IETF Logo Mail Archive

Re: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-protection-05.txt

"Valery Smyslov" <svanru@gmail.com> Mon, 28 March 2016 15:21 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EA4312DAA0 for <ipsec@ietfa.amsl.com>; Mon, 28 Mar 2016 08:21:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.93
X-Spam-Level:
X-Spam-Status: No, score=-1.93 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lB_-IlxRnaQj for <ipsec@ietfa.amsl.com>; Mon, 28 Mar 2016 08:21:41 -0700 (PDT)
Received: from mail-lb0-x236.google.com (mail-lb0-x236.google.com [IPv6:2a00:1450:4010:c04::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC44712D966 for <ipsec@ietf.org>; Mon, 28 Mar 2016 08:19:37 -0700 (PDT)
Received: by mail-lb0-x236.google.com with SMTP id vo2so31033411lbb.1 for <ipsec@ietf.org>; Mon, 28 Mar 2016 08:19:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-transfer-encoding; bh=ejEk2/xj293O+MRwnqKwjUERoVCGMKIH/mGg6DEQ8PA=; b=xVTZbbCfa1GanMRZO0+Kzf6Rpq5WwryIM1+w7P8buVgg96jHyoeEm5se3mWnt0efNf xOVBA1FMw70G7GdxpLwcX609DsbXFZMfgy9fiBGghe4FVO7ydrl/UfuhAZgLJZvVTzVq xn1670or0VS/y6dE1G/iJXA+Zj6pWAVrxTafdXblWZBfvTmT/7NP0jOTNbL7YhszqVVw E5XRzPLI18yxGwvwtliLdoiDdrrU1rOCn269092+NCaOcM1ZD3+DLUBVPtEzpgcvbelI 6axSIEv/CEBTyxu1I+ILBDoejVTf+JlYkt6s31pMoU8r7BThh+O+VLbjpzIXQ/jk5Kq+ zngA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:cc:references:subject:date :mime-version:content-transfer-encoding; bh=ejEk2/xj293O+MRwnqKwjUERoVCGMKIH/mGg6DEQ8PA=; b=gHvdFFdPUNLs5YDdZ0J1bxx1FsIakGVdA8ZpfURYaDg/GpV0ial88RSItiC0r+uPeF df6+a9CnqeCy1WkQyPnt5RzbxV2eADm+v9TAUhe5SHcNlxLM7Xh9A+v8DIiOfWTZRbLM IdM4ohJzfi8A+//1vT2AqzcxlLINGts+3jnx234Nw3TMyYFOJyBPBWxcYwO3qn/+VpaM t60S5otvlKQR8lPbZR+S3dSBU5cfJfPYrqwiokLaLJqes22CW0qz2KxJwdaTg+Wo/FQ3 /wYaUsuXMg8sGJRtfOWi6aKHP2m8BBSg5nFghj24ADERCXwk0ome3kX/FYBOOxYHV0r0 09gQ==
X-Gm-Message-State: AD7BkJJAwalGjQKWxsReYWOwF6ZBtL4oTFenX6VMKclgBvs+AiwlsIWKNKHjOlH0SbQacQ==
X-Received: by 10.112.125.201 with SMTP id ms9mr10407209lbb.141.1459178376000; Mon, 28 Mar 2016 08:19:36 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id i2sm4504162lfd.43.2016.03.28.08.19.34 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 28 Mar 2016 08:19:35 -0700 (PDT)
Message-ID: <8D8EBD80E21449B0838FA6562F195411@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Paul Wouters <paul@nohats.ca>
References: <20160321201328.12185.28466.idtracker@ietfa.amsl.com> <alpine.LFD.2.20.1603212023560.16028@bofh.nohats.ca> <3A97CB619AEA41FE9EE901AF4FAF45CA@buildpc> <alpine.LFD.2.20.1603271303400.15492@bofh.nohats.ca> <22A743E8E50E402EBD698E354719C11C@buildpc> <alpine.LFD.2.20.1603281044420.1552@bofh.nohats.ca>
Date: Mon, 28 Mar 2016 18:19:30 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/SRvbHaKIOkKNVy0B98d1xZ-2324>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-protection-05.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2016 15:21:43 -0000

>> The text is not exactly about this. 
>> Once the responder sent IKE_SA_INIT response it is able to calculate SKEYSEED 
>> and SK_* keys. However, it is a good
>> idea not to do it immeditely, but instead wait for the IKE_AUTH request to 
>> come.
>> The reason is that in case IKE_AUTH request never came (attack, network 
>> problem etc.), the responder would not spent quite a lot of CPU resources 
>> calculating D-H shared secret.
> 
> If we assume cookies take care of spoofed IPs, then an attacker trying
> to waste the responders resources would exchange an IKE_INIT round,
> and then just send a bunch of IKE_AUTH packets (with proper SPIs) that
> all will fail to decrypt. The responder has to try all of them because
> it could be a legitimate client. So I'm not sure if you actually buy
> anything by postponing the SKEYSEED and SK_* calculation?

Postponing SKEYSEED and SK_* calculation saves your resources
if IKE_AUTH request never come. It can be if there are some network
problems (for example, the IKE_AUTH message is too long, get fragmented
by IP and dropped by NAT, and the initiator doesn't support IKE fragmentation)
or if the initiator never mind to send IKE_AUTH (i.e. it is an attack 
on half-open SAs, that could be even with cookies - in case of botnets).

>> However, in this case careless implementations could
>> discard the just computed SK_* keys if the IKE_AUTH request failes to 
>> decrypt.
> 
> Like I said, that would be _really_ stupid. So stupid that I don't think
> it needs to go into an RFC. As you have to protect against the attack
> I list above anyway.

Mostly yes. However in some cases it is not so stupid. If you do all crypto in hardware
and this hardware may handle limited number of key handles, then
you'd probably discard the keys in this case not to exhaust crypto HW memory.
In this case you'll recalculate them once new IKE_AUTH arrives.
This a tradeoff and the draft recommends (with SHOULD) to keep the keys.

>>>  See other discussions. We sadly have a strong demand by operational
>>>  people to have really short liveness timers. While as implementor, we
>>>  have refused < 1s, people often do use 1s timers as a way to do High
>>>  Availability. So I think the advise of limiting the number of allowed
>>>  responses for an IKE SA in general is dangerous. There are many
>>>  unexpected use cases.
>>
>> No, there is no advises to limit the number of responses.
>> There is an advice to delay responce in case of there are too
>> many requests in order to limit the rate of requests. If your implementation 
>> relies on an immediate reply and no packets loss, then don't follow this 
>> advice.
> 
> Can you at least put in a small note on the issue of liveness probes and
> the risk of delaying these? Eg a 3 probe, 1s each liveness would die in
> 3 seconds, which seems to be well within the range in which you say
> implementations could delay things.

OK.

Regards,
Valery.

v2.23.0 | Report a Bug | By Email