Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06
Paul Wouters <paul@nohats.ca> Thu, 23 June 2016 02:20 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26B9712DEBB for <ipsec@ietfa.amsl.com>; Wed, 22 Jun 2016 19:20:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.526
X-Spam-Level:
X-Spam-Status: No, score=-2.526 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xEdn8ObxMCFy for <ipsec@ietfa.amsl.com>; Wed, 22 Jun 2016 19:20:56 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4B9D12DEBA for <ipsec@ietf.org>; Wed, 22 Jun 2016 19:20:55 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3rZlYm6y5gzlR; Thu, 23 Jun 2016 04:20:44 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id CO9RQwxUvIb8; Thu, 23 Jun 2016 04:20:43 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 23 Jun 2016 04:20:43 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 6998F3522C4; Wed, 22 Jun 2016 22:20:42 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 6998F3522C4
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 4E2074001693; Wed, 22 Jun 2016 22:20:42 -0400 (EDT)
Date: Wed, 22 Jun 2016 22:20:42 -0400
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <A6682BC2468947F1A1669A9B9D558BF5@buildpc>
Message-ID: <alpine.LRH.2.20.1606222214230.27151@bofh.nohats.ca>
References: <alpine.LRH.2.20.1605311635540.16809@bofh.nohats.ca> <4200F5373D5542C985F3D4C51609213C@buildpc> <alpine.LRH.2.20.1606022148040.23132@bofh.nohats.ca> <E61D75BBDD0F4A159352B3258BBAA7DE@buildpc> <alpine.LRH.2.20.1606031155230.11420@bofh.nohats.ca> <A6682BC2468947F1A1669A9B9D558BF5@buildpc>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/MV2T5c0ztuM5zWJWEj_l69mCST4>
Cc: ipsec@ietf.org, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2016 02:20:58 -0000
On Mon, 6 Jun 2016, Valery Smyslov wrote: >> > When it has good reasons :-) >> > >> > Seriously, consider the situation when the responder finds itself >> > under attack and switches to only respond to IKE_SA_RESUME >> > requests. In this case it will leave legitimate clients without >> > resumption tickets (e.g. ticket expired) out of scope. I think there is >> > no reasom to put MUST here, since in any case >> > it is a local policy which dictates the responder's behaviour, >> > and ther are no interoperability issues whether is is MAY, SHOULD or >> > MUST, it is just the responder's local policy matter. >> > So SHOULD is just good advise. >> >> Actually, what you are describing is something else: >> >> When the Responder is under attack, it MUST NOT prefer previously >> authenticated peers who present a Session Resumption ticket [RFC5723] >> as that could cause a complete lock-out of legitimate clients that >> have no session to resume. >> >> Although that is probably better rewritten a bit: >> >> When the Responder is under attack, it SHOULD prefer previously >> authenticated peers who present a Session Resumption ticket [RFC5723] >> unless the attack itself consists of sending bogus resumption requests, >> in which case it SHOULD treat resumption and new session requests >> equally to avoid locking out a class of legitimate clients. > > I'd rather change it a bit: > > When the Responder is under attack, it SHOULD prefer previously > authenticated peers who present a Session Resumption ticket [RFC5723]. > However, the Responder SHOULD NOT swich to resumed clients > completely (and thus refuse every IKE_SA_INIT request), > so that legitimate initiators without resumption tickets still have > chances to connect. Ok, minor change: When the Responder is under attack, it SHOULD prefer previously authenticated peers who present a Session Resumption ticket [RFC5723]. However, the Responder SHOULD NOT serve resumed Initiators exclusively because dropping all IKE_SA_INIT requests would lock out legitimate Initiators that have no resumption ticket. >> > Well, I think the proper approach is to measure the rate of such >> > exchanges (per SA or course). So, just reset the counter every second >> > and measure how many exchanges happened within >> > the second. If the number looks abusive, take measures. >> >> From our implementation point of view "per SA" is difficult, because we >> delete failed SA states, and then lose the count of those. So in that >> sense, using global counters makes more sense. For us, a rekey means >> that the old state is replaced with a new state. > > I don't see any problem here. We are talking not about failed exchanges > (after which the SA must be deleted), but about an abusive number of > unnecessary exchanges, which are successful from IKEv2 point of view. > You can very well count their number per SA and it is not a big deal > to reset counters when IKE SA is rekeyed. I don't think you would want to reset the counters, but I know that our implementation, which creates a new state object for the rekeyed state, would lose information unless we specifically added code to copy those. >> so perhaps it is useful to elaborate a little more? > > Isn't all this a local matter of implementation? > I don't think we need to mandate how implementations > decide whether they are under attack. I agree, this discussion does not need to be in the document. Paul
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Tero Kivinen
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Waltermire, David A. (Fed)
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- [IPsec] Review of draft-ietf-ipsecme-ddos-protect… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov