[IPsec] Review of draft-ietf-ipsecme-ddos-protection
"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Wed, 29 June 2016 23:11 UTC
Return-Path: <david.waltermire@nist.gov>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 306FD12D904 for <ipsec@ietfa.amsl.com>; Wed, 29 Jun 2016 16:11:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Akr1ebOUqQZU for <ipsec@ietfa.amsl.com>; Wed, 29 Jun 2016 16:11:34 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0116.outbound.protection.outlook.com [23.103.200.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6137A12D927 for <ipsec@ietf.org>; Wed, 29 Jun 2016 16:11:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=VlGz0x9opy1ULd6OL91cvbkQrCLGPp7C0RkkR8KL+KU=; b=SHVyNxSmGAhdE4lqigDboAY+nJoyMQD/opj85k7MnbpwYUlQV0ELt3VUrRKnU50qbNjT4HNk35PIjGSW2wuo2aozLZ9ZmSyf5ODb9HhWlJKMHIgXCpgJF2vsxukyPUnr5pa6nlGTKwP25sW94BkKD74Xdhaf//A8BXlP3csc9fQ=
Received: from DM2PR09MB0665.namprd09.prod.outlook.com (10.161.144.16) by DM2PR09MB0665.namprd09.prod.outlook.com (10.161.144.16) with Microsoft SMTP Server (TLS) id 15.1.523.12; Wed, 29 Jun 2016 23:11:32 +0000
Received: from DM2PR09MB0665.namprd09.prod.outlook.com ([10.161.144.16]) by DM2PR09MB0665.namprd09.prod.outlook.com ([10.161.144.16]) with mapi id 15.01.0523.024; Wed, 29 Jun 2016 23:11:32 +0000
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: IPsecME WG <ipsec@ietf.org>
Thread-Topic: Review of draft-ietf-ipsecme-ddos-protection
Thread-Index: AdHSWx59AuDIEcsNSdSPK3G4/aSINg==
Date: Wed, 29 Jun 2016 23:11:32 +0000
Message-ID: <DM2PR09MB0665431CCBC1C6B88AE28EA7F0230@DM2PR09MB0665.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=david.waltermire@nist.gov;
x-originating-ip: [129.6.224.58]
x-ms-office365-filtering-correlation-id: 838ba6c7-830a-4751-d626-08d3a072b5df
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0665; 6:DqIf88LpuR4N8mvTTkMwJBjC/18TuqIUeK4jV5N0e/LscxvmzgdtkD1LmPyZVP4h+Jw0sh18Dn934xVSGx9xThcrDIHCj5YMOTwwTuUVNCwdO+IvIHcxHY8HbYzjayPEK3GeCTn1+z1lQU5jmc/cqNTKNk2ohfOqTYwSpPFqYGrfLNdmvBhelGZ8SkMxkVFjGsd78cb2tJrcdp8SduxYQ5Gp/l8mVBV+r/rZOg++LCcwtdQB38SIVHaY2cDjeJyYAZ+JytX6MoEitFLmnU9rmlQxziaUaoCoULyzkUfOFtjMragna5oKmf0UA+BbrNt8VLiD9aCMXIRP+s728rtGK4escEteflOoT1oE2H/NgSE=; 5:GpfuzP0wjwocJMkZwVUTVNI/UR5ycPxf79sIDLYmaaQhbhC6rXWZLf0EXt5FO9BOX7rmBgFWYOgrtBfvb5TiElXLdJWuFxiGVSFg2sYNiFRUFJNK01c3wqYHyT5WL6zCXe312yWExUflxl0ZrTzcaw==; 24:w2mknWZPdUvBDKrSV2i0ASDODyX9nw8NFokudenfb3GeGY/otxgbZ/JZnANZF729zyC1/BYf7XjeHn51nM+2rADL4/sdeBbXpdWbTM2I/aE=; 7:8JzehOO256MdrLtiCE0XsRYbDvrw7w+re4RijpqiYsrPvn2rQy2Z4EKoQlFE+rrCe+EAhGRl44cX+ojfYZqUW2wF1Miz46gyl+vl9On05t7+vwkBaNLSyvE9ilKVhHJLBWS8iKjwjOXIcW45FOHo7mVbKmUQxM9EYM/0kabUPaS204sHlG0uQXp+nomp/3oRf4VWXmUlQ0x9gwU1OAjvNTlz5Won7jbn4UVROsOzxanReE4RbpgiRJJO5jb8FXaVv3cuGbiad0Me0Fr6OvPcJg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR09MB0665;
x-microsoft-antispam-prvs: <DM2PR09MB06650FE8B0298C82940DEA7DF0230@DM2PR09MB0665.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026); SRVR:DM2PR09MB0665; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0665;
x-forefront-prvs: 09888BC01D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(189002)(199003)(99286002)(2906002)(54356999)(5002640100001)(97736004)(229853001)(450100001)(74316001)(77096005)(586003)(50986999)(66066001)(11100500001)(106356001)(3846002)(3280700002)(86362001)(102836003)(6116002)(87936001)(2900100001)(3660700001)(305945005)(7846002)(68736007)(105586002)(122556002)(9686002)(33656002)(76576001)(5003600100003)(189998001)(10400500002)(7736002)(8936002)(107886002)(110136002)(7696003)(92566002)(81156014)(8676002)(81166006)(230783001)(101416001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0665; H:DM2PR09MB0665.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jun 2016 23:11:32.5852 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0665
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/g1jSfS2qjfHKKNeGEqCjCDz1hN8>
Subject: [IPsec] Review of draft-ietf-ipsecme-ddos-protection
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 23:11:36 -0000
I just completed a review of the DDoS draft. I fixed a number of grammar and wording issues. I would like to issue a pull request, but I don't have access to the site yet. I hope to get that resolved ASAP and then submit the pull request. While I was reviewing the draft I noticed a couple of small things. In section 6, the text reads: When there is no general DDoS attack, it is suggested that no cookie or puzzles be used. At this point the only defensive measure is to monitor the number of half-open SAs, and setting a soft limit per peer IP or prefix. The soft limit can be set to 3-5, and the puzzle difficulty should be set to such a level (number of zero-bits) that all legitimate clients can handle it without degraded user experience. This paragraph is confusing since the first sentence suggests that no puzzles are used and the last sentence suggests a puzzle difficult value. Should the puzzle text be removed from the last sentence? How about the following? When there is no general DDoS attack, it is suggested that no cookie or puzzles be used. At this point the only defensive measure is to monitor the number of half-open SAs, and setting a soft limit per peer IP or prefix. The soft limit can be set to 3-5 to support DoS detection. If puzzles are used, the difficulty should be set to such a level (number of zero-bits) that all legitimate clients can handle it without degraded user experience. Two paragraphs down the text reads: When cookies are activated for all requests and the attacker is still managing to consume too many resources, the Responder MAY increase the difficulty of puzzles imposed on IKE_SA_INIT requests coming from suspicious nodes/prefixes. It should still be doable by all legitimate peers, but it can degrade experience, for example by taking up to 10 seconds to solve the puzzle. This assumes that puzzles are already in use, which might not be the case based on the earlier paragraph. Perhaps the following text can be used instead: When cookies are activated for all requests and the attacker is still managing to consume too many resources, the Responder MAY start to use puzzles for these requests or increase the difficulty of puzzles imposed on IKE_SA_INIT requests coming from suspicious nodes/prefixes. This should still be doable by all legitimate peers, but the use of puzzles at a higher difficulty may degrade the user experience, for example by taking up to 10 seconds to solve the puzzle. Section 7.2.1 contains the sentence: The Responder MUST NOT use puzzles in the IKE_AUTH exchange unless the puzzle has been previously presented and solved in the preceding IKE_SA_INIT exchange."? Should this state "unless the puzzle" or "unless a puzzle"? It seems like the latter is what was intended. Thanks, Dave David Waltermire Information Technology Laboratory | Computer Security Division National Institute of Standards and Technology
- Re: [IPsec] Review of draft-ietf-ipsecme-ddos-pro… Valery Smyslov
- [IPsec] Review of draft-ietf-ipsecme-ddos-protect… Waltermire, David A. (Fed)