IETF Logo Mail Archive

Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

Tero Kivinen <kivinen@iki.fi> Tue, 31 May 2022 15:30 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 354A6C15C0B5; Tue, 31 May 2022 08:30:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.986
X-Spam-Level:
X-Spam-Status: No, score=-8.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RoXwBJx5LLHQ; Tue, 31 May 2022 08:30:38 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01F65C15C0AF; Tue, 31 May 2022 08:29:54 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by meesny.iki.fi (Postfix) with ESMTPSA id 941042016D; Tue, 31 May 2022 18:29:49 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1654010989; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pj+80q/tStdsRGuy7UikFaaEN/fER1QETNUDKK1Wrpc=; b=QgD6mn/TSmbwq2uNEq1vWER4jRW6eYxLzp6RJ3uL2Vs3SqtyVeXWXBn/l1rewZuUcaNXT8 5ZMOsRgF7PGRh+ZQsWEfSScu9z43hK4DtVO/a1gWdMDW0OWRapX7JNnMKnxqVitXKKkMaP lAuPb8ZxakvbPoaWbyu7VhbO2zlnD7E=
Received: by fireball.acr.fi (Postfix, from userid 15204) id BF65525C12E5; Tue, 31 May 2022 18:29:47 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25238.13419.293263.562580@fireball.acr.fi>
Date: Tue, 31 May 2022 18:29:47 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <svan@elvis.ru>
Cc: 'Christian Huitema' <huitema@huitema.net>, secdir@ietf.org, draft-ietf-ipsecme-rfc8229bis.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
In-Reply-To: <08f501d874df$90e95750$b2bc05f0$@elvis.ru>
References: <165377251630.6282.16767658545384357479@ietfa.amsl.com> <077301d8741b$c0fe9b40$42fbd1c0$@elvis.ru> <25237.6715.619617.181961@fireball.acr.fi> <08f501d874df$90e95750$b2bc05f0$@elvis.ru>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 18 min
X-Total-Time: 17 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1654010989; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pj+80q/tStdsRGuy7UikFaaEN/fER1QETNUDKK1Wrpc=; b=lCYzRuM54nGjH/E47HkCM2islmrVQJeAw9Qy45DHI9dBddePkvmb1YYdEKJ7QmC/Y1SvkP dbwVgvRpMqSi5q3YRcqQEXDvQhXsGJ3loCck5Vh205lLU6YA3GX5yGH8aVPG+IdyFwqP5H 7xLm/qabrQS6b/LVI36FytKE+gXoq1s=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1654010989; a=rsa-sha256; cv=none; b=ue1LJuJAHaGwMW7QroSXfcnw7fMttV9rqsbb4ebGzwjv23NF47EP/4AaSFwJvNorncNbzg d5CAMv9MB6n5A739D3zkWA6hY1Ehpu3qfGIMioMFz5Aj7Sq54Y7oTjyCWpiTgcY/R1TKQE fslDCV7wGBBC1KpFCBzX3quO/zAWiE4=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/tathZVnEmqlU4aNFmyaPfP3dnMw>
Subject: Re: [IPsec] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2022 15:30:44 -0000

Valery Smyslov writes:
> Agree, that's what is in the suggested text:
> 
>    o  if an attacker alters the content of the Length field that
>       separates packets, then the receiver will incorrectly identify the
>       margins of the following packets and will drop all of them or even
>       tear down the TCP connection if the content of the Length field
>       happens to be 0 or 1 (see Section 3)

I think we should tear down the TCP stream immediately if we detect
that length bytes can't be correct. I.e., if the length in TCP stream
and length in IKE packet do not match. We can authenticate the IKE
packet, and if it passes the authentication but tcp indicates wrong
length, then we know that someone messed up the TCP stream, and we
have no way of recovering from that other than restarting the TCP
stream.

> > I think we need to add text explaining how to detect when the TCP
> > length framing gets messed up by attacks, and how to recover (i.e.,
> > close down the TCP channel and recreate the TCP channel).
> 
> I'm not sure we must go so far and this complication is really
> needed. Let us make a distinction between on-the-path attackers and
> off-the-path ones. On-the-path attackers who are able to read,
> modify and inject (or even drop) packets can do a lot of bad things
> and modifying specifically the length field is not the easiest way
> to disrupt communication between peers. On contrast, it's quite a
> hard task for the off-the-path attacker, who cannot read the TCP
> stream, to modify exactly those two bytes in the stream where the
> Length sits. So, most probably a larger part of the stream will be
> corrupted, that will cause some packets drop, and, in case these are
> IKE packets, most probably the IKE SA will be teared down by the
> peers (due to timeout).

It does not need to modify exactly those two bytes, it just needs to
insert about 1500 bytes of data anywhere to the TCP stream. Most
likely that 1500 bytes will contain at least one TCP packet boundary,
and if we just insert random data there that will cause tcp packet
boundaries to get messed up from that point forward.

Most of the traffic in the stream will be ESP traffic, not IKE
traffic, quite often you do not have any IKE traffic there as there is
no need for it. If this attack is done on host B, then host B can't
receive any packets from A, but A will still receive packets from B.
After few tens of seconds the IKE of B will start liveness check using
IKE packet and after few minutes that will fail, and then IKE SA is
teared down. I.e., recover from that will take several minutes (i.e.,
in order of 5 minutes).

On the other hand B will almost immidiately notice it is getting 100%
of garbage from the ESP packets it is receiving from the tcp stream,
so it should be very easy for it to detect that something is wrong
(this of course assumes there is traffic going through the
connection). As there is no way of recover from this kind of situation
I think B should close the TCP connection almost immediately when it
starts getting too many ESP packets which fail authentication or even
basic sanity checks. If it can it can then reconnect or wait for the
other end to reconnect (depending which role it had originally).

It might also end up in situation where host B has received length
that is quite long (for example close to 64kB), and is buffering
incoming frames until it reaches that limit, and if there is little
traffic between hosts this might take long time, but luckily if there
is no traffic between, then the normal recover that takes few minutes
will kick in, and long recovery does not matter, as there is no
traffic... 

> Moreover, from my reading of RFC 5961, in many cases the result of
> data injection attack will be that RST will be sent by one of the
> peers (due to ACK war).
> 
> So, I'm not sure we should advise implementers to complicate their
> code for this specific case, because the final result will be the
> same. I think that it is enough if we mention the possibility of
> this event (as in the suggested text).

I do not think the result is same. Without special code, anybody who
can insert data to the TCP stream will be able to cause disruption
which takes several minutes to recover. With code that checks that if
sanity checks for incoming packets (IKE packet lengths, IKE
authentication, ESP sanity checks, ESP authentication) fails for
several packets in a row and closes the TCP connection, that will drop
that outage to seconds (few seconds to detect, and few seconds to
recreate TCP connection).
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email