[IPsec] AD review of draft-ietf-ipsecme-ddos-protection

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 09 September 2016 18:31 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 09 Sep 2016 14:31:41 -0400
Message-ID: <CAHbuEH7g-8RLZKQt1T1PsO33gpEAFgEQAbYM8LPrrM=g4t7=8Q@mail.gmail.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/y2v_-1J-BbdUeflsg1GjDGkzGMc>
Subject: [IPsec] AD review of draft-ietf-ipsecme-ddos-protection

Hello,

Thank you for your work on draft-ietf-ipsecme-ddos-protection.  This is
a good read that lays out the problem well and describes the solution
well.  Thanks for that!

I have some nits and questions before we put this into IETF last call.

Section 4.2 -
This level of detail is great.  Hopefully developers make sure logs
and other ways to help with troubleshooting are available to determine the number of
half-open SAs and failed IKE_AUTH exchanges.  Are these maintained with
counters (SNMP/YANG) or log entries or some other way?  Does this
matter, and does it need to be indicated here for developers so
implementors have the tools needed to determine next steps?

Section 4.6:  Suggest using some descriptive language instead of
saying 'garbage' in the following sentence for non-native English
speakers:

   The
   attacker can just send garbage in the IKE_AUTH message forcing the
   Responder to perform costly CPU operations to compute SK_* keys.

Same in section 4.7, maybe "meaningless bits" or something along those lines?

   Malicious
   initiators can use this feature to mount a DoS attack on the
   responder by providing an URL pointing to a large file possibly
   containing garbage.

Section 7.1.1.2: The following sentence could be cleaned up a bit
(last paragraph):
   The
   initial request message sent by the Initiator contains an SA payload
   with the list of transforms the Initiator supports and is willing to
   use in the IKE SA being established.

Section 7.2.1.1

The first sentence of course fits in this section, but has already
been said in the draft.  This whole section seems repetitious.  There
are a few places where text is repeated, is it possible to reduce
repetition?  It might not be for clarity as the sections vary, but an
effort to reduce it might make the latter part of the draft as easy to
read as the start.

Section 7.2.4: 4th paragraph, 1st sentence doesn't read well.  Can you
break it up and phrase the "non-first" differently?  I don't think that
is a term of art, is it?

   If the Initiator uses IKE Fragmentation, then it is possible, that
   due to packet loss and/or reordering the Responder could receive non-
   first IKE Fragment messages before receiving the first one containing
   the PS payload.


Thank you!

-- 

Best regards,
Kathleen
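
Added illustration for the Section 4.2 question above about how the
number of half-open SAs and failed IKE_AUTH exchanges might be kept. This
is a constructed example written for this page; it is not code from the
draft, from the reviewer, or from any IKEv2 implementation. The class and
method names, the thresholds, and the mapping of thresholds onto "cookie"
and "puzzle" are assumptions chosen to show the accounting, not the
draft's normative policy. Peer addresses and SPIs in the demo are made up.

```python
"""Per-peer accounting of half-open IKE SAs and failed IKE_AUTH exchanges
on a responder.

Constructed example; not code from draft-ietf-ipsecme-ddos-protection or
from any IKEv2 implementation.  Class/method names, thresholds and the
threshold -> "cookie"/"puzzle" mapping are assumptions for illustration.
"""
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PeerCounters:
    half_open: int = 0        # IKE_SA_INIT answered, IKE_AUTH not yet completed
    failed_ike_auth: int = 0  # IKE_AUTH exchanges that failed authentication
    timed_out: int = 0        # half-open SAs dropped without any IKE_AUTH


class HalfOpenTracker:
    """Tracks half-open SAs per peer address and exposes counters that an
    implementation could map onto SNMP/YANG objects or log lines."""

    def __init__(self, per_peer_limit=5, failed_auth_limit=3,
                 global_limit=1000, half_open_timeout=30.0,
                 clock=time.monotonic):
        self.per_peer_limit = per_peer_limit
        self.failed_auth_limit = failed_auth_limit
        self.global_limit = global_limit
        self.half_open_timeout = half_open_timeout
        self.clock = clock                     # injectable for tests
        self.peers = defaultdict(PeerCounters)
        self.open_sas = {}                     # (peer, spi_i) -> creation time

    def _expire(self):
        """Drop half-open SAs older than the timeout and count them."""
        now = self.clock()
        for key, created in list(self.open_sas.items()):
            if now - created > self.half_open_timeout:
                self._close(key)
                self.peers[key[0]].timed_out += 1

    def _close(self, key):
        del self.open_sas[key]
        self.peers[key[0]].half_open -= 1

    def on_ike_sa_init(self, peer, spi_i):
        """Responder has answered IKE_SA_INIT: the SA is now half-open."""
        self._expire()
        self.open_sas[(peer, spi_i)] = self.clock()
        self.peers[peer].half_open += 1

    def on_ike_auth(self, peer, spi_i, authenticated):
        """IKE_AUTH processed; returns False if the SA was unknown or expired."""
        self._expire()
        key = (peer, spi_i)
        if key not in self.open_sas:
            return False
        self._close(key)
        if not authenticated:
            self.peers[peer].failed_ike_auth += 1
        return True

    def defense_for(self, peer):
        """Assumed policy: 'puzzle' when the responder as a whole is at its
        half-open limit, 'cookie' when this peer alone is at its half-open
        or failed-auth limit, otherwise 'none'."""
        self._expire()
        if len(self.open_sas) >= self.global_limit:
            return "puzzle"
        p = self.peers[peer]
        if (p.half_open >= self.per_peer_limit
                or p.failed_ike_auth >= self.failed_auth_limit):
            return "cookie"
        return "none"

    def counters(self):
        """Snapshot suitable for export to a management interface or a log."""
        return {
            "total_half_open": len(self.open_sas),
            "peers": {peer: vars(c).copy() for peer, c in self.peers.items()},
        }


if __name__ == "__main__":
    tracker = HalfOpenTracker(per_peer_limit=3)
    for spi in range(3):                       # constructed sample traffic
        tracker.on_ike_sa_init("192.0.2.10", spi)
    print(tracker.defense_for("192.0.2.10"), tracker.counters())
```

The point of the injectable clock is that half-open SAs must age out, or a
peer that never sends IKE_AUTH pins its counter high forever; the
timed_out counter is the one a troubleshooter would want alongside the
raw half-open and failed-auth figures.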