method is specific for Length corruption which most probably
> will happen as a result of injection attack. So, the new para in the Security
> considerations would look like:
> 
>   If an attacker successfully mounts an injection attack on a TCP
>   connection encapsulating IPsec traffic, and a Length field in the TCP
>   stream is changed as a result of this attack, then the receiver in
>   most cases will not be able to correctly identify the boundaries of
>   the following packets in the stream, because it will try to parse an
>   arbitrary data (the result of encryption) as ESP (or IKE) header.
>   This will fail and for this reason all the following packets will be
>   dropped.  Eventually the situation should self-recover, but it may
>   take several minutes and may result in IKE SA deletion and re-
>   creation.  To speed up the recovery implementations are advised to
>   follow recommendations in Section 6.1 and to reset TCP connection in
>   case incoming packets contain an ESP SPI which doesn't correspond to
>   any incoming ESP SA they have.  Once the TCP connection is reset it
>   will be re-created by TCP Originator as described in Section 6.1.
>   Alternatively, implementations MAY try to re-sync after they received
>   unknown SPI by searching the TCP stream for a 64 bit binary vector
>   consisting of a combination of some SPI they know (first 32 bits) and
>   a valid (E)SN for this SPI (another 32 bits) and try to validate the
>   ICV of a packet candidate taking the preceding 16 bits as a Length
>   field.  They can also search for 4 bytes of zero (non-ESP marker)
>   followed by 128 bits of IKE SPIs of IKE SA associated with this
>   stream and try to validate ICV of this IKE message candidate taking
>   the preceding 16 bits as a Length field.
> 
> Regards,
> Valery.
> 
> 
>> --
>> kivinen@iki.fi
> 
> -- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call

v2.23.0 | Report a Bug | By Email