IETF Logo Mail Archive

Re: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-protection-05.txt

Paul Wouters <paul@nohats.ca> Mon, 28 March 2016 15:00 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22B6512DA86 for <ipsec@ietfa.amsl.com>; Mon, 28 Mar 2016 08:00:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.11
X-Spam-Level:
X-Spam-Status: No, score=-1.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12uWQqg5Ppyh for <ipsec@ietfa.amsl.com>; Mon, 28 Mar 2016 08:00:01 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB5E812DAAB for <ipsec@ietf.org>; Mon, 28 Mar 2016 07:57:57 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3qYcTZ6t2bzCJn; Mon, 28 Mar 2016 16:57:54 +0200 (CEST)
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id GbAMvMnQnhQm; Mon, 28 Mar 2016 16:57:54 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 28 Mar 2016 16:57:53 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 09DF760007EA; Mon, 28 Mar 2016 10:57:53 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 09DF760007EA
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 051B218D6F; Mon, 28 Mar 2016 10:57:53 -0400 (EDT)
Date: Mon, 28 Mar 2016 10:57:52 -0400
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <22A743E8E50E402EBD698E354719C11C@buildpc>
Message-ID: <alpine.LFD.2.20.1603281044420.1552@bofh.nohats.ca>
References: <20160321201328.12185.28466.idtracker@ietfa.amsl.com> <alpine.LFD.2.20.1603212023560.16028@bofh.nohats.ca> <3A97CB619AEA41FE9EE901AF4FAF45CA@buildpc> <alpine.LFD.2.20.1603271303400.15492@bofh.nohats.ca> <22A743E8E50E402EBD698E354719C11C@buildpc>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/QNRGJQjdRSjmN0CnlSDhN1ZWWdI>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-protection-05.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2016 15:00:03 -0000

On Mon, 28 Mar 2016, Valery Smyslov wrote:

[ cutting a bunch of text since we seem to just disagree about whether
  puzzles are harmful or helpful ]

>>  It is an (obvious) attack but not a DDOS attack. eg:
>>
>>  client    IKE_INIT Request          --->
>>                                      <--- IKE_INIT Response  server
>>  attaker   IKE_AUTH Request (bogus)  --->  [fails]
>>  client    IKE_AUTH Request          --->
>>
>>  I think any implementor should really already handle this case in
>>  general. Any failures of unauthenticated packets must be dropped
>>  and the timeout timer continued to wait for the legitimate response.
>>  That's a core part of the IKEv2 spec, so I don't think that needs
>>  to be repeated in this document.
>
> The text is not exactly about this. 
> Once the responder sent IKE_SA_INIT response it is able to calculate SKEYSEED 
> and SK_* keys. However, it is a good
> idea not to do it immeditely, but instead wait for the IKE_AUTH request to 
> come.
> The reason is that in case IKE_AUTH request never came (attack, network 
> problem etc.), the responder would not spent quite a lot of CPU resources 
> calculating D-H shared secret.

If we assume cookies take care of spoofed IPs, then an attacker trying
to waste the responders resources would exchange an IKE_INIT round,
and then just send a bunch of IKE_AUTH packets (with proper SPIs) that
all will fail to decrypt. The responder has to try all of them because
it could be a legitimate client. So I'm not sure if you actually buy
anything by postponing the SKEYSEED and SK_* calculation?

> However, in this case careless implementations could
> discard the just computed SK_* keys if the IKE_AUTH request failes to 
> decrypt.

Like I said, that would be _really_ stupid. So stupid that I don't think
it needs to go into an RFC. As you have to protect against the attack
I list above anyway.

>>  See other discussions. We sadly have a strong demand by operational
>>  people to have really short liveness timers. While as implementor, we
>>  have refused < 1s, people often do use 1s timers as a way to do High
>>  Availability. So I think the advise of limiting the number of allowed
>>  responses for an IKE SA in general is dangerous. There are many
>>  unexpected use cases.
>
> No, there is no advises to limit the number of responses.
> There is an advice to delay responce in case of there are too
> many requests in order to limit the rate of requests. If your implementation 
> relies on an immediate reply and no packets loss, then don't follow this 
> advice.

Can you at least put in a small note on the issue of liveness probes and
the risk of delaying these? Eg a 3 probe, 1s each liveness would die in
3 seconds, which seems to be well within the range in which you say
implementations could delay things.

> However, I think that if implementations cannot tolerate
> 2-3 sec delay to requests, then they cannot operate reliably.

I've had long frustrating discussions with Large Clients that run things
that need to failover/restart within seconds, using very flaky third
world networking, and insisting on liveness timers of 1s. It happens :/
Apparently, it is more reliable for them to restart than to wait 30 seconds.

>>  So you are saying basically that this text should have appeared in the
>>  AUTH NULL RFC, but didn't. 
>
> The more general text was included there (Section 3.2), and you were the 
> author :-)

Oh, I am very fallible :)

>>  Perhaps then a separate section for AUTH NULL
>>  clients could be put in this document, and then also let it update that
>>  RFC?
>
> I don't think the update is needed. RFC 7619 has already referenced
> this document (as a draft) and has warnings that NULL auth
> clients are unauthenticated and thus can mount various attacks.

Ohh, you are right. it does reference it already. Still, putting the
"updates" in might work because it will cause an "updated by" clause
to appear at the top of 7619, so people are more convinced they need
to also read this document. But I'll let the chairs weight in on this.

Paul

v2.23.0 | Report a Bug | By Email