Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229bis
Paul Wouters <paul.wouters@aiven.io> Mon, 10 January 2022 14:58 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7603D3A11F9 for <ipsec@ietfa.amsl.com>; Mon, 10 Jan 2022 06:58:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iOaDkWSzbiJY for <ipsec@ietfa.amsl.com>; Mon, 10 Jan 2022 06:58:18 -0800 (PST)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAB763A11F6 for <ipsec@ietf.org>; Mon, 10 Jan 2022 06:58:17 -0800 (PST)
Received: by mail-ed1-x52d.google.com with SMTP id k15so54486022edk.13 for <ipsec@ietf.org>; Mon, 10 Jan 2022 06:58:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=fC2YDKEgrY5iAPNN5TN8G7azRRXJ9i2VJ5oxCXEvy2k=; b=Ol81BqAFIRp3Jqc8v+e4SOPcLXfvts2YdWjZOvNmfCM4HGAS6zddhkgleGUla0vC3f mSaa/yvXUG/hvf9xClFherNep/duxIotvcKUkNbZ/My6NqBaSAkJ2KJixm5jeRkl4I+o KjwP99K3IZXhvP9FRO5sLpbPhZvS+W4gPauDY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=fC2YDKEgrY5iAPNN5TN8G7azRRXJ9i2VJ5oxCXEvy2k=; b=y45VfmJCzoqCDvNQml3Dx/r8LbO0QDStu3OeEXSJaZsNc0OGs8WACF44ZYHZxKKJay OIxpBLxtVugUJB431jJnkX8xvwUD7JRzFWH0GL7nLSAammRc4i3RKVkmSYHuwONXbyz2 wm+NLS/T7J/XQxWIANoXTFc0eKZpQZ4bNT+ptIzmm0cGRjHTKU09wbBQBx1BJAMzA05C z/rc6m1orIU3whXXtIA3wtPsTpXUWRiSTdUyr0mLYuIArxAEo3JkfXy4L0XsyEiity7e WbVfJ+0aitI4a1mMa6NQNaNSLhN6sREVafVNMCOkj+p7z/UtwLPiiFzKGEdZ4TB0J8Pp BTOg==
X-Gm-Message-State: AOAM533FvIXZFFI53p+996KcDm3eITy6qRvOPRMxwyftnqUSjssCPH0L JJYEpXD+pLgVUoDmon/b9ebMlyC1h9nQf2J+PXk=
X-Google-Smtp-Source: ABdhPJzskf6ne9c6qiVRYUAwwFRZMw4gFg6HyIm5UFB4tt6Kd/rqQpSyRPFvwejt+bFCOUmGE9UbdA==
X-Received: by 2002:a17:906:3e8a:: with SMTP id a10mr111091ejj.612.1641826693976; Mon, 10 Jan 2022 06:58:13 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id e4sm2508068eje.103.2022.01.10.06.58.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Jan 2022 06:58:13 -0800 (PST)
Date: Mon, 10 Jan 2022 09:58:10 -0500
From: Paul Wouters <paul.wouters@aiven.io>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Tommy Pauly <tpauly@apple.com>
In-Reply-To: <026601d80627$55c05970$01410c50$@gmail.com>
Message-ID: <db1078ca-51ce-ad90-4869-6c7ae8cfe715@nohats.ca>
References: <acea85f6-1c72-3b79-a7f6-d4c234b9e7c@nohats.ca> <026601d80627$55c05970$01410c50$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/J7IAXn5Cd48rm7aD6x7ZeCuo0Cw>
Subject: Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229bis
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jan 2022 14:58:23 -0000
On Mon, 10 Jan 2022, Valery Smyslov wrote: >> I am not sure this is a good idea. Tearing down and requiring a new 3way >> handshake just to deliver the cookie seems useless. What is wrong with >> using the existing TCP stream to reply? > > The responder does use an existing TCP connection to reply, > but once it replies with cookie request, it should close this connection. > If it keeps this connection, then it keeps TCP state until the client > resends IKE_SA_INIT request (if ever) and thus thwarts the idea of being stateless. > > This is probably not so important for cookies, because the client > has already proved during TCP handshake, that its IP is a real IP address, > but it is more important in case of puzzles. But in both cases > I think that keeping responder stateless is a good idea. Yes, stateless is good in those cases, but reality is we already used state to setup the TCP connection. So why drop all that state now. It is in a way too late for the "state creation savings". Instead, you are now creating _more_ work for a server that might be under a DoS attack. >> This might also make the code more complex, as currently, the TCP state >> is kept during the entire negotiation. > > No, RFC 8229 allows the responder to close TCP session at any time (Section 6). > Moreover, an attacker may reset TCP connection on its will. > In this case the TCP originator would restore it. So, no additional code complexity, > you must already be able to handle this situation. That's fair. I guess I have to test this on our code base :) >> Additionally, a NAT router could give the client a different IP address >> for a new TCP stream, making the COOKIE invalid. > > Yes, it is possible and this situation is covered in the draft. > But if we choose between keeping the responder stateless and > the possibility of occasional failure of cookie verification, > I'd choose the former as more important. I am choosing the other way around :) > I think we can slightly change this recommendation: > > o if the Responder chooses to send Cookie request (possibly along > with Puzzle request), then the TCP connection that the IKE_SA_INIT > request message was received over SHOULD be closed after the Responder sends its reply > and no repeated requests are received within some short period of time, so that the > Responder remains stateless. Note that if this TCP connection is > closed, the Responder MUST NOT include the Initiator's TCP port > into the Cookie calculation (*), since the Cookie will be returned > over a new TCP connection with a different port. > > Does it address your concern? I don't really see much difference. If the attacker can setup a TCP session, surely it can write 15 lines of python to replay the cookie back as well. The question is really whether the responder under attack is better of not needing as many TCP 3way handshakes versus keeping some state. Since the document says to basically ignore cookies as much as possible, it seems inline to just keep the TCP connection. >> Thus, in case of TCP encapsulation, an Initiator SHOULD NOT wait for >> additional messages in case it receives error notification from the >> Responder in the IKE_SA_INIT exchange. >> >> This is true, but the code handlling this might not be aware of the >> transport used. I'd rather see "an Initiator MAY skip the waiting time >> for additional messages" so that this advice becomes "a good idea" and >> not a "RFC violation" if not done. > > Hmm, I think that "SHOULD NOT wait" leaves you a possibility to wait > if you have good reasons for it, without being accused in "RFC violation" :-) > > I have no problems with MAY in general, but I think that it's better > to encourage implementers to make this optimization > (which MAY does not). I'm looking at the damage here. There is again no good reason to tear down the TCP connection for an INVALID_KE, so why tell implementations to do that. Even if simple implementations might do that just because that's how they do it for UDP (kill entire exchange, start a fresh one) But I'd like to see us re-using the same TCP when receiving INVALID_KE, even if it was only for the reduced latency of another 3way handshake. >> Implementations that implement >> both MOBIKE and TCP encapsulation MUST support dynamically enabling >> and disabling TCP encapsulation as interfaces change. >> >> I'm not sure of the MUST here. Nice for sure, but perhaps the >> implementation supports MOBIKE or TCP and not both at once ? >> Perhaps restate as "if MOBIKE and TCP encapsulation are allowed for a >> configuration, the implementation MUST support ...... > > OK. So, the text would look like: > > Implementations that implement both MOBIKE and TCP > encapsulation and both are allowed for a configuration > MUST support dynamically enabling and disabling TCP > encapsulation as interfaces change. sure, just slightly different start: Implementations that implement both MOBIKE and TCP encapsulation within the same connection configuration MUST .... >> In case of TCP the NO_NATS_ALLOWED >> notification SHOULD be ignored because TCP generally has no problems >> with NAT boxes. >> >> I would re-state it as: >> >> In case of TCP the NO_NATS_ALLOWED notification MUST be ignored. >> >> Although, re-reading why NO_NATS_ALLOWED was introduced, I think in >> general this payload should be retired entirely, both for UDP and TCP. >> (disclosure: libreswan completely ignores it) > > I think "MUST be ignored" is quite a radical change to RFC 4555. > I prefer the current text since it leaves a possibility to not ignore > this notification , thus be compliant with RFC 4555. Otherwise > we would need to update it with this draft... Fair enough. >> 8.3. IKEv2 Session Resumption >> >> This section says that if a TCP encap session was suspended, that the >> client MUST use TCP to resume this. I don't understand why. It is likely >> that a resuming client has moved networks, and might be on a network >> that would properly support ESP or ESPinUDP. The resumption is really >> mostly meant to skip over DH and AUTH phases as these are costly. I see >> no reason to tie the transport to this. If I missed a valid reason >> for this to be needed, clarify what needs to happen when the server no >> longer can or wants to resume the session. Does the client close the TCP >> and go back to UDP? > > I believe you are correct. The idea was to speed up SA resumption > (we know that this responder didn't support UDP, but worked with UDP), > however you are right that the situation may change. > > So the correct recommendation for the client would be - act as if this is the IKE_SA_INIT exchange. Yes, perfect. Paul
- [IPsec] Review of draft-ietf-ipsecme-rfc8229bis Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Tero Kivinen
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Tero Kivinen
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-rfc8229b… Paul Wouters