Re: [IPsec] Security consideration for DTLS: Adversarial packet loss/reordering

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 11 February 2011 21:05 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=wcDsi3NFepjRZCZDy9MOj2cpiAD/ZZjSlQYXjvWllrlV3kN3vS4hLhjxkfW+SXDm4x YyaE6I0GlmaCjqhzwiy223bZFyJLkNWa3sl+YYjALf3G4ZxwIB8j56DNYU7Sm6JPa05B nkYb4X/7PTjoVvo8nOLQ9xrg1m1UOUzzQANSc=
Message-ID: <4D55A4A2.7020900@gmail.com>
Date: Fri, 11 Feb 2011 23:05:38 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: tls@ietf.org
References: <mailman.2682.1297453737.4701.tls@ietf.org>
In-Reply-To: <mailman.2682.1297453737.4701.tls@ietf.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Security consideration for DTLS: Adversarial packet loss/reordering
Precedence: list

Hi Steve,

[Cross-posted to ipsecme]

I have always wondered about these sequence numbers, and the concept of 
anti-replay in IPsec.

- IPsec is architecturally a "plug-in replacement" for IP. And IP allows 
for arbitrary packet deletion, duplication and reordering.
- Anti-replay counters are giving us no end of trouble in clustered 
environments (e.g. 
http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-ipsecha-protocol/).
- IPsec (unfortunately) does not have an application API, at least in 
most implementations. Such an API might indeed have put this feature to 
good use.
- And lastly, IPsec anti-replay is optional, which signifies to me that 
it's always been an iffy feature.

I have looked at RFC 4301 again (the IPsec architecture), and it 
provides only weak justification for this feature. Can you please point 
me to a more convincing reasoning?

Thanks,
	Yaron

> ------------------------------
>
> Message: 2
> Date: Thu, 10 Feb 2011 19:51:08 -0500
> From: Steven Bellovin<smb@cs.columbia.edu>
> Subject: Re: [TLS] Security consideration for DTLS: Adversarial packet
> 	loss/reordering
> To: Eric Rescorla<ekr@rtfm.com>
> Cc: Paul Hoffman<paul.hoffman@vpnc.org>, tls@ietf.org
> Message-ID:<DE870EA2-AB00-48E8-B9D6-D711569F7C1C@cs.columbia.edu>
> Content-Type: text/plain; charset=us-ascii
>
>
> On Feb 10, 2011, at 3:03 21PM, Eric Rescorla wrote:
>
>> On Thu, Feb 10, 2011 at 12:03 PM, Eric Rescorla<ekr@rtfm.com>  wrote:
>>> On Thu, Feb 10, 2011 at 11:31 AM, Paul Hoffman<paul.hoffman@vpnc.org>  wrote:
>>>> On 2/10/11 9:49 AM, Matt McCutchen wrote:
>>>>>
>>>>> Here's an issue that might be worth adding as a security consideration
>>>>> in the next version of the DTLS specification.  It may affect IPsec too;
>>>>> I haven't looked into that.  Thoughts?
>>>>
>>>> I disagree with this suggestion, at least as it is proposed.
>>>>
>>>>> DTLS does not prevent an attacker from dropping or reordering records.
>>>>> Datagram applications are generally designed to tolerate random packet
>>>>> loss and reordering, but care must be taken to ensure that adversarial
>>>>> loss and reordering cannot break the desired higher-level security
>>>>> properties.
>>>>
>>>> That "care" sounds like it is care in the DTLS-using protocol, but no
>>>> suggestion is given how such a protocol can show care. This makes the
>>>> suggestion little more than "be careful", which is not useful.
>>>
>>> DTLS does deliver order information, of course. It just doesn't impose
>>> reordering.
>>>
>>> Perhaps the take-home for DTLS itself is that it would be nice if
>>> packets came with
>>> their sequence numbers attached.
>>>
>>
>> In the API, I mean.
>>
> Given the importance of sequence numbers for IPsec, I very much agree.
>
>
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb
>

Re: [IPsec] Security consideration for DTLS: Adve… Yaron Sheffer
Re: [IPsec] Security consideration for DTLS: Adve… Stephen Kent