Re: [IPsec] Mirja Kühlewind's No Objection on draft-ietf-ipsecme-ddos-protection-09: (with COMMENT)
Yoav Nir <ynir.ietf@gmail.com> Fri, 23 September 2016 20:06 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAA4B12B2FB; Fri, 23 Sep 2016 13:06:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3rBxDv-EQWBT; Fri, 23 Sep 2016 13:06:14 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19D2612B2DC; Fri, 23 Sep 2016 13:06:10 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id l132so51271377wmf.0; Fri, 23 Sep 2016 13:06:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=iJAfW2IMj11Ps14SHH3T4K7cCxMieXCQo+10fgFTiCk=; b=yDaK8XJxTlFf7wG8YY5dbXTbLb9VQXdhz4KxdgNKGon4OTG8yPnCVSd5cpspBbhmcA Xk1Cjy6iCdqX5ZQ1gUYwzLfzP6u3zUgUVz/FHq20W5fvnrdDXH1jagHsIk4AeKKEcZCT b5nW/4ll6Ys5xR0ZX6y0NaYasnm8lke7wO/gZrm3G0+cuVeAsa9npo7h2sGPKuYNXLhY MTZOUhvsRfqGj5V37i0/el1X9OHqD93SDqVeY21FaAIf1odh2kp1kfMxb3G3gOX6Nnxp DiwJM7gVKND6Gd3wTvpvyn7FxEOCE1pB/dxc0D5qPHLjiIzzVQ2TLQe10qQgAGk/csm0 My9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=iJAfW2IMj11Ps14SHH3T4K7cCxMieXCQo+10fgFTiCk=; b=eE44efxe8L3B6MY2l++12Yk3K1v1liBNKhDIdI8HaW2TgioVrx6LIDyKuavAJEBgAi GG4ty/bVlbVzk70Y6quO26mas5fArF++CDlha3CVI03j61gyZP6Jm1+Ter8hjrGiP2bH l4fs9yHHow7I1jDubWrRp64WA0gnK8whuDMiZWyAYMYzIzuOYC6Wm8we87P5I6Ej4RtE bMp42Dqe+RDemNNO74fZToHMMuRFPhdLhiQ86aKd4ZrSlYItTgEY9jcaWP0kGmqE/rWy NqCkO9+AWo16Hr974MahwZuJTUduG8FB2OIv+lf6cQdYNmbHrMTG9x31N9VTMi4FEa7z CHJQ==
X-Gm-Message-State: AA6/9RlfRX99G9+3IyaECe4NxHju5XTpfxDdQKWcCn5d77BhZmHeAsqtsRs9HUiv/VuSDg==
X-Received: by 10.28.137.18 with SMTP id l18mr4232789wmd.70.1474661168593; Fri, 23 Sep 2016 13:06:08 -0700 (PDT)
Received: from [192.168.1.14] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id 137sm4656713wmi.16.2016.09.23.13.06.07 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 23 Sep 2016 13:06:07 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <147465789941.20366.13358533684157949770.idtracker@ietfa.amsl.com>
Date: Fri, 23 Sep 2016 23:06:05 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <674D263A-4EF8-4F8A-8320-1224FABAD10C@gmail.com>
References: <147465789941.20366.13358533684157949770.idtracker@ietfa.amsl.com>
To: Mirja Kuehlewind <ietf@kuehlewind.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/luW0ESCPPHkydNQDSGqla0Ew9QM>
Cc: ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-ddos-protection@ietf.org, The IESG <iesg@ietf.org>, David Waltermire <david.waltermire@nist.gov>
Subject: Re: [IPsec] Mirja Kühlewind's No Objection on draft-ietf-ipsecme-ddos-protection-09: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2016 20:06:16 -0000
Hi. See responses below > On 23 Sep 2016, at 10:11 PM, Mirja Kuehlewind <ietf@kuehlewind.net> wrote: > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Some questions: > > 1) sec 7.1.2: If there is a puzzle but no cookie, maybe the initiator > should ignore it and try to send reply without the puzzle solution, as > there might be still a change to get served…? If it then received another > packet with puzzle it can still solve it and reply. A response that contains neither COOKIE nor INVALID_KE_PAYLOAD nor the regular payloads like SA is invalid according to RFC 7296. That is one reason why we chose to keep the COOKIE notification and add a PUZZLE notification rather than put both pieces of data in the new notification. A response with only PUZZLE and no COOKIE is invalid and should be treated as such. So after some (not specified anywhere) time, the Initiator should start a new IKE_SA_INIT exchange, hoping that this time the Responder returns a valid response. > > 2) sec 7.1.4: Does „the Responder MUST verify the puzzle solution“? Maybe > there are cases where the burden for the initiator is high enough by > requesting the solution that there is already an effect even if the > responder decides to not verify it…? There was a suggestion discussed that the Responder MAY choose not to check the solution or randomly check just one of the four solutions. The WG didn’t like that as it makes the protocol non-deterministic and makes things harder to test. So consensus was to make the verification mandatory. Of course, this doesn’t affect interoperability, so we can’t force a responder to check everything. > 3) also sec 7.1.4: Does the following sentence really makes sense? How > doe the responser know? Maybe just remove it? > „The more time the Initiator spent solving the puzzles, the higher > priority it should receive.“ The Responder cannot know. It can only assume based on the expected number of steps in finding a solution with a certain number of trailing zero bits. > 4) sec 7.2.1.1 says „the Responder would be able to estimate the > computational power of the Initiator and select the difficulty level > accordingly.“ How would it estimate the computational power? Based on the > reply time? Wouldn’t it also need to know the RTT and current congestion > level then? The only estimate that the responder has is based on what the initiator solved during the IKE_SA_INIT exchange. If the Initiator solved a level-15 puzzle (15 trailing zeros in each of the four solutions) then it stands to reason that it *can* solve a level-15 puzzle. Maybe the word “estimate” is misleading here. > 5) sec 7.2.2 says „If the IKE_SA_INIT response message contains the > PUZZLE notification and the Initiator supports puzzles, it MUST solve the > puzzle.“ > Should this be „IKE_SA_AUTH“ here instead of „IKE_SA_INIT“? > Otherwise it contradicts sec 7.1.2 („The Initiator MAY ignore the PUZZLE > notification…“) Sure. Seems to be a typo. > Two general comments/questions: > > 1) What’s about the additional cpu load of the responder to calculate the > puzzle. Can that be a problem? Are there any strategies to keep that low > (recalculation/caching/reuse)? How long should things be cached/used? > Maybe add a few sentences in the Operational Considerations section! Verifying a puzzle solution involves 4 invocation of a MAC function on a few tens of bytes. This is very low considering that (1) IKE initiation involves at least one and typically two PK operations, and (2) IKE is for generating key material which is then used to MAC millions or billions of packets. > 2) Would it make sense to also give a field to change the number of > requested keys to scale load? Or why was it decided to use a fixed number > of 4 here? You scale the load by changing the difficulty (number of requested trailing zero bits). The reason we are asking for 4 solutions rather than 1 is to make the amount of work more predictable. We could make it even more predictable with 16 solutions, but that makes the packet bigger and runs the risk of requiring packet fragmentation. So we chose 4 as a reasonable compromise. See this mail about it: https://mailarchive.ietf.org/arch/msg/ipsec/v7PFBEWeaT6ZQCjzCmIaxbRnZ8A Yoav
- Re: [IPsec] Mirja Kühlewind's No Objection on dra… Yoav Nir
- [IPsec] Mirja Kühlewind's No Objection on draft-i… Mirja Kuehlewind
- Re: [IPsec] Mirja Kühlewind's No Objection on dra… Mirja Kuehlewind (IETF)
- Re: [IPsec] Mirja Kühlewind's No Objection on dra… Valery Smyslov
- Re: [IPsec] Mirja Kühlewind's No Objection on dra… Mirja Kühlewind
- Re: [IPsec] Mirja Kühlewind's No Objection on dra… Valery Smyslov
- Re: [IPsec] Mirja Kühlewind's No Objection on dra… Mirja Kuehlewind (IETF)