IETF Logo Mail Archive

Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

Valery Smyslov <svan@elvis.ru> Mon, 30 May 2022 11:52 UTC

Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74491C15C015; Mon, 30 May 2022 04:52:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y5f2zKjgqZdW; Mon, 30 May 2022 04:52:42 -0700 (PDT)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 643E3C15C004; Mon, 30 May 2022 04:52:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=eUcxCHU6z0MQcCYiCJFg+Mrr2Wob+4LtIJ0c0hy/7IY=; b=CQl33Bn1u5CzSFTgXawF+a0Iq1 NNOMUg8D+lY87o4YzGUVB/3aaehgOL/etwRhnPVJDQe/Ct4+1wBMFuRdCdoeoOgH5SJae8PXEHpYB BkAEySbQcl68GJXxIYwyoUGIaq2xXvm/yE8x8PJMJI8Zix8JGD2I+EsiXX3DiJMFVSio=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1nvdwp-0005LI-MH; Mon, 30 May 2022 14:52:35 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1nvdwp-0002A0-GU; Mon, 30 May 2022 14:52:35 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Mon, 30 May 2022 14:52:35 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Mon, 30 May 2022 14:52:35 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Christian Huitema' <huitema@huitema.net>, secdir@ietf.org
CC: draft-ietf-ipsecme-rfc8229bis.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com>
In-Reply-To: <165377251630.6282.16767658545384357479@ietfa.amsl.com>
Date: Mon, 30 May 2022 14:52:35 +0300
Message-ID: <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQKKl9px7X7eA1CQ6TUrJpeus4VMBavSw4kQ
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/05/30 09:55:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/05/30 06:46:00 #19619552
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/m-9s75-1zMQI3tqcBaRBkRXd2kA>
Subject: Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 May 2022 11:52:47 -0000

Hi Christian,

thank you for your review! Please, find my comments inline.

> -----Original Message-----
> From: Christian Huitema via Datatracker [mailto:noreply@ietf.org]
> Sent: Sunday, May 29, 2022 12:15 AM
> To: secdir@ietf.org
> Cc: draft-ietf-ipsecme-rfc8229bis.all@ietf.org; ipsec@ietf.org; last-call@ietf.org
> Subject: Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
> 
> Reviewer: Christian Huitema
> Review result: Has Nits
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any other
> last-call comments.
> 
> This draft is ready, with a single nit: I wish the security section mentioned
> data injection attacks over TCP, not just SYN flooding and RST attacks.
> 
> This draft is a bis version of RFC 8229, which describes how to encapsulate IKE
> and IPSEC in TCP. The new text adds precisions on how to handle TCP specific
> issues, which taken together help making the the specification more robust. The
> changes from RFC 8229 include:
> 
> * added section 7.2, retransmission, specify that UDP-style retransmission
> logic of IKE should be replaced by simple detection of failure over timers, and
> that if an initiator wants to retry an exchange, they have to start a new
> connection.
> 
> * added section 7.3, cookies and puzzles, points out that source address
> spoofing is already prevented by the 3-ways handshake of TCP, and that cookies
> SHOULD NOT be sent, unless a puzzle is also sent.
> 
> * added section 7.4, error handling in IKE_SA_INIT. RFC 7296 says "Because all
> error notifications are completely unauthenticated, the recipient should
> continue trying for some time before giving up. Draft says that if an attacker
> manages to insert a fake error message in a TCP connection, then the initiator
> will never receive correct messages on that flow and should act on the error
> immediately -- unless the error can be corrected by repeating the request with
> amended parameters.
> 
> * moved section 10 to section 7.6, Considerations for Keep-Alives and Dead Peer
> Detection, with an addition that IKEv2 exchange of informational messages
> should be used instead of TCP keep-alive. (Note that moving the section means
> the reviewer cannot use "diff" to find what changed, and that's not nice.)

We understand this, but we think that the new document has more logical structure.

> * moved section 8 to section 8.1. Added clarifications for cases when moving
> from a path that supported UDP to one that required TCP, and vice versa.
> 
> * added section 8.2 for IKE redirect, with clarification on what happens when
> redirecting from a path that supported UDP to one that required TCP, and vice
> versa.
> 
> * moved last paragraphs of section 8 to section 8.3 on IKEv2 Session Resumption
> 
> * renumbered section 10 and higher as section 9 and higher.
> 
> * updated IANA considerations
> 
> Security considerations are unchanged from RFC 8229. This is a missed
> opportunity. The security considerations correctly state that "IKE Responders
> that support TCP encapsulation may become vulnerable to new Denial-of-Service
> (DoS) attacks that are specific to TCP", citing SYN flooding attacks, and later
> mentions TCP Reset attacks against both initiators and responders. The security
> section does not mention packet injection attacks against TCP connections,
> although this kind of attack is actually discussed in section 7.3.

In general packet injection attacks have no effects on applications, since both ESP and IKE
provide data integrity and will ignore packets that fail ICV check.

However, I agree that in some cases the attack may have some effect:
- if an attacker alters the content of the Length field that separates packets,
   then the receiver will incorrectly identify the margins of the following packets and 
   will drop all of them or even tear down the TCP connection if the content of the
   Length field happen to be 0 or 1
- if the content of an IKE message is changed, then it will be dropped by the receiver;
   if the dropped message is the IKE request message, then the initiator will tear 
   down the IKE SA after timeout, since in most cases the request message will not be retransmitted
   (as advised in section 7.2)
- if an attacker alters the non-ESP marker then IKE packets will be dispatched to ESP
   and sometimes visa versa, those packets will be dropped
- if an attacker modifies IKE messages while new IKE SA is being established
   (i.e. in the IKE_SA_INIT exchange), then in most cases this will result in 
   failure to establish IKE SA

In other words, the result of packet injection attack will be some kind of DoS attack.

We can add these considerations into the Section 11.

Note, that if an attacker is so powerful, that it is able to modify packets 
on the wire, then it may mount DoS attack on IPsec regardless on the transport
being used.

> TCP specific attacks are not an issue as long as TCP encapsulation is only used
> on network paths that do not support UDP. On the other hand, since TCP is more
> vulnerable to denial of service than UDP, we have potential downgrade attacks
> in which an attacker somehow convinces the initiator that UDP is not available,
> when in fact it is. The initiator will move to using TCP, and the attacker can
> then attack the TCP connection. It might be worth mentioning this in the
> security section, and how the guidance provided in section 6.1 mitigates such
> attacks.

We can add a sentence that an attacker can force TCP encapsulation by blocking UDP.

> Of course, IKE and IPSEC are already protected against UDP or IP packet
> injection attacks, which are much easier to mount than TCP injection attacks.
> However, UDP or IP packet injection will generally not affect the state of the
> security associations. TCP packet injection attacks will force initiators and
> responders to abandon the TCP connection, as explained for example in section
> 7.3. It might be worth mentioning that the defenses against RST injection also
> apply against other forms of packet injection.

If the TCP connection is abandoned (for any reason) and the associated IKE SA
is still up, then the IKE initiator will re-create it. So, it is not a big deal, but definitely
can influence performance. On the other hand, an attacker who is able to alter 
the packets on the wire (TCP, UDP, any) can make IKE peers to tear down IKE SA
(e.g. by spoiling every packet). So, I'm not sure using TCP gives significant
advantages for an attacker here, in most cases it will result in DoS.

Regards,
Valery.

v2.23.0 | Report a Bug | By Email