Re: I-D Action: draft-gont-6man-flowlabel-security-02.txt
Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 24 January 2012 20:18 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4406C21F84D6 for <ipv6@ietfa.amsl.com>; Tue, 24 Jan 2012 12:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.042
X-Spam-Level:
X-Spam-Status: No, score=-102.042 tagged_above=-999 required=5 tests=[AWL=-1.343, BAYES_00=-2.599, J_CHICKENPOX_14=0.6, MANGLED_OFF=2.3, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dP0cS0efcvmV for <ipv6@ietfa.amsl.com>; Tue, 24 Jan 2012 12:18:40 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id A269821F84D5 for <ipv6@ietf.org>; Tue, 24 Jan 2012 12:18:40 -0800 (PST)
Received: by iagf6 with SMTP id f6so6381750iag.31 for <ipv6@ietf.org>; Tue, 24 Jan 2012 12:18:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=nULD3NOmnRew/08qnmVyXKJAhG10JfvBuT0WwkJ0/40=; b=HcYN0tBI5mne5KZN7YsMA77kQ2nAl1QBSsqrNoP0Y8jjnyTq9DnzmtcMuSmQecSWXG SyGKoRLshTh/tpmu87OMa2G8QoxD+RWvpG31uM7TNKr9Ut5viQ+WZkLvg4lXtMKm40zc SRjf+B2SRAlE2OZd0S0ViXxMjse/63VE8EEX8=
Received: by 10.50.216.201 with SMTP id os9mr4951030igc.22.1327436320278; Tue, 24 Jan 2012 12:18:40 -0800 (PST)
Received: from [130.216.38.124] (stf-brian.sfac.auckland.ac.nz. [130.216.38.124]) by mx.google.com with ESMTPS id gd2sm24137069igc.1.2012.01.24.12.18.37 (version=SSLv3 cipher=OTHER); Tue, 24 Jan 2012 12:18:39 -0800 (PST)
Message-ID: <4F1F121D.40409@gmail.com>
Date: Wed, 25 Jan 2012 09:18:37 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Fernando Gont <fgont@si6networks.com>
Subject: Re: I-D Action: draft-gont-6man-flowlabel-security-02.txt
References: <20120113130238.26417.24991.idtracker@ietfa.amsl.com> <4F1E06DF.2090307@gmail.com> <4F1E1C38.1070901@si6networks.com> <4F1E1FC3.2000206@gmail.com> <4F1E30C4.8020408@si6networks.com>
In-Reply-To: <4F1E30C4.8020408@si6networks.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 20:18:41 -0000
On 2012-01-24 17:17, Fernando Gont wrote: > On 01/24/2012 12:04 AM, Brian E Carpenter wrote: > >>>> Effectively the equivalent algorithm in RFC 6437 is >>>> >>>> Flow Label = F(Srce Addr, Dest Addr, Protocol #, Srce Port, Dest Port, Secret Key) >>>> >>>> which is less predictable, even if the port number is not randomized. >>> If the attacker can predict the algorithm in >>> draft-gont-6man-flowlabel-security-02.txt, he knows the IPv6 addresses >>> of the two endpoints, and the secret key. So I don't see what'd be the >>> real improvement of this variant. >> With your proposal, after observing label N, you can (with reasonable probability) >> predict label N+1; you don't need this to be 100% accurate to cause trouble. > > If the attacker can *observe* labels, why would he bother to "guess" them? So that s/he can generate plausible bogons as part of a DOS attack. It seems to me that predictability of the flow label is similar to predictability of port numbers in that respect. >>> Yes, now that the requirement of uniqueness has been relaxed, collisions >>> are less important... but I don't see what's the "gain" of the modified >>> expression you suggest above. >> That label 4502 will essentially never be followed by label 4503, >> which your method explictly allows (your Table 1). Include the counter in >> the input to the hash function and this problem disappears. > > Well, one should clearly state the threat model: > If you're thinking about off-path attackers, then the fact that flow > labels corresponding to the same set (src IP, dst IP) will be > incremental is irrelevant (the attacker knows that the Flow-IDs are a > monotonically-increasing sequence, but does not know where that sequence > is). If you are trying to confuse a load balancing algorithm, being able to predict the next new SYN packet, even only with partial success, might be a useful thing. Since all major content providers run load balancers, attacks on load balancing algorithms are an important concern. If you can bias a load balancer to (almost) always pick the same server, the content provider will not be happy. (Note: I am not suggesting that existing load balancers are open to such an attack, but we don't want the flow label to make things worse.) > > If the threat model is that we're concerned about on-path attacker, > then: game over: the attacker will always know the FlowLabel values, > regardless of the algorithm that we use. Indeed. > That said, and as noted above, it is interesting to offer alternatives. > For example, if you implement the hash-based approach described in my > I-D, the first flow label is "expensive", but the rest are really cheap: > e.g., just add the counter to the value of F() that you have recorded in > the destinations cache. OTOH, randomizing every FlowLabel might be more > expensive. That depends on how much extra you pay for holding state in the destinations cache. A stateless algorithm avoids that. > I personally think that rather than enforcing a single algorithm, we > should offer a set of possible algorithms, and discuss the tradeoffs -- > after all, not all implementations need to agree on the same algorithm. Absolutely; that's why RFC 6437 does not specify an algorithm. Brian
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian Haberman
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Brian E Carpenter
- Re: I-D Action: draft-gont-6man-flowlabel-securit… Fernando Gont