IETF Logo Mail Archive

Re: [IPsec] [secdir] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

Valery Smyslov <svan@elvis.ru> Thu, 02 June 2022 15:19 UTC

Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A1D1C14F6E7; Thu, 2 Jun 2022 08:19:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uUR-o6WBp4C0; Thu, 2 Jun 2022 08:19:10 -0700 (PDT)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59398C15AAC1; Thu, 2 Jun 2022 08:19:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To: References:CC:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=J+k+lxcD6GppmnbmmQYlGuBSKT73UJStP0A4DoTNIjk=; b=dIYiksiz1jyTRRPQfVFTIOGK41 XyQPyhyJM5RaucKHgRIuNoT9ugvv3jI6AvO2YlOUwD6H2FWv46fjTHEbHB6C1v42EvgFDQIcoQA56 095G35chpov8HS/xXHirQnK9Tn5td3Nl0wlG9ubvJAUSi+JTxEkaOcNyC76zdE4RhcRM=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1nwmbD-0004mi-Dl; Thu, 02 Jun 2022 18:18:59 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1nwmbD-00066x-5Q; Thu, 02 Jun 2022 18:18:59 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 2 Jun 2022 18:18:59 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Thu, 2 Jun 2022 18:18:59 +0300
From: Valery Smyslov <svan@elvis.ru>
To: touch@strayalpha.com
CC: draft-ietf-ipsecme-rfc8229bis.all@ietf.org, secdir@ietf.org, ipsec@ietf.org, last-call@ietf.org
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com> <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru> <25237.6715.619617.181961@fireball.acr.fi> <08f501d874df$90e95750$b2bc05f0$@elvis.ru> <25238.13419.293263.562580@fireball.acr.fi> <0a1601d8750e$051083f0$0f318bd0$@elvis.ru> <25239.24036.317688.539399@fireball.acr.fi> <0b4301d875b9$ae525320$0af6f960$@elvis.ru> <C215CCAA-62D6-4C8D-88A1-248D17AB7E54@strayalpha.com> <0ba801d875d8$2c7a7c00$856f7400$@elvis.ru> <67C9850C-A91F-43EC-A31B-73065BB2FF61@strayalpha.com>
In-Reply-To: <67C9850C-A91F-43EC-A31B-73065BB2FF61@strayalpha.com>
Date: Thu, 02 Jun 2022 18:18:51 +0300
Message-ID: <006701d87694$10d6ce60$32846b20$@elvis.ru>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0068_01D876AD.3626C580"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKKl9px7X7eA1CQ6TUrJpeus4VMBQFqn8/DAb05IO0BpRHmcAMg7P2lAmkFNCsB/67htgKpxPc/AlUKDVUCIGbikQJM5tW9qynfd1A=
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/06/02 12:30:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/06/02 12:19:00 #19650230
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/snc_416ZD73Izl3kwOAt5ELZ2Ac>
Subject: Re: [IPsec] [secdir] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2022 15:19:15 -0000

Hi Joe,

 

From: touch@strayalpha.com [mailto:touch@strayalpha.com] 
Sent: Thursday, June 02, 2022 5:41 PM
To: Valery Smyslov
Cc: draft-ietf-ipsecme-rfc8229bis.all@ietf.org; secdir@ietf.org; ipsec@ietf.org; last-call@ietf.org
Subject: Re: [secdir] [Last-Call] [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

 

See below...

—

Dr. Joe Touch, temporal epistemologist

www.strayalpha.com





On Jun 1, 2022, at 9:53 AM, Valery Smyslov <svan@elvis.ru> wrote:

 

Hi Joe,

 

From: secdir [ <mailto:secdir-bounces@ietf.org> mailto:secdir-bounces@ietf.org] On Behalf Of  <mailto:touch@strayalpha.com> touch@strayalpha.com
Sent: Wednesday, June 01, 2022 5:43 PM
To: Valery Smyslov
Cc:  <mailto:draft-ietf-ipsecme-rfc8229bis.all@ietf.org> draft-ietf-ipsecme-rfc8229bis.all@ietf.org;  <mailto:secdir@ietf.org> secdir@ietf.org;  <mailto:ipsec@ietf.org> ipsec@ietf.org;  <mailto:last-call@ietf.org> last-call@ietf.org
Subject: Re: [secdir] [Last-Call] [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

 

Hi, all,

 

Overall, it seems sufficient to:

 

- highlight how much more vulnerable this tunnel makes IPsec to DOS attacks

          i.e., that single packets can cause the entire connection to need to be reset

 

          Already in the draft.

 

- indicate that there IS a way to avoid that hit by re-syncing

          the sync requires a scan, but that in some cases such a scan can be more 

          efficient in than starting a new connection, although it does mean that such 

          an attack may be more likely moving forward (note: restarting a connection

          might provide useful information to an attacker, where continuing may hide

          the impact of such an attack too, so resync has cons and pros).

 

          I’ve added some text about the possibility of a resync. 

          About information for an attacker – if we talk about off-the-path attacker,

          then in general it is unaware of the results of its attack, it may 

          only guess them indirectly. And since resync will take some time and 

          thus introduce some delay, that may be visible to attacker, I’m not sure 

          which method is preferable in this context – everything depends on

          specific conditions for the attacker.

 

Yes, but a connection restart is much more potentially visible to an external viewer than a few IPsec packets inside the transfer being discarded.

 

         There may be other considerations. If the attack is successful, then the attacker

         has already guessed the correct sequence number and 4-tuple, so it is likely 

         that it continues to inject data. So, you generally don’t know whether the

         stream you are using while trying to resync is genuine, and in fact the resync can never happen or 

         will take a long time, during which the IKE SA will be closed by timeout.

         In contrast, re-creating TCP connection will stop the current attack, the attacker will need

         to start over. So I prefer the resync to be a MAY and the close to be a SHOULD.

 

          Regards,

          Valery.

 

Joe

v2.23.0 | Report a Bug | By Email