Re: [IPsec] AD review of draft-ietf-ipsecme-ddos-protection
"Valery Smyslov" <svanru@gmail.com> Fri, 09 September 2016 20:01 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F28DA12B337 for <ipsec@ietfa.amsl.com>; Fri, 9 Sep 2016 13:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.261
X-Spam-Level:
X-Spam-Status: No, score=-2.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UMixy5wW8gNI for <ipsec@ietfa.amsl.com>; Fri, 9 Sep 2016 13:01:12 -0700 (PDT)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20EB412B22C for <ipsec@ietf.org>; Fri, 9 Sep 2016 13:01:11 -0700 (PDT)
Received: by mail-lf0-x231.google.com with SMTP id l131so51445499lfl.2 for <ipsec@ietf.org>; Fri, 09 Sep 2016 13:01:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:references:in-reply-to:subject:date:mime-version :content-transfer-encoding:importance; bh=YAymbDkyhSCxu+E/SNxBVG8KhZYgOd+6QSKMPU4UtGQ=; b=sIqXI+hltBn47l8J37rtahshqj64ZIfKeOquPPg0ed5Lc/P5rvpdo4DZzMuHbFDX/d e7A9WbpnwZ13UMhN8dFLi0asInWZjVXJOpk60rxzYvnfIfmCPfV0vouyhmKQcK3el14Z vPM6azfyqSOdonYVCdt7L4I93aUFwX2cvYLt08Zpj9CM50CCWnf1VrgA+QsBORejtpMF f44cI1Crug56WJjqP91V/U12fG2pYslvCzAWtPuOTIL4x8oXFo0yJGYCA724GImP7TCK h0/EPX4N72Dx5OaVwE4qYrwBKzyhteDp+1/Rqm3zmD3taQWLTHZUhVJbCknV1FxnvezS YNYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:references:in-reply-to :subject:date:mime-version:content-transfer-encoding:importance; bh=YAymbDkyhSCxu+E/SNxBVG8KhZYgOd+6QSKMPU4UtGQ=; b=je7i0zpDfUOuvpRR/Y1Q7zPOJ2bVlYrF+dl2Nx21AphMLlkmSpgWDVZ6TX0PEIO4XZ Wt8G644BtTcbPgDQkdtvhTtubIlvH8O4ho/mrcsJUhqTqc9vZhQwzMsT8/GuIgSV7FhD rWPdjBQv4OAbDO6oH1MKQJv19OzITRp9Lv3yZZc0wtFcd0K7rRTksBpxTQVl65nRcF1N PVJIxOn6fyJhP6G0NdsLl9C3crSvlwdyIu/rqTDOXAKp5WpmpAC4QymnSnqTTJEotFEv ICt3Y6SEoB76GM0h/lP+KyCnrr3b7J5E0QrKmp7rOvMh46E/YfctqMqi6bz3iumeDKvK 92BQ==
X-Gm-Message-State: AE9vXwPAzXsQDf6zeaUAcCn9D4TObp/ePtS8jfvYEa/PN/oMfsPL1vrN9g+SnWBPUbrh4g==
X-Received: by 10.46.9.13 with SMTP id 13mr1833461ljj.2.1473451269090; Fri, 09 Sep 2016 13:01:09 -0700 (PDT)
Received: from chichi (ppp83-237-170-241.pppoe.mtu-net.ru. [83.237.170.241]) by smtp.gmail.com with ESMTPSA id t78sm844834lfi.43.2016.09.09.13.01.07 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 09 Sep 2016 13:01:08 -0700 (PDT)
Message-ID: <F059BEF961BB49B6BFA4B38FE154E010@chichi>
From: Valery Smyslov <svanru@gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, ipsec@ietf.org
References: <CAHbuEH7g-8RLZKQt1T1PsO33gpEAFgEQAbYM8LPrrM=g4t7=8Q@mail.gmail.com>
In-Reply-To: <CAHbuEH7g-8RLZKQt1T1PsO33gpEAFgEQAbYM8LPrrM=g4t7=8Q@mail.gmail.com>
Date: Fri, 09 Sep 2016 23:01:02 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/wTxkLDB0sk07DrBPyQopD3E6hXk>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-ddos-protection
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2016 20:01:14 -0000
Hi Kathleen,
thank you for the review. I'll try to answer.
> Hello,
>
> Thank you for you work on draft-ietf-ipsecme-ddos-protection. This is
> a good read that lays out the problem well and describes the solution
> well. Thanks for that!
>
> I have some nits and questions before we put this into IETF last call.
>
> Section 4.2 -
> This level of detail is great. Hopefully developers make sure logs
> and other ways to help with troubleshooting to determine the number of
> half open SA and failed IKE-Auth exchanges. Are these maintained with
> counters (SNMP/YANG) or log entries or some other way? Does this
> matter and does it need to be indicated here for developers so
> implementors have the tools needed to determine next steps?
I think that it is a local matter how implementations measure the number
of half-open SAs. It is possible to maintain some counters or
parse local log files. Or, for example, just call size() method
for some kind of container (list, map) in case all half-open SAs are placed there.
The only requirement is that implementations must do this measuring
periodically to get a picture of what is happening. Again, it is a local
matter how often implementations should learn the number of half-open SAs,
the draft doesn't impose any restrictions.
Do you think some clarification is needed here?
> Section 4.6: Suggest using some descriptive language instead of
> saying 'garbage' in the following sentence for non-native English
> speakers:
>
> The
> attacker can just send garbage in the IKE_AUTH message forcing the
> Responder to perform costly CPU operations to compute SK_* keys.
How about:
Instead of sending properly formed and encrypted IKE_AUTH message the
attacker can just send arbitrary data, forcing the Responder
to perform costly CPU operations to compute SK_* keys.
(by the way, I'm a non-native English speaker, and the word "garbage"
doesn't shock me here, but I agree that more formal language is probably better)
> Same in section 4.7, maybe "meaningless bits" or something along those lines?
Great! Definitely better from my point of view, thank you.
> Malicious
> initiators can use this feature to mount a DoS attack on the
> responder by providing an URL pointing to a large file possibly
> containing garbage.
>
> Section 7.1.1.2: The following sentence could be cleaned up a bit
> (last paragraph):
> The
> initial request message sent by the Initiator contains an SA payload
> with the list of transforms the Initiator supports and is willing to
> use in the IKE SA being established.
I'm not sure what's wrong with this sentence, but I'll try. Is the followng better?
The
initial request message sent by the Initiator, contains an SA payload,
containing a list of transforms. The Initiator supports all transforms
from this list and can use any of them in the IKE SA being established.
> Section 7.2.1.1
>
> The first sentence of course fits in this section, but has already
> been said in the draft. This whole section seems repetitious. There
> are a few places where text is repeated, is it possible to reduce
> repetition? It might not be for clarity as the sections vary, but an
> effort to reduce it might make the latter part of the draft as easy to
> read as the start.
Yes, this sentence almost duplicates the sentence from the second para
of previous Section (7.2). But I'd rather to keep it in 7.2.1.1 and just
remove from 7.2, because 7.2.1.1 gives more detailed instructions
to implementers while 7.2 is just an overview.
Are you OK with this?
> Section 7.2.4: 4th paragraph, 1st sentence doesn't read well. Can you
> break it up and phase the "non-first" differently? I don't think that
> is a term of art, is it?
>
> If the Initiator uses IKE Fragmentation, then it is possible, that
> due to packet loss and/or reordering the Responder could receive non-
> first IKE Fragment messages before receiving the first one containing
> the PS payload.
How about:
If the Initiator uses IKE Fragmentation, then it sends all IKE Fragment messages simultaneously.
Due to packets loss and/or reordering the Responder could receive
subsequent IKE Fragment messages before receiving the first one, that contains
the PS payload.
Thank you,
Valery.
> Thank you!
>
> --
>
> Best regards,
> Kathleen
- [IPsec] AD review of draft-ietf-ipsecme-ddos-prot… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-ddos-… Valery Smyslov
- Re: [IPsec] AD review of draft-ietf-ipsecme-ddos-… kathleen.moriarty.ietf