Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06
Paul Wouters <paul@nohats.ca> Thu, 23 June 2016 02:20 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26B9712DEBB for <ipsec@ietfa.amsl.com>; Wed, 22 Jun 2016 19:20:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.526
X-Spam-Level:
X-Spam-Status: No, score=-2.526 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xEdn8ObxMCFy for <ipsec@ietfa.amsl.com>; Wed, 22 Jun 2016 19:20:56 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4B9D12DEBA for <ipsec@ietf.org>; Wed, 22 Jun 2016 19:20:55 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3rZlYm6y5gzlR; Thu, 23 Jun 2016 04:20:44 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id CO9RQwxUvIb8; Thu, 23 Jun 2016 04:20:43 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 23 Jun 2016 04:20:43 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 6998F3522C4; Wed, 22 Jun 2016 22:20:42 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 6998F3522C4
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 4E2074001693; Wed, 22 Jun 2016 22:20:42 -0400 (EDT)
Date: Wed, 22 Jun 2016 22:20:42 -0400
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <A6682BC2468947F1A1669A9B9D558BF5@buildpc>
Message-ID: <alpine.LRH.2.20.1606222214230.27151@bofh.nohats.ca>
References: <alpine.LRH.2.20.1605311635540.16809@bofh.nohats.ca> <4200F5373D5542C985F3D4C51609213C@buildpc> <alpine.LRH.2.20.1606022148040.23132@bofh.nohats.ca> <E61D75BBDD0F4A159352B3258BBAA7DE@buildpc> <alpine.LRH.2.20.1606031155230.11420@bofh.nohats.ca> <A6682BC2468947F1A1669A9B9D558BF5@buildpc>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/MV2T5c0ztuM5zWJWEj_l69mCST4>
Cc: ipsec@ietf.org, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2016 02:20:58 -0000
On Mon, 6 Jun 2016, Valery Smyslov wrote:
>> > When it has good reasons :-)
>> >
>> > Seriously, consider the situation when the responder finds itself
>> > under attack and switches to only respond to IKE_SA_RESUME
>> > requests. In this case it will leave legitimate clients without
>> > resumption tickets (e.g. ticket expired) out of scope. I think there is
>> > no reasom to put MUST here, since in any case
>> > it is a local policy which dictates the responder's behaviour,
>> > and ther are no interoperability issues whether is is MAY, SHOULD or
>> > MUST, it is just the responder's local policy matter.
>> > So SHOULD is just good advise.
>>
>> Actually, what you are describing is something else:
>>
>> When the Responder is under attack, it MUST NOT prefer previously
>> authenticated peers who present a Session Resumption ticket [RFC5723]
>> as that could cause a complete lock-out of legitimate clients that
>> have no session to resume.
>>
>> Although that is probably better rewritten a bit:
>>
>> When the Responder is under attack, it SHOULD prefer previously
>> authenticated peers who present a Session Resumption ticket [RFC5723]
>> unless the attack itself consists of sending bogus resumption requests,
>> in which case it SHOULD treat resumption and new session requests
>> equally to avoid locking out a class of legitimate clients.
>
> I'd rather change it a bit:
>
> When the Responder is under attack, it SHOULD prefer previously
> authenticated peers who present a Session Resumption ticket [RFC5723].
> However, the Responder SHOULD NOT swich to resumed clients
> completely (and thus refuse every IKE_SA_INIT request),
> so that legitimate initiators without resumption tickets still have
> chances to connect.
Ok, minor change:
When the Responder is under attack, it SHOULD prefer previously
authenticated peers who present a Session Resumption ticket [RFC5723].
However, the Responder SHOULD NOT serve resumed Initiators exclusively
because dropping all IKE_SA_INIT requests would lock out legitimate
Initiators that have no resumption ticket.
>> > Well, I think the proper approach is to measure the rate of such
>> > exchanges (per SA or course). So, just reset the counter every second
>> > and measure how many exchanges happened within
>> > the second. If the number looks abusive, take measures.
>>
>> From our implementation point of view "per SA" is difficult, because we
>> delete failed SA states, and then lose the count of those. So in that
>> sense, using global counters makes more sense. For us, a rekey means
>> that the old state is replaced with a new state.
>
> I don't see any problem here. We are talking not about failed exchanges
> (after which the SA must be deleted), but about an abusive number of
> unnecessary exchanges, which are successful from IKEv2 point of view.
> You can very well count their number per SA and it is not a big deal
> to reset counters when IKE SA is rekeyed.
I don't think you would want to reset the counters, but I know that our
implementation, which creates a new state object for the rekeyed state,
would lose information unless we specifically added code to copy those.
>> so perhaps it is useful to elaborate a little more?
>
> Isn't all this a local matter of implementation?
> I don't think we need to mandate how implementations
> decide whether they are under attack.
I agree, this discussion does not need to be in the document.
Paul
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Tero Kivinen
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Waltermire, David A. (Fed)
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- [IPsec] Review of draft-ietf-ipsecme-ddos-protect… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Paul Wouters
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov