Re: [IPsec] IPsec Digest, Vol 123, Issue 21
Les Leposo <leposo@gmail.com> Sat, 16 August 2014 09:48 UTC
Return-Path: <leposo@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25FB21A8724 for <ipsec@ietfa.amsl.com>; Sat, 16 Aug 2014 02:48:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.155
X-Spam-Level: **
X-Spam-Status: No, score=2.155 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FU_ENDS_2_WRDS=0.255, J_CHICKENPOX_31=0.6, J_CHICKENPOX_41=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8rTnhi5S3Wqh for <ipsec@ietfa.amsl.com>; Sat, 16 Aug 2014 02:48:21 -0700 (PDT)
Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED481A8720 for <ipsec@ietf.org>; Sat, 16 Aug 2014 02:48:20 -0700 (PDT)
Received: by mail-we0-f181.google.com with SMTP id k48so3103770wev.26 for <ipsec@ietf.org>; Sat, 16 Aug 2014 02:48:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=etl+CyPaHoD+77nQ+qjTC5eRM2tiFEbCp9ahFAHB55U=; b=cfyFHv044JvmdC8L/tiFHiz/BnX4a51ZPkMOfR9Ccpt8j/FN5+SkRBZXDTwyANIwrp xntWYsL8YQnka+4f8jR+0Nw1RMbEclQ8AIJCl0u0SvPV9ot+eo0V7WRfvCqVy1FKGNow vjYPdtcJd+e/3RSPacmDaV4s5pVDiEfqhdusT8C3aQstW+4S9doQhgaLaxKpENS82xKp VTNovhnPx3f3ng5uIa9gwNf7xMIXeLOo+g8bPv8S19zklKvbUS4OwnhjBFY1tD9auVs6 +4PmtTAaR+6rRLtVPG6mCf4QH0wTWkNSCfpH5NuIEtMshgoA7FUACcMcsUVi28/0QR/C jtwA==
X-Received: by 10.180.206.38 with SMTP id ll6mr27221290wic.40.1408182499531; Sat, 16 Aug 2014 02:48:19 -0700 (PDT)
Received: from [192.168.0.17] ([197.237.48.207]) by mx.google.com with ESMTPSA id wr6sm25357324wjc.24.2014.08.16.02.48.17 for <ipsec@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 16 Aug 2014 02:48:18 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Les Leposo <leposo@gmail.com>
In-Reply-To: <mailman.4236.1406823571.13632.ipsec@ietf.org>
Date: Sat, 16 Aug 2014 12:48:13 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <A0463391-0BB4-408F-874B-A6B91ED6D102@gmail.com>
References: <mailman.4236.1406823571.13632.ipsec@ietf.org>
To: ipsec@ietf.org
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/a45yHcg-gV5nHfnLurzdQNSOm_o
Subject: Re: [IPsec] IPsec Digest, Vol 123, Issue 21
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Aug 2014 09:48:23 -0000
Hi some points of discussion below. On Jul 31, 2014, at 7:19 PM, ipsec-request@ietf.org wrote: > Send IPsec mailing list submissions to > ipsec@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/ipsec > or, via email, send a message with subject or body 'help' to > ipsec-request@ietf.org > > You can reach the person managing the list at > ipsec-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of IPsec digest..." > > > Today's Topics: > > 1. Re: Puzzles draft - another idea (Paul Wouters) > 2. Re: Puzzles draft - another idea (Yaron Sheffer) > 3. Confusion about NAT traversal in RFC5996 (Zhenjie Huang) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 30 Jul 2014 15:02:56 -0400 (EDT) > From: Paul Wouters <paul@nohats.ca> > To: Yoav Nir <ynir.ietf@gmail.com> > Cc: ipsec <ipsec@ietf.org> > Subject: Re: [IPsec] Puzzles draft - another idea > Message-ID: <alpine.LFD.2.10.1407301457180.25462@bofh.nohats.ca> > Content-Type: TEXT/PLAIN; charset=windows-1252; format=flowed > > On Wed, 30 Jul 2014, Yoav Nir wrote: > >> Suppose our half-open SA table can hold 100,000 entries and we clear them out after 10 seconds. That allows 10,000 entries per >> second. More realistic number are 18 bits for the iPhone and 20 bits for the attacker, so to block out those iPhones, the attacker >> would have to perform 10,000 * 2^20 SHA-256 hashes per second, or about 10 billion hashes. That?s about 400 server-class hardware >> working full-time, or a 10,000-way botnet. The draft is all about increasing the work for the attacker, and I believe this is doing >> it well. The baseline is sending 20,000 packets per second while only copying the cookie (no PK or hash operations at all). >> >> It is possible to do as in the current draft, and set a single difficulty level (say, 18 bits). This allows the attacker a nice and >> deterministic way to keep the half-open SA table full, which blocks out all clients, not just the iPhones.? > > The iphone (which is only rumored to do IKEv2 with iOS8 likely to be > released in September this year) currently has a > terrible record of continuously re-establishing connections. Like > whenever the screen saver hits it will tear down the tunnel. With > an always-on profile, that means if I unblanc the screen, it will > start a new IKE session. > ikev2 "session resumption" promised some improvements over ikev1 - frankly that is part of the spec that needs to be 'MUST' and not 'SHOULD', for all servers. > A scheme like this would drain the battery on top of the current > re-establishing draining, that already prevents me from using an > always-on profile - my iphone won't last for 4 hours. > > Perhaps we should look at other types of puzzles that do not depend on > raw CPU power? Great question. imho, if the hash calculations (and ike) are a big enough culprits, then perhaps the mobile SoC folks should consider bringing onboard IP that accelerates/offloads the hash calculations (and other aspects of ike) to more energy efficient component/sub-system? Or, a crazier idea... find ways to permit/standardise some types of cheating at the peers. e.g. By allow "scripted/seeded" connections to be established and policed. i.e. peers are negotiating using a "scripted" sequence of nonces, hashes, e.t.c, As follows: - The client 1st connects to a trusted entity, gets the "script/seeds", which is also (concurrently) pushed down to the ikev2 server (may be the same machine). - The peers need to store these "scripts/seeds" securely (i.e. sandboxing is a must). - The trusted entity needs to be very fast (probably with hardware acceleration) at generating these "scripts/seeds". Perhaps a new product category for servers. - Then the client and server do the scripted dance all day - which is more energy efficient but results in a tunnel should be policed (as less secure than "unscripted" connections). some $.02 > > Paul > > > > ------------------------------ > > Message: 2 > Date: Wed, 30 Jul 2014 12:12:20 -0700 > From: Yaron Sheffer <yaronf.ietf@gmail.com> > To: Yoav Nir <ynir.ietf@gmail.com> > Cc: ipsec <ipsec@ietf.org> > Subject: Re: [IPsec] Puzzles draft - another idea > Message-ID: <53D94394.10703@gmail.com> > Content-Type: text/plain; charset=utf-8; format=flowed > > Makes sense to me. > > Yaron > > On 07/30/2014 11:45 AM, Yoav Nir wrote: >> Hi, Yaron >> >> Suppose our half-open SA table can hold 100,000 entries and we clear >> them out after 10 seconds. That allows 10,000 entries per second. More >> realistic number are 18 bits for the iPhone and 20 bits for the >> attacker, so to block out those iPhones, the attacker would have to >> perform 10,000 * 2^20 SHA-256 hashes per second, or about 10 billion >> hashes. That?s about 400 server-class hardware working full-time, or a >> 10,000-way botnet. The draft is all about increasing the work for the >> attacker, and I believe this is doing it well. The baseline is sending >> 20,000 packets per second while only copying the cookie (no PK or hash >> operations at all). >> >> It is possible to do as in the current draft, and set a single >> difficulty level (say, 18 bits). This allows the attacker a nice and >> deterministic way to keep the half-open SA table full, which blocks out >> all clients, not just the iPhones. >> >> Yoav >> >> On Jul 30, 2014, at 6:40 PM, Yaron Sheffer <yaronf.ietf@gmail.com >> <mailto:yaronf.ietf@gmail.com>> wrote: >> >>> Hi Yoav, >>> >>> this is a nice idea, but I think it actually performs worse than the >>> baseline. >>> >>> With the previous solution all clients had to expend the same number >>> of cycles, but would be served FCFS so from time to time, the "good" >>> ones would be served. With this proposal the attacker can push out the >>> legitimate weak clients in a *deterministic* way. If I know all Check >>> Point iPhone clients do 10 bits (I assume most implementations will >>> choose a value and stick to it, because they do not have any >>> information about the effort currently needed), I will configure my >>> botnet to always do 11, and push out any legitimate clients. >>> >>> Thanks, >>> Yaron >>> >>> On 07/30/2014 07:45 AM, Yoav Nir wrote: >>>> Hi all >>>> >>>> After the meeting on Friday, I talked to Tero and Brian Weis, and Tero >>>> suggested a different sort of puzzle that could make it easier to >>>> support both strong and weak clients. This is sort of like the >>>> proof-of-work used by BitCoin. >>>> >>>> 1. Calculate the cookie as before. For an example, let?s assume the >>>> cookie is fdbcfa5a430d7201282358a2a034de0013cfe2ae (20 octets). >>>> 2. A ?legacy? initiator will return this exact cookie. >>>> 3. A newer initiator will return the cookie, with some extra bytes. >>>> 4. The ?value? of a returned cookie is determined by the number of >>>> trailing zero bits in the SHA-256 hash of the transmitted cookie: >>>> >>>> Cookie || extra data >>>> >>>> hash >>>> >>>> # trailing zero bits >>>> fdbcfa5a430d7201282358a2a034de0013cfe2ae >>>> >>>> ec2f327dae577a31152e3de2ac0f2f798e21f02e1afb04d33ff79bdd5d30eede >>>> >>>> 1 >>>> fdbcfa5a430d7201282358a2a034de0013cfe2ae0182 >>>> >>>> 71d3e8c09fbb8db5315e6364dce3ebd56ad35c96e284296e2ffffa256bdfa800 >>>> >>>> 11 >>>> fdbcfa5a430d7201282358a2a034de0013cfe2ae022b3d >>>> >>>> 3b4bdf201105e059e09f65219021738b8f6a148896b2e1be2fdc726aeb6e0000 >>>> >>>> 17 >>>> fdbcfa5a430d7201282358a2a034de0013cfe2ae0aa679 >>>> >>>> c352e914a41615496e3498e5ecb87b992be1ad40620f48af85428996c1f00000 >>>> >>>> 20 >>>> fdbcfa5a430d7201282358a2a034de0013cfe2ae5c2880 >>>> >>>> 155319280d687074d0f78511f63c77c568a5418dd44e6467d8fc37723d800000 >>>> >>>> 23 >>>> fdbcfa5a430d7201282358a2a034de0013cfe2ae022bffc8 >>>> >>>> 6469faf4455cf9a51b04edeea8195f27771d56b95f2d874764a71e2948000000 >>>> >>>> 27 >>>> >>>> >>>> 5. Initiators are limited (by the construction of the cookie) in the >>>> amount of time they can spend. So powerful clients will manage 23 >>>> bits, while weaker clients will only manage 17. >>>> 6. When an Initial request arrives with a cookie, first the first 20 >>>> bytes are validated, and then the result is queued by ?value?. >>>> 7. When the responder can handle a packet (has room in the half-open SA >>>> table) it processes the entry with the highest value in the queue. >>>> Entries expire after some time even if not handled. >>>> >>>> >>>> I think if this algorithm is chosen, an attacker can still expend little >>>> effort, get some 5-6 bits, and use that to push out all legacy clients. >>>> We could counter that by having a minimum threshold at something like >>>> 10-12 bits, some value that all supported platforms can easily manage in >>>> under 0.5 seconds, and consider all values below that to be equal to >>>> zero (not enough effort to matter). >>>> >>>> This could get some more tweaks. But what do people think of this? >>>> >>>> Thanks >>>> >>>> Yoav >>>> >>>> P.S. This is the first time I tried to send a table pasted into Apple >>>> Mail to a mailing list. I apologize in advance if it comes out looking >>>> horrific. >>>> >>>> >>>> >>>> _______________________________________________ >>>> IPsec mailing list >>>> IPsec@ietf.org <mailto:IPsec@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/ipsec >> > > > > ------------------------------ > > Message: 3 > Date: Thu, 31 Jul 2014 16:19:22 +0000 > From: Zhenjie Huang <zhenjie.huang@ericsson.com> > To: "ipsec@ietf.org" <ipsec@ietf.org> > Subject: [IPsec] Confusion about NAT traversal in RFC5996 > Message-ID: > <6CCF0B32EEB49742A558E6A2BA50E7B6555C6ADB@ESGSCMB101.ericsson.se> > Content-Type: text/plain; charset="us-ascii" > > > Dear IPsec experts, > > I am a System Engineer from Ericsson. > I am currently reading your RFC5996. However, I feel confused with the following words about NAT traversal: > > Section 2.23: > A host behind a NAT SHOULD NOT do this type of dynamic address update if a validated packet has > different port and/or address values because it opens a possible DoS attack (such as allowing an > attacker to break the connection with a single packet). > > It is very difficult to understand this case. Could you give me some hint why it opens a possible DoS attack when the host is behind a NAT? > Your different opinions are really appreciated for my better understanding. Thank you very much! > > Kind regards, > Jerry Huang > > > [Ericsson]<http://www.ericsson.com/> > > ZHENJIE HUANG > System Engineer > CGC/X > > Ericsson > 13/F, ShuGuang Building, Nanshan > Shenzhen, China > Phone 0755-86925204 > Mobile 18576627893 > zhenjie.huang@ericsson.com > www.ericsson.com > > > [http://www.ericsson.com/current_campaign]<http://www.ericsson.com/current_campaign> > > Legal entity: N/A, registered office in N/A. This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer<http://www.ericsson.com/email_disclaimer> > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: <http://www.ietf.org/mail-archive/web/ipsec/attachments/20140731/7b167a7a/attachment.html> > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image001.gif > Type: image/gif > Size: 2367 bytes > Desc: image001.gif > URL: <http://www.ietf.org/mail-archive/web/ipsec/attachments/20140731/7b167a7a/attachment.gif> > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image002.gif > Type: image/gif > Size: 22330 bytes > Desc: image002.gif > URL: <http://www.ietf.org/mail-archive/web/ipsec/attachments/20140731/7b167a7a/attachment-0001.gif> > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > > > ------------------------------ > > End of IPsec Digest, Vol 123, Issue 21 > **************************************
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo