Re: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-protection-00.txt
"Graham Bartlett (grbartle)" <grbartle@cisco.com> Wed, 29 October 2014 22:38 UTC
Return-Path: <grbartle@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69D751AC3A9 for <ipsec@ietfa.amsl.com>; Wed, 29 Oct 2014 15:38:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5eEBV5rI1w9u for <ipsec@ietfa.amsl.com>; Wed, 29 Oct 2014 15:38:30 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F3BF1A9174 for <ipsec@ietf.org>; Wed, 29 Oct 2014 15:38:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10457; q=dns/txt; s=iport; t=1414622311; x=1415831911; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=G+CGGwu2sO009WQygFXe0defQXfU6uIDo3SjahWn8jw=; b=P7xwwPThNBTPHptJbcZ3EQzYhXXYWMntYa5ZM9MwT+ifrKl6G1ycnMvB l1VM4CSvWj5yanyOv3n/VV2p1QY3iQLJ7pnedxR6ivtUHxX4oIgw9x3IM okT1VhMil9eMQRCUTWwdo9K1VneLre5sLxykmUq5teLXSqoO/QukCHJ5Z c=;
X-Files: smime.p7s : 3708
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag4FACVrUVStJA2G/2dsb2JhbABTCYJrI1RYBM4bCodNAoEfFgEBAQEBfYQDAQEEAQEBawYFEAIBCA44AiULJQIEDgUOiDMBDMgWAQEBAQEBAQEBAQEBAQEBAQEBARmKdIVBBAkzGwcJhEIFkg2CEoFQaIcTgTE8gw6NPIQJggYYgVpsgQdBgQMBAQE
X-IronPort-AV: E=Sophos;i="5.07,280,1413244800"; d="p7s'?scan'208";a="91537046"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-3.cisco.com with ESMTP; 29 Oct 2014 22:38:30 +0000
Received: from xhc-rcd-x04.cisco.com (xhc-rcd-x04.cisco.com [173.37.183.78]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id s9TMcTqZ008139 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 29 Oct 2014 22:38:29 GMT
Received: from xmb-aln-x13.cisco.com ([fe80::5404:b599:9f57:834b]) by xhc-rcd-x04.cisco.com ([fe80::200:5efe:173.37.183.34%12]) with mapi id 14.03.0195.001; Wed, 29 Oct 2014 17:38:29 -0500
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-protection-00.txt
Thread-Index: AQHP8i/ndE20tkR+3keWIkzyL6SKVZxIAZQA
Date: Wed, 29 Oct 2014 22:38:28 +0000
Message-ID: <D0771C85.3154C%grbartle@cisco.com>
References: <20141027214823.13103.25135.idtracker@ietfa.amsl.com>
In-Reply-To: <20141027214823.13103.25135.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
x-originating-ip: [10.61.81.238]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3497467112_7791159"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/vBxaxWNvOgpSTcJrBXmowZzXGSI
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-protection-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 22:38:32 -0000
Hi Yoav
I have some comments, which I have included below, I hope I have
interoperated your document correctly.
<<>>
Within section 2 I feel the following (or similar should be added).
RFC6989 defines a set of checks to be performed on received DH public
values, the checks against a malformed DH value prevents a vulnerability
when DH values are reused between peers. These checks can be very
computationally expensive. The check is performed in SA_INIT when the DH
value is received, in this case Stage #1 would increase in CPU power
consumed.
GB> from memory Yaron mentioned about the checks being performed when
IKE_AUTHis received, RFC6989 states the checks should be performed when
the public value
is received, if the checks can be performed at IKE_AUTH then maybe add the
following?
Although this check could be delayed until the encrypted IKE_AUTH is
received, should this check fail at Stage #2 the keys would never be
derived.
<<>>
A strategy against DDoS has to rely on at least 4 components:
1. Hardening the half-open SA database by reducing retention time.
2. Hardening the half-open SA database by rate-limiting single IPs/
prefixes.
3. Guidance on what to do when an Authentication request fails to
Decrypt.
GB> I believe another check should be added between 2 and 3. (step 3 now
become step 4)
3. Guidance on what to do when a number of DH Public Key value check fails
(if RFC6989 checks are used).
(the reason being if this was the case, you'd never get to # 3.)
<<>>
In the following you say that puzzle shouldn't be used, but then say about
setting the level ?
When there is no general DDoS attack, it is suggested that no Cookie
or puzzles be used. At this point the only defensive measure is the
monitoring, and setting a soft limit per peer IP or prefix. The soft
limit can be set to 3-5, and the puzzle difficulty should be set to
such a level (number of zero-bits) that all legitimate clients can
handle it without degraded user experience.
Maybe change to ?
'can be set to 3-5, and should the puzzle be used, the difficulty..'
<<>>
Supposing the the tunnels are established
using EAP (see section 2.16 or RFC 7296)
GB> 'or' should be 'of'
<<>>
I don't think the first thing is something we can deal with at the
IKE level. It's probably better left to Intrusion Prevention System
(IPS) technology.
GB> I thought that we could add some words to how to help configure the
IPS?
(the following is an example of an idea I had)..
Should an IPS or similar device be used when a VPN headend is under very
heavy
load when receiving many spoofed SA_INIT request. A strategy to note the
IP TTL of IP addresses that leave 1/2 open connections and rate limit any
requests that have a TTL at or below this value could be employed.
<<>>
Could you add the following to Section 7?
As the puzzle is performed before the peer can reveal its identity, VPN
headends can be deployed in a fashion where similar resourced clients are
grouped in collections to connect to the same headend, this allows for
puzzles of similar difficulty to be given to clients with similar
processing power. Note that the idea of groups clients of similar
processing power allows an attacker to prey on groups of low powered
clients.
<<>>
I have some more ideas that I'll follow up soon.
Many thanks
On 27/10/2014 21:48, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
wrote:
>
>A New Internet-Draft is available from the on-line Internet-Drafts
>directories.
> This draft is a work item of the IP Security Maintenance and Extensions
>Working Group of the IETF.
>
> Title : Protecting Internet Key Exchange (IKE)
>Implementations from Distributed Denial of Service Attacks
> Author : Yoav Nir
> Filename : draft-ietf-ipsecme-ddos-protection-00.txt
> Pages : 12
> Date : 2014-10-27
>
>Abstract:
> This document recommends implementation and configuration best
> practices for Internet-connected IPsec Responders, to allow them to
> resist Denial of Service and Distributed Denial of Service attacks.
> Additionally, the document introduces a new mechanism called "Client
> Puzzles" that help accomplish this task.
>
>
>The IETF datatracker status page for this draft is:
>https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ddos-protection/
>
>There's also a htmlized version available at:
>http://tools.ietf.org/html/draft-ietf-ipsecme-ddos-protection-00
>
>
>Please note that it may take a couple of minutes from the time of
>submission
>until the htmlized version and diff are available at tools.ietf.org.
>
>Internet-Drafts are also available by anonymous FTP at:
>ftp://ftp.ietf.org/internet-drafts/
>
>_______________________________________________
>IPsec mailing list
>IPsec@ietf.org
>https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] I-D Action: draft-ietf-ipsecme-ddos-prote… internet-drafts
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-p… Graham Bartlett (grbartle)
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-ddos-p… Graham Bartlett (grbartle)