Re: [IPsec] [secdir] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
Valery Smyslov <svan@elvis.ru> Thu, 02 June 2022 15:19 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A1D1C14F6E7; Thu, 2 Jun 2022 08:19:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uUR-o6WBp4C0; Thu, 2 Jun 2022 08:19:10 -0700 (PDT)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59398C15AAC1; Thu, 2 Jun 2022 08:19:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To: References:CC:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=J+k+lxcD6GppmnbmmQYlGuBSKT73UJStP0A4DoTNIjk=; b=dIYiksiz1jyTRRPQfVFTIOGK41 XyQPyhyJM5RaucKHgRIuNoT9ugvv3jI6AvO2YlOUwD6H2FWv46fjTHEbHB6C1v42EvgFDQIcoQA56 095G35chpov8HS/xXHirQnK9Tn5td3Nl0wlG9ubvJAUSi+JTxEkaOcNyC76zdE4RhcRM=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1nwmbD-0004mi-Dl; Thu, 02 Jun 2022 18:18:59 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1nwmbD-00066x-5Q; Thu, 02 Jun 2022 18:18:59 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 2 Jun 2022 18:18:59 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Thu, 2 Jun 2022 18:18:59 +0300
From: Valery Smyslov <svan@elvis.ru>
To: touch@strayalpha.com
CC: draft-ietf-ipsecme-rfc8229bis.all@ietf.org, secdir@ietf.org, ipsec@ietf.org, last-call@ietf.org
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com> <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru> <25237.6715.619617.181961@fireball.acr.fi> <08f501d874df$90e95750$b2bc05f0$@elvis.ru> <25238.13419.293263.562580@fireball.acr.fi> <0a1601d8750e$051083f0$0f318bd0$@elvis.ru> <25239.24036.317688.539399@fireball.acr.fi> <0b4301d875b9$ae525320$0af6f960$@elvis.ru> <C215CCAA-62D6-4C8D-88A1-248D17AB7E54@strayalpha.com> <0ba801d875d8$2c7a7c00$856f7400$@elvis.ru> <67C9850C-A91F-43EC-A31B-73065BB2FF61@strayalpha.com>
In-Reply-To: <67C9850C-A91F-43EC-A31B-73065BB2FF61@strayalpha.com>
Date: Thu, 02 Jun 2022 18:18:51 +0300
Message-ID: <006701d87694$10d6ce60$32846b20$@elvis.ru>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0068_01D876AD.3626C580"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKKl9px7X7eA1CQ6TUrJpeus4VMBQFqn8/DAb05IO0BpRHmcAMg7P2lAmkFNCsB/67htgKpxPc/AlUKDVUCIGbikQJM5tW9qynfd1A=
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/06/02 12:30:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/06/02 12:19:00 #19650230
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/snc_416ZD73Izl3kwOAt5ELZ2Ac>
Subject: Re: [IPsec] [secdir] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2022 15:19:15 -0000
Hi Joe, From: touch@strayalpha.com [mailto:touch@strayalpha.com] Sent: Thursday, June 02, 2022 5:41 PM To: Valery Smyslov Cc: draft-ietf-ipsecme-rfc8229bis.all@ietf.org; secdir@ietf.org; ipsec@ietf.org; last-call@ietf.org Subject: Re: [secdir] [Last-Call] [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06 See below... — Dr. Joe Touch, temporal epistemologist www.strayalpha.com On Jun 1, 2022, at 9:53 AM, Valery Smyslov <svan@elvis.ru> wrote: Hi Joe, From: secdir [ <mailto:secdir-bounces@ietf.org> mailto:secdir-bounces@ietf.org] On Behalf Of <mailto:touch@strayalpha.com> touch@strayalpha.com Sent: Wednesday, June 01, 2022 5:43 PM To: Valery Smyslov Cc: <mailto:draft-ietf-ipsecme-rfc8229bis.all@ietf.org> draft-ietf-ipsecme-rfc8229bis.all@ietf.org; <mailto:secdir@ietf.org> secdir@ietf.org; <mailto:ipsec@ietf.org> ipsec@ietf.org; <mailto:last-call@ietf.org> last-call@ietf.org Subject: Re: [secdir] [Last-Call] [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06 Hi, all, Overall, it seems sufficient to: - highlight how much more vulnerable this tunnel makes IPsec to DOS attacks i.e., that single packets can cause the entire connection to need to be reset Already in the draft. - indicate that there IS a way to avoid that hit by re-syncing the sync requires a scan, but that in some cases such a scan can be more efficient in than starting a new connection, although it does mean that such an attack may be more likely moving forward (note: restarting a connection might provide useful information to an attacker, where continuing may hide the impact of such an attack too, so resync has cons and pros). I’ve added some text about the possibility of a resync. About information for an attacker – if we talk about off-the-path attacker, then in general it is unaware of the results of its attack, it may only guess them indirectly. And since resync will take some time and thus introduce some delay, that may be visible to attacker, I’m not sure which method is preferable in this context – everything depends on specific conditions for the attacker. Yes, but a connection restart is much more potentially visible to an external viewer than a few IPsec packets inside the transfer being discarded. There may be other considerations. If the attack is successful, then the attacker has already guessed the correct sequence number and 4-tuple, so it is likely that it continues to inject data. So, you generally don’t know whether the stream you are using while trying to resync is genuine, and in fact the resync can never happen or will take a long time, during which the IKE SA will be closed by timeout. In contrast, re-creating TCP connection will stop the current attack, the attacker will need to start over. So I prefer the resync to be a MAY and the close to be a SHOULD. Regards, Valery. Joe
- [IPsec] Secdir last call review of draft-ietf-ips… Christian Huitema via Datatracker
- Re: [IPsec] Secdir last call review of draft-ietf… Valery Smyslov
- Re: [IPsec] [Last-Call] Secdir last call review o… Christian Huitema
- Re: [IPsec] [Last-Call] Secdir last call review o… touch@strayalpha.com
- Re: [IPsec] [Last-Call] Secdir last call review o… Valery Smyslov
- Re: [IPsec] [Last-Call] Secdir last call review o… touch@strayalpha.com
- Re: [IPsec] [Last-Call] Secdir last call review o… Valery Smyslov
- Re: [IPsec] [Last-Call] Secdir last call review o… touch@strayalpha.com
- Re: [IPsec] Secdir last call review of draft-ietf… Tero Kivinen
- Re: [IPsec] [Last-Call] Secdir last call review o… touch@strayalpha.com
- Re: [IPsec] Secdir last call review of draft-ietf… Valery Smyslov
- Re: [IPsec] [Last-Call] Secdir last call review o… Valery Smyslov
- Re: [IPsec] Secdir last call review of draft-ietf… Tero Kivinen
- Re: [IPsec] [Last-Call] Secdir last call review o… touch@strayalpha.com
- Re: [IPsec] [Last-Call] Secdir last call review o… touch@strayalpha.com
- Re: [IPsec] Secdir last call review of draft-ietf… Valery Smyslov
- Re: [IPsec] [Last-Call] Secdir last call review o… Valery Smyslov
- Re: [IPsec] [Last-Call] Secdir last call review o… Christian Huitema
- Re: [IPsec] [Last-Call] Secdir last call review o… Christian Huitema
- Re: [IPsec] Secdir last call review of draft-ietf… Tero Kivinen
- Re: [IPsec] Secdir last call review of draft-ietf… Valery Smyslov
- Re: [IPsec] [Last-Call] Secdir last call review o… touch@strayalpha.com
- Re: [IPsec] [secdir] [Last-Call] Secdir last call… Valery Smyslov
- Re: [IPsec] [secdir] [Last-Call] Secdir last call… Valery Smyslov
- Re: [IPsec] [Last-Call] [secdir] Secdir last call… touch@strayalpha.com
- Re: [IPsec] [secdir] [Last-Call] Secdir last call… touch@strayalpha.com
- Re: [IPsec] [Last-Call] [secdir] Secdir last call… Valery Smyslov
- Re: [IPsec] [secdir] [Last-Call] Secdir last call… Valery Smyslov
- Re: [IPsec] [Last-Call] [secdir] Secdir last call… touch@strayalpha.com
- Re: [IPsec] Secdir last call review of draft-ietf… Tero Kivinen