IETF Logo Mail Archive

Re: [IPsec] IPsec Digest, Vol 123, Issue 21

Les Leposo <leposo@gmail.com> Sat, 16 August 2014 09:48 UTC

Return-Path: <leposo@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25FB21A8724 for <ipsec@ietfa.amsl.com>; Sat, 16 Aug 2014 02:48:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.155
X-Spam-Level: **
X-Spam-Status: No, score=2.155 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FU_ENDS_2_WRDS=0.255, J_CHICKENPOX_31=0.6, J_CHICKENPOX_41=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8rTnhi5S3Wqh for <ipsec@ietfa.amsl.com>; Sat, 16 Aug 2014 02:48:21 -0700 (PDT)
Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED481A8720 for <ipsec@ietf.org>; Sat, 16 Aug 2014 02:48:20 -0700 (PDT)
Received: by mail-we0-f181.google.com with SMTP id k48so3103770wev.26 for <ipsec@ietf.org>; Sat, 16 Aug 2014 02:48:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=etl+CyPaHoD+77nQ+qjTC5eRM2tiFEbCp9ahFAHB55U=; b=cfyFHv044JvmdC8L/tiFHiz/BnX4a51ZPkMOfR9Ccpt8j/FN5+SkRBZXDTwyANIwrp xntWYsL8YQnka+4f8jR+0Nw1RMbEclQ8AIJCl0u0SvPV9ot+eo0V7WRfvCqVy1FKGNow vjYPdtcJd+e/3RSPacmDaV4s5pVDiEfqhdusT8C3aQstW+4S9doQhgaLaxKpENS82xKp VTNovhnPx3f3ng5uIa9gwNf7xMIXeLOo+g8bPv8S19zklKvbUS4OwnhjBFY1tD9auVs6 +4PmtTAaR+6rRLtVPG6mCf4QH0wTWkNSCfpH5NuIEtMshgoA7FUACcMcsUVi28/0QR/C jtwA==
X-Received: by 10.180.206.38 with SMTP id ll6mr27221290wic.40.1408182499531; Sat, 16 Aug 2014 02:48:19 -0700 (PDT)
Received: from [192.168.0.17] ([197.237.48.207]) by mx.google.com with ESMTPSA id wr6sm25357324wjc.24.2014.08.16.02.48.17 for <ipsec@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 16 Aug 2014 02:48:18 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Les Leposo <leposo@gmail.com>
In-Reply-To: <mailman.4236.1406823571.13632.ipsec@ietf.org>
Date: Sat, 16 Aug 2014 12:48:13 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <A0463391-0BB4-408F-874B-A6B91ED6D102@gmail.com>
References: <mailman.4236.1406823571.13632.ipsec@ietf.org>
To: ipsec@ietf.org
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/a45yHcg-gV5nHfnLurzdQNSOm_o
Subject: Re: [IPsec] IPsec Digest, Vol 123, Issue 21
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Aug 2014 09:48:23 -0000

Hi

some points of discussion below.

On Jul 31, 2014, at 7:19 PM, ipsec-request@ietf.org wrote:

> Send IPsec mailing list submissions to
> 	ipsec@ietf.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://www.ietf.org/mailman/listinfo/ipsec
> or, via email, send a message with subject or body 'help' to
> 	ipsec-request@ietf.org
> 
> You can reach the person managing the list at
> 	ipsec-owner@ietf.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of IPsec digest..."
> 
> 
> Today's Topics:
> 
>   1. Re: Puzzles draft - another idea (Paul Wouters)
>   2. Re: Puzzles draft - another idea (Yaron Sheffer)
>   3. Confusion about NAT traversal in RFC5996 (Zhenjie Huang)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 30 Jul 2014 15:02:56 -0400 (EDT)
> From: Paul Wouters <paul@nohats.ca>
> To: Yoav Nir <ynir.ietf@gmail.com>
> Cc: ipsec <ipsec@ietf.org>
> Subject: Re: [IPsec] Puzzles draft - another idea
> Message-ID: <alpine.LFD.2.10.1407301457180.25462@bofh.nohats.ca>
> Content-Type: TEXT/PLAIN; charset=windows-1252; format=flowed
> 
> On Wed, 30 Jul 2014, Yoav Nir wrote:
> 
>> Suppose our half-open SA table can hold 100,000 entries and we clear them out after 10 seconds. That allows 10,000 entries per
>> second. More realistic number are 18 bits for the iPhone and 20 bits for the attacker, so to block out those iPhones, the attacker
>> would have to perform 10,000 * 2^20 SHA-256 hashes per second, or about 10 billion hashes. That?s about 400 server-class hardware
>> working full-time, or a 10,000-way botnet. The draft is all about increasing the work for the attacker, and I believe this is doing
>> it well. The baseline is sending 20,000 packets per second while only copying the cookie (no PK or hash operations at all).
>> 
>> It is possible to do as in the current draft, and set a single difficulty level (say, 18 bits). This allows the attacker a nice and
>> deterministic way to keep the half-open SA table full, which blocks out all clients, not just the iPhones.?
> 
> The iphone (which is only rumored to do IKEv2 with iOS8 likely to be
> released in September this year) currently has a
> terrible record of continuously re-establishing connections. Like
> whenever the screen saver hits it will tear down the tunnel. With
> an always-on profile, that means if I unblanc the screen, it will
> start a new IKE session.
> 
ikev2 "session resumption" promised some improvements over ikev1 - frankly that is part of the spec that needs to be 'MUST' and not 'SHOULD', for all servers.

> A scheme like this would drain the battery on top of the current
> re-establishing draining, that already prevents me from using an
> always-on profile - my iphone won't last for 4 hours.
> 
> Perhaps we should look at other types of puzzles that do not depend on
> raw CPU power?
Great question.

imho, if the hash calculations (and ike) are a big enough culprits, then perhaps the mobile SoC folks should consider bringing onboard IP that  accelerates/offloads the hash calculations (and other aspects of ike) to more energy efficient component/sub-system?

Or, a crazier idea... find ways to permit/standardise some types of cheating at the peers.
e.g. By allow "scripted/seeded" connections to be established and policed. i.e. peers are negotiating using a "scripted" sequence of nonces, hashes, e.t.c,
As follows:
- The client 1st connects to a trusted entity, gets the "script/seeds", which is also (concurrently) pushed down to the ikev2 server (may be the same machine). 
	- The peers need to store these "scripts/seeds" securely (i.e. sandboxing is a must).
	- The trusted entity needs to be very fast (probably with hardware acceleration) at generating these "scripts/seeds". Perhaps a new product category for servers.
- Then the client and server do the scripted dance all day - which is more energy efficient but results in a tunnel should be policed (as less secure than "unscripted" connections).

some $.02

> 
> Paul
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 30 Jul 2014 12:12:20 -0700
> From: Yaron Sheffer <yaronf.ietf@gmail.com>
> To: Yoav Nir <ynir.ietf@gmail.com>
> Cc: ipsec <ipsec@ietf.org>
> Subject: Re: [IPsec] Puzzles draft - another idea
> Message-ID: <53D94394.10703@gmail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> Makes sense to me.
> 
> 	Yaron
> 
> On 07/30/2014 11:45 AM, Yoav Nir wrote:
>> Hi, Yaron
>> 
>> Suppose our half-open SA table can hold 100,000 entries and we clear
>> them out after 10 seconds. That allows 10,000 entries per second. More
>> realistic number are 18 bits for the iPhone and 20 bits for the
>> attacker, so to block out those iPhones, the attacker would have to
>> perform 10,000 * 2^20 SHA-256 hashes per second, or about 10 billion
>> hashes. That?s about 400 server-class hardware working full-time, or a
>> 10,000-way botnet. The draft is all about increasing the work for the
>> attacker, and I believe this is doing it well. The baseline is sending
>> 20,000 packets per second while only copying the cookie (no PK or hash
>> operations at all).
>> 
>> It is possible to do as in the current draft, and set a single
>> difficulty level (say, 18 bits). This allows the attacker a nice and
>> deterministic way to keep the half-open SA table full, which blocks out
>> all clients, not just the iPhones.
>> 
>> Yoav
>> 
>> On Jul 30, 2014, at 6:40 PM, Yaron Sheffer <yaronf.ietf@gmail.com
>> <mailto:yaronf.ietf@gmail.com>> wrote:
>> 
>>> Hi Yoav,
>>> 
>>> this is a nice idea, but I think it actually performs worse than the
>>> baseline.
>>> 
>>> With the previous solution all clients had to expend the same number
>>> of cycles, but would be served FCFS so from time to time, the "good"
>>> ones would be served. With this proposal the attacker can push out the
>>> legitimate weak clients in a *deterministic* way. If I know all Check
>>> Point iPhone clients do 10 bits (I assume most implementations will
>>> choose a value and stick to it, because they do not have any
>>> information about the effort currently needed), I will configure my
>>> botnet to always do 11, and push out any legitimate clients.
>>> 
>>> Thanks,
>>> Yaron
>>> 
>>> On 07/30/2014 07:45 AM, Yoav Nir wrote:
>>>> Hi all
>>>> 
>>>> After the meeting on Friday, I talked to Tero and Brian Weis, and Tero
>>>> suggested a different sort of puzzle that could make it easier to
>>>> support both strong and weak clients. This is sort of like the
>>>> proof-of-work used by BitCoin.
>>>> 
>>>> 1. Calculate the cookie as before. For an example, let?s assume the
>>>>   cookie is fdbcfa5a430d7201282358a2a034de0013cfe2ae (20 octets).
>>>> 2. A ?legacy? initiator will return this exact cookie.
>>>> 3. A newer initiator will return the cookie, with some extra bytes.
>>>> 4. The ?value? of a returned cookie is determined by the number of
>>>>   trailing zero bits in the SHA-256 hash of the transmitted cookie:
>>>> 
>>>>   Cookie || extra data
>>>> 
>>>>   hash
>>>> 
>>>>   # trailing zero bits
>>>>   fdbcfa5a430d7201282358a2a034de0013cfe2ae
>>>> 
>>>>   ec2f327dae577a31152e3de2ac0f2f798e21f02e1afb04d33ff79bdd5d30eede
>>>> 
>>>>   1
>>>>   fdbcfa5a430d7201282358a2a034de0013cfe2ae0182
>>>> 
>>>>   71d3e8c09fbb8db5315e6364dce3ebd56ad35c96e284296e2ffffa256bdfa800
>>>> 
>>>>   11
>>>>   fdbcfa5a430d7201282358a2a034de0013cfe2ae022b3d
>>>> 
>>>>   3b4bdf201105e059e09f65219021738b8f6a148896b2e1be2fdc726aeb6e0000
>>>> 
>>>>   17
>>>>   fdbcfa5a430d7201282358a2a034de0013cfe2ae0aa679
>>>> 
>>>>   c352e914a41615496e3498e5ecb87b992be1ad40620f48af85428996c1f00000
>>>> 
>>>>   20
>>>>   fdbcfa5a430d7201282358a2a034de0013cfe2ae5c2880
>>>> 
>>>>   155319280d687074d0f78511f63c77c568a5418dd44e6467d8fc37723d800000
>>>> 
>>>>   23
>>>>   fdbcfa5a430d7201282358a2a034de0013cfe2ae022bffc8
>>>> 
>>>>   6469faf4455cf9a51b04edeea8195f27771d56b95f2d874764a71e2948000000
>>>> 
>>>>   27
>>>> 
>>>> 
>>>> 5. Initiators are limited (by the construction of the cookie) in the
>>>>   amount of time they can spend. So powerful clients will manage 23
>>>>   bits, while weaker clients will only manage 17.
>>>> 6. When an Initial request arrives with a cookie, first the first 20
>>>>   bytes are validated, and then the result is queued by ?value?.
>>>> 7. When the responder can handle a packet (has room in the half-open SA
>>>>   table) it processes the entry with the highest value in the queue.
>>>>   Entries expire after some time even if not handled.
>>>> 
>>>> 
>>>> I think if this algorithm is chosen, an attacker can still expend little
>>>> effort, get some 5-6 bits, and use that to push out all legacy clients.
>>>> We could counter that by having a minimum threshold at something like
>>>> 10-12 bits, some value that all supported platforms can easily manage in
>>>> under 0.5 seconds, and consider all values below that to be equal to
>>>> zero (not enough effort to matter).
>>>> 
>>>> This could get some more tweaks. But what do people think of this?
>>>> 
>>>> Thanks
>>>> 
>>>> Yoav
>>>> 
>>>> P.S. This is the first time I tried to send a table pasted into Apple
>>>> Mail to a mailing list. I apologize in advance if it comes out looking
>>>> horrific.
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> IPsec mailing list
>>>> IPsec@ietf.org <mailto:IPsec@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/ipsec
>> 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 31 Jul 2014 16:19:22 +0000
> From: Zhenjie Huang <zhenjie.huang@ericsson.com>
> To: "ipsec@ietf.org" <ipsec@ietf.org>
> Subject: [IPsec] Confusion about NAT traversal in RFC5996
> Message-ID:
> 	<6CCF0B32EEB49742A558E6A2BA50E7B6555C6ADB@ESGSCMB101.ericsson.se>
> Content-Type: text/plain; charset="us-ascii"
> 
> 
> Dear IPsec experts,
> 
> I am a System Engineer from Ericsson.
> I am currently reading your RFC5996. However, I feel confused with the following words about NAT traversal:
> 
> Section 2.23:
> A host behind a NAT SHOULD NOT do this type of dynamic address update if a validated packet has
> different port and/or address values because it opens a possible DoS attack (such as allowing an
> attacker to break the connection with a single packet).
> 
> It is very difficult to understand this case. Could you give me some hint why it opens a possible DoS attack when the host is behind a NAT?
> Your different opinions are really appreciated for my better understanding. Thank you very much!
> 
> Kind regards,
> Jerry Huang
> 
> 
> [Ericsson]<http://www.ericsson.com/>
> 
> ZHENJIE HUANG
> System Engineer
> CGC/X
> 
> Ericsson
> 13/F, ShuGuang Building, Nanshan
> Shenzhen, China
> Phone 0755-86925204
> Mobile 18576627893
> zhenjie.huang@ericsson.com
> www.ericsson.com
> 
> 
> [http://www.ericsson.com/current_campaign]<http://www.ericsson.com/current_campaign>
> 
> Legal entity: N/A, registered office in N/A. This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer<http://www.ericsson.com/email_disclaimer>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://www.ietf.org/mail-archive/web/ipsec/attachments/20140731/7b167a7a/attachment.html>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: image001.gif
> Type: image/gif
> Size: 2367 bytes
> Desc: image001.gif
> URL: <http://www.ietf.org/mail-archive/web/ipsec/attachments/20140731/7b167a7a/attachment.gif>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: image002.gif
> Type: image/gif
> Size: 22330 bytes
> Desc: image002.gif
> URL: <http://www.ietf.org/mail-archive/web/ipsec/attachments/20140731/7b167a7a/attachment-0001.gif>
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> 
> 
> ------------------------------
> 
> End of IPsec Digest, Vol 123, Issue 21
> **************************************

v2.23.0 | Report a Bug | By Email