IETF Logo Mail Archive

Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06

"Valery Smyslov" <svanru@gmail.com> Thu, 02 June 2016 14:57 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CA1712D1CD for <ipsec@ietfa.amsl.com>; Thu, 2 Jun 2016 07:57:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.93
X-Spam-Level:
X-Spam-Status: No, score=-1.93 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7o421GqFtYqS for <ipsec@ietfa.amsl.com>; Thu, 2 Jun 2016 07:57:50 -0700 (PDT)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 500B212D14D for <ipsec@ietf.org>; Thu, 2 Jun 2016 07:57:50 -0700 (PDT)
Received: by mail-lf0-x22b.google.com with SMTP id b73so35782681lfb.3 for <ipsec@ietf.org>; Thu, 02 Jun 2016 07:57:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-transfer-encoding; bh=RxjoGHPoeW2PTA5fmKghSupMExRwJcQe9dr10LlCPAA=; b=bHMjf2/wSv4nOOabpBCzVVk7765zV185GY7X5taxCglOW0lzQFFZP7hEOLso3HaW0n j8GJA7muxCmNJRGvlwBEC8A5KbDvjQMaGnPqp++9vmd0mXQt7pIRsAnixUlhfHnfFH8J rN3bMCxsaUyR3zLW+/eqZy8CITD7hXBtKkPlHXlZpBQNnjxCTtgM15gB14Iclr2h2pgY bOSOqWv86xdFV5KsVZVRCanFZbDDAb8sCatRp4sufgABRc+n0ofzl6m9oLFrgFnp3wi3 iqtL/C42NH71osQwm57LW54/lO/HnkatDH/ZKERSR5C9J7aUYdGl7A/u6nIsP2xulvJ/ 88mQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:cc:references:subject:date :mime-version:content-transfer-encoding; bh=RxjoGHPoeW2PTA5fmKghSupMExRwJcQe9dr10LlCPAA=; b=KONp9oJxYJTK9yNrenAmVWUV8CIeBNj+yOyBaCq3is5fvyo5a7P+u1un4/sYYQPrQF uQj5oHwzQ8ZjExFpM8wBvJymYCJA00gqZTw5QV4oFhqo+qhtBKqBc4vI0Ul7C6ayY2kY 37RTpvBmWIXZmb+oTFX1XA6amO5CvCkIRCKH263w8dJhV4bb+Sp8s6ROIXpkfsm1kbrd k64/QJGMVYEqG5bDsA6DrawPDGNfb+LdygsiHieFqFF0HfXw1uJRuvYw2QhX6J2e9lsz slro6VrdgZRWahrr93Yjc4qWS1t8duSY1YnSpKieZX7AweflHtGdiNWGU+S19Is67eLn doNg==
X-Gm-Message-State: ALyK8tIJmYCYSPwxs6HbPN70cmTDZQ+SsyOxQV2M3WX/YHjHaNmeispzicjChcSrGul8SQ==
X-Received: by 10.25.210.144 with SMTP id j138mr4243296lfg.77.1464879468322; Thu, 02 Jun 2016 07:57:48 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id g69sm4087638lji.20.2016.06.02.07.57.47 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 02 Jun 2016 07:57:47 -0700 (PDT)
Message-ID: <4200F5373D5542C985F3D4C51609213C@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Paul Wouters <paul@nohats.ca>, ipsec@ietf.org
References: <alpine.LRH.2.20.1605311635540.16809@bofh.nohats.ca>
Date: Thu, 02 Jun 2016 17:57:40 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/Y-kY8JLQoa4CmXwYEmRbBkdXxa0>
Cc: Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2016 14:57:53 -0000

Hi Paul,

thank you for the very thorough review (and especially - for the nits).

> This is a partial review of draft-ietf-ipsecme-ddos-protection-06
> up to Section 6. I hope to complete the rest in the next few days.
> 
> I think this document needs another revision before continuing.
> (and I would prefer it to be split in two)
> 
> Issues / Questions:
> 
>    An obvious defense, which is described in Section 4.2, is limiting
>    the number of half-open SAs opened by a single peer.  However, since
>    all that is required is a single packet, an attacker can use multiple
>    spoofed source IP addresses.
> 
> I am not sure why this is mentioned here in this way, because the attack
> of spoofed source IP is already handled effectively with DOS cookies. I
> think it is better to state "bot-nets are large enough that they have
> enough unique IP addresses" and avoid talking about spoofing in this
> section altogether.

Here are some general observations of IKEv2 vulnerabilities,
regardless of the existing and proposed defense mechanisms, 
which are described in subsequent sections.

>    Stage #3 includes public key operations, typically more than one.
> 
> It seems this sentence needs to say something that these operations are
> very expensive, similar to describing the "effort" in the previous
> sentences of stage #1 and stage #2.

OK. How about:

    Stage #3 may include public key operations if certificates are involved.
    These operations are often more computationly expensive than those 
    performed at stage #2.

>    It seems that the first thing cannot be dealt with at the IKE level.
>    It's probably better left to Intrusion Prevention System (IPS)
>    technology.
> 
> I would rewrite this more authoritively, and not use the word "seems"

OK. How about:

    If an attacker is so powerfull that it is able to overwhelm
    the Responder's CPU that deals with generating cookies,
    then the attack cannot be dealt with at the IKE level and
    must be handled by means of the Intrusion Prevention 
    System (IPS) technology.

>    Depending on the Responder implementation, this can be repeated with
>    the same half-open SA.
> 
> I don't think this "depends on the implemention". Since any on-path
> attacker can spoof rubbish, a Responder MUST ignore the failed packet
> and remain ready to accept the real one for a certain about of time. 

"Depending on the Responder implementation" means here that if 
along with discarding the failed packet the Responder also discards the 
computed SK_* keys, then it will need to re-calculate them again
when the next IKE_AUTH packet is received, so the attack can be
repeated. The SK_* keys don't depend on IKE_AUTH messages,
so in general there is no need to discard them even if the received
IKE_AUTH packet failed to decrypt properly, and the draft advises 
to keep them in this case. However, implementations may have 
good reasons to do this (e.g. to free hardware resources if 
crypto is performed in HW).

> And this also applies to this later section in the document:
> 
>    If the received IKE_AUTH message failed to decrypt correctly (or
>    failed to pass ICV check), then the Responder SHOULD still keep the
>    computed SK_* keys, so that if it happened to be an attack, then the
>    malicious Initiator cannot get advantage of repeating the attack
>    multiple times on a single IKE SA.

Please, see above.

Do you think more explanationa are needed here?

>    Retransmission policies in practice wait at least one or two seconds
>    before retransmitting for the first time.
> 
> I'm not sure if this is still true. Libreswan starts at 0.5s and doubles,
> and I know that iOS was faster too.

Well, there are different implementations and each has its own
retransmission policy. The Responder should take into account
the slowest sensible retransmission policy, which seems to be 
the one described in the draft.

Will the following text make you happy?

    Many retransmission policies in practice wait one or two seconds
    before retransmitting for the first time.

>    When not under attack, the half-open SA timeout SHOULD be set high
>    enough that the Initiator will have enough time to send multiple
>    retransmissions, minimizing the chance of transient network
>    congestion causing IKE failure.
> 
> I agree, but I'd like to note that this and the text just above mentioning
> "several minutes" is kind of archaic. We found a limit of 30 seconds on

That's what RFC 7296 recommends (Section 2.4).

> other implementations so common as a timeout, that we see no more value in
> keeping an IKE exchange around for more then 30 seconds. (we do re-start
> and try a new exchange from scratch for longer, in some configurations we
> try that forever)
> 
>    For IPv6, ISPs assign between a /48 and a /64, so it makes sense to use
>    a 64-bit prefix as the basis for rate limiting in IPv6.
> 
> Why does that make sense over using /48 ? Wouldn't you rather rate limit
> some innocent neighbours over not actually defending against the attack?
> If puzzles work as advertised, real clients on that /48 should still be
> able to connect.

Well, I'm not an IPv6 expert. Probably Michael Richardson (who suggested 
this change) or somebody else will comment on this.

>    Regardless of the type of rate-limiting used, there is a huge
>    advantage in blocking the DoS attack using rate-limiting for
>    legitimate clients that are away from the attacking nodes.  In such
>    cases, adverse impacts caused by the attack or by the measures used
>    to counteract the attack can be avoided.
> 
> I don't understand this paragraph at all. I guess "rate-limiting for
> legitimate clients" just confuses me. I think it might attempt to be
> saying "not blocking ranges with no attackers helps real clients", but
> it is very unclear.

Yoav?

>    to calculate the PRF
> 
> One does not "calculate" a PRF. One uses a PRF to calculate something.

OK.

> The section that starts with "Upon receiving this challenge," seems to
> be discussing the pros and conns of this method before it has explained
> the method. The reader is forced to skip this or forward to section 7
> and getting back to this part. I suggest to re-order some text to avoid
> this, or to give a better short summary of the puzzle nature just before
> this paragraph.

It describes the puzzles mechanism in general, while Sections 7 & 8
describe the particular instantiation of puzzles in IKEv2.
I'd rather to keep some background about puzzles here,
so that all possible defenses are described in one place.

>    When the Responder is under attack, it MAY choose to prefer
>    previously authenticated peers who present a Session Resumption
>    ticket (see [RFC5723] for details).
> 
> Why is this only a MAY? Why is it not a SHOULD or MUST?

A good question. I think the idea was not to force the Responder
to serve only resumed clients and to let him(her) prioterize
clients according to its own policy. In my opinion MUST is too strong, 
but SHOULD is probably OK.

>    The Responder MAY require such
>    Initiators to pass a return routability check by including the COOKIE
>    notification in the IKE_SESSION_RESUME response message, as allowed
>    by Section 4.3.2. of [RFC5723].
> 
> Perhaps this should say the responder SHOULD require COOKIEs for resumed
> sessions if it also requires COOKIEs for IKE_INIT requests. That is, it
> should not give preference to resumed sessions as those could be equally
> forged as IKE_INIT requests.

A good point. I tend to agree. Yoav?

>    With a typical setup and typical Child SA lifetimes, there
>    are typically no more than a few such exchanges, often less.
> 
> (ignoring the language) I do not believe this is true. This goes back to
> the discussion on how often people deploy liveness probes. Implementors
> seem to think 30s, while endusers want and do configure things like 1s.
> I don't think the text about the amount of IKE exchanges are typical
> are needed because the text below talks about specific abuse anyway,
> and not in terms of just number of exchanges.

Are you suggesting to remove it?

>       If the peer creates too many Child SA with the same or overlapping
>       Traffic Selectors, implementations can respond with the
>       NO_ADDITIONAL_SAS notification.
> 
> I think this requires normative language, eg: implementations MUST respond
> with a NO_ADDITIONAL_SAS notification. The same for the next bullet item
> where it says "implementations can introduce an artificial delay", which
> should be like: "MAY introduce an artificial delay" (or even SHOULD, or
> rewrite "too many" to "many" and use MAY)

I'd use MAY and keep "too many". "Too many" means here that 
a peer is at least misbehaved, while just "many" doesn't imply this
(in my reading).

> Section 5 switchs from talking about "the Responder" to "the implementation".
> I think it should be "the Responder" throughout the document.

OK.

>     the retransmitted messages should be silently discarded.
> 
> That should be normative too, MUST be discarded.

Agree.

I won't comment the nits.

Thank you,
Valery.

v2.23.0 | Report a Bug | By Email