Re: I-D Action: draft-gont-6man-flowlabel-security-02.txt
Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 24 January 2012 20:18 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4406C21F84D6 for <ipv6@ietfa.amsl.com>; Tue, 24 Jan 2012 12:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.042
X-Spam-Level:
X-Spam-Status: No, score=-102.042 tagged_above=-999 required=5 tests=[AWL=-1.343, BAYES_00=-2.599, J_CHICKENPOX_14=0.6, MANGLED_OFF=2.3, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dP0cS0efcvmV for <ipv6@ietfa.amsl.com>; Tue, 24 Jan 2012 12:18:40 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id A269821F84D5 for <ipv6@ietf.org>; Tue, 24 Jan 2012 12:18:40 -0800 (PST)
Received: by iagf6 with SMTP id f6so6381750iag.31 for <ipv6@ietf.org>; Tue, 24 Jan 2012 12:18:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=nULD3NOmnRew/08qnmVyXKJAhG10JfvBuT0WwkJ0/40=; b=HcYN0tBI5mne5KZN7YsMA77kQ2nAl1QBSsqrNoP0Y8jjnyTq9DnzmtcMuSmQecSWXG SyGKoRLshTh/tpmu87OMa2G8QoxD+RWvpG31uM7TNKr9Ut5viQ+WZkLvg4lXtMKm40zc SRjf+B2SRAlE2OZd0S0ViXxMjse/63VE8EEX8=
Received: by 10.50.216.201 with SMTP id os9mr4951030igc.22.1327436320278; Tue, 24 Jan 2012 12:18:40 -0800 (PST)
Received: from [130.216.38.124] (stf-brian.sfac.auckland.ac.nz. [130.216.38.124]) by mx.google.com with ESMTPS id gd2sm24137069igc.1.2012.01.24.12.18.37 (version=SSLv3 cipher=OTHER); Tue, 24 Jan 2012 12:18:39 -0800 (PST)
Message-ID: <4F1F121D.40409@gmail.com>
Date: Wed, 25 Jan 2012 09:18:37 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Fernando Gont <fgont@si6networks.com>
Subject: Re: I-D Action: draft-gont-6man-flowlabel-security-02.txt
References: <20120113130238.26417.24991.idtracker@ietfa.amsl.com> <4F1E06DF.2090307@gmail.com> <4F1E1C38.1070901@si6networks.com> <4F1E1FC3.2000206@gmail.com> <4F1E30C4.8020408@si6networks.com>
In-Reply-To: <4F1E30C4.8020408@si6networks.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 20:18:41 -0000
On 2012-01-24 17:17, Fernando Gont wrote:
> On 01/24/2012 12:04 AM, Brian E Carpenter wrote:
>
>>>> Effectively the equivalent algorithm in RFC 6437 is
>>>>
>>>> Flow Label = F(Srce Addr, Dest Addr, Protocol #, Srce Port, Dest Port, Secret Key)
>>>>
>>>> which is less predictable, even if the port number is not randomized.
>>> If the attacker can predict the algorithm in
>>> draft-gont-6man-flowlabel-security-02.txt, he knows the IPv6 addresses
>>> of the two endpoints, and the secret key. So I don't see what'd be the
>>> real improvement of this variant.
>> With your proposal, after observing label N, you can (with reasonable probability)
>> predict label N+1; you don't need this to be 100% accurate to cause trouble.
>
> If the attacker can *observe* labels, why would he bother to "guess" them?
So that s/he can generate plausible bogons as part of a DOS attack. It seems
to me that predictability of the flow label is similar to predictability
of port numbers in that respect.
>>> Yes, now that the requirement of uniqueness has been relaxed, collisions
>>> are less important... but I don't see what's the "gain" of the modified
>>> expression you suggest above.
>> That label 4502 will essentially never be followed by label 4503,
>> which your method explictly allows (your Table 1). Include the counter in
>> the input to the hash function and this problem disappears.
>
> Well, one should clearly state the threat model:
> If you're thinking about off-path attackers, then the fact that flow
> labels corresponding to the same set (src IP, dst IP) will be
> incremental is irrelevant (the attacker knows that the Flow-IDs are a
> monotonically-increasing sequence, but does not know where that sequence
> is).
If you are trying to confuse a load balancing algorithm, being able to
predict the next new SYN packet, even only with partial success,
might be a useful thing. Since all major content providers run load
balancers, attacks on load balancing algorithms are an important
concern. If you can bias a load balancer to (almost) always pick
the same server, the content provider will not be happy.
(Note: I am not suggesting that existing load balancers are open
to such an attack, but we don't want the flow label to make things
worse.)
>
> If the threat model is that we're concerned about on-path attacker,
> then: game over: the attacker will always know the FlowLabel values,
> regardless of the algorithm that we use.
Indeed.
> That said, and as noted above, it is interesting to offer alternatives.
> For example, if you implement the hash-based approach described in my
> I-D, the first flow label is "expensive", but the rest are really cheap:
> e.g., just add the counter to the value of F() that you have recorded in
> the destinations cache. OTOH, randomizing every FlowLabel might be more
> expensive.
That depends on how much extra you pay for holding state in the destinations
cache. A stateless algorithm avoids that.
> I personally think that rather than enforcing a single algorithm, we
> should offer a set of possible algorithms, and discuss the tradeoffs --
> after all, not all implementations need to agree on the same algorithm.
Absolutely; that's why RFC 6437 does not specify an algorithm.
Brian
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian Haberman
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont