IETF Logo Mail Archive

Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

Tero Kivinen <kivinen@iki.fi> Mon, 30 May 2022 19:25 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B3BBC15AAC8; Mon, 30 May 2022 12:25:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.986
X-Spam-Level:
X-Spam-Status: No, score=-3.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LBuFJnNQEteL; Mon, 30 May 2022 12:25:54 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D781C15AAFE; Mon, 30 May 2022 12:25:52 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 590CD1B000E0; Mon, 30 May 2022 22:25:48 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1653938748; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=DaVqxLMbMkfhLC/m8/q3FwTEBjC58X8XJg20nqkPb2A=; b=QAtQ56g35VG//9EOPLyweEaHh4SH5RjJ6OgI+Sw1SYRn5gnsnUnQQUmJYSoZAyLnksdknZ TQy7FPoJpXHT+Tz6wDrwdngaUAVwXY2qy6frIFZnrhc86CWA9UarO2pzJMgnzsIlGRKJIN F5rp7SO8tZKmBDGp0mnSukEO/eryLFHyR1BB55euL0p1NnAGh2f7aE8rupxoLQOyMWj7SQ Fi/zvwqmIet+gk4xKV6W0xB/TyiNFZS/rY19Bv1jrbn92JQx618/HTSqETAVQ/QzHAUARj F4vFxZFO5sBOZ3ahbMnPUGxnK6k6oDuO76sYghansANM2ReCLA72QMYY4yM13g==
Received: by fireball.acr.fi (Postfix, from userid 15204) id AD0D425C12E4; Mon, 30 May 2022 22:25:47 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25237.6715.619617.181961@fireball.acr.fi>
Date: Mon, 30 May 2022 22:25:47 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <svan@elvis.ru>
Cc: 'Christian Huitema' <huitema@huitema.net>, secdir@ietf.org, draft-ietf-ipsecme-rfc8229bis.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
In-Reply-To: <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru>
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com> <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 12 min
X-Total-Time: 17 min
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1653938748; a=rsa-sha256; cv=none; b=Chvt3/w3PcSZWmNW3/WvFyU+gTON9qnYrHixLsMbwgRBHy7jt08hWlm7UZ+BgxqtGWPcuZ pl6ZL9ElYteL/RK5NXxvvf15K8unisx+bnL7tv5ogw8bH/kD6Cm8/gj15WHtQTHr4VHXrk 5g70B7GKqMPCPo2AUNn2mmW+yGEmPZmna9qF0KJ9HNZOvi3uiUYxpWRRxEGA8MA79DweiV Wp45HofmXSskuHBTD3pYwh7pzU9NRncC341Oleaoxb9rfmYeDuZjGZXixhEeUUQ74Dl+9u RRZpry4mY/ZisWpzuEylqmE6CqBRK9DcsgRwFfi6ubAFbWWNUOGss5igeyFfQg==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1653938748; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=DaVqxLMbMkfhLC/m8/q3FwTEBjC58X8XJg20nqkPb2A=; b=IDmaao6SAmiYC8SDK5Yt0wXcyy99s7j8jbBNPlu4I+qmozhDRkB3xNn4RD7IZv299TF+68 BCYcMV4NBJIMLjIcsALLD8d7HQI9W9sqAxsnjtkgor5Bgib0WrvSpxYdaGWcaJfhqdYFmS NThCIm3WyILRq5SxR+y8aJR9ceoXoUbIMfLgQOMlTAVsyys3KNQ1xHSajWLec3iOgmxTtI UZnPKj6ATV1DgKij6KZUqI1JGchWNaUMph7PBZ7n7i7hrwIzQ4WpzCJnPY5+nHkyYmEjDZ Hr7OOg7bNMyyeiJGpU72T/XtlfurvWK2WMI0HjopEgQ8cKEhiIs9dvTxVqF5yA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/QUxAbgrix7PlCetSXyjTDk1k5DU>
Subject: Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 May 2022 19:25:55 -0000

Valery Smyslov writes:
> If the TCP connection is abandoned (for any reason) and the
> associated IKE SA is still up, then the IKE initiator will re-create
> it. So, it is not a big deal, but definitely can influence
> performance. On the other hand, an attacker who is able to alter the
> packets on the wire (TCP, UDP, any) can make IKE peers to tear down
> IKE SA (e.g. by spoiling every packet). So, I'm not sure using TCP
> gives significant advantages for an attacker here, in most cases it
> will result in DoS.

Actually just messing up any length octets on the wire will completely
mess up the packet structure, as there is no way of recovering that
except to tear down the TCP and start over, so this makes it easier to
attack than to attack against UDP.

For udp you would need to modify every single udp packet to cause them
to fail to authenticate. For tcp, you need to take single TCP packet,
and modify length bytes (for example simply flip one bit there), and
that will mess up the whole stream and most likely tear down the whole
IKE SA.

I.e., if you change the length bytes of 100 byte IKE packet to 200
bytes, then receiver will keep waiting until it has 100 extra bytes
after the IKE packet (from the next IKE or ESP packet in tcp tunnel),
and then try to parse the IKE packet and notices it is only 100 bytes
long (the authentication of the IKE packet will succeed, as it was not
modified, and the IKE packet has length inside, so it will know that
IKE packet was only 100 bytes long).

Now after that it will read two random bytes from the stream, and
assume they are then length field, and wait for that long and so on.
I.e., it will never really recover (except by accident).

Receiver can notice that, i.e., if it sees that there is extra data
after the IKE SA packet, or the length field of the TCP stream is less
than what is expected by the IKE packet, it knows something is wrong,
and can restart the TCP connection.

Detecting this on ESP packets is harder, but if the packets after the
length field does not look like ESP packet, then we know that
something is messed up and we need to restart the TCP stream.

And as others already pointed out, it is very easy to just send few
bytes in to the TCP stream, or just modify one frame by modifying the
length fields.

I think we need to add text explaining how to detect when the TCP
length framing gets messed up by attacks, and how to recover (i.e.,
close down the TCP channel and recreate the TCP channel). 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email