Re: [saag] can an on-path attacker drop traffic?

Paul Hoffman <paul.hoffman@vpnc.org> Sun, 04 October 2020 15:17 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34DC63A083F for <saag@ietfa.amsl.com>; Sun, 4 Oct 2020 08:17:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.622
X-Spam-Level:
X-Spam-Status: No, score=-1.622 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.274, MAY_BE_FORGED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eJ-g08u4NZku for <saag@ietfa.amsl.com>; Sun, 4 Oct 2020 08:17:15 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7146E3A0658 for <saag@ietf.org>; Sun, 4 Oct 2020 08:17:15 -0700 (PDT)
Received: from [10.32.60.37] (76-209-242-70.lightspeed.mtryca.sbcglobal.net [76.209.242.70] (may be forged)) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id 094FF9qh051524 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <saag@ietf.org>; Sun, 4 Oct 2020 08:15:10 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 76-209-242-70.lightspeed.mtryca.sbcglobal.net [76.209.242.70] (may be forged) claimed to be [10.32.60.37]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: IETF SAAG <saag@ietf.org>
Date: Sun, 04 Oct 2020 08:17:13 -0700
X-Mailer: MailMate Trial (1.13.2r5673)
Message-ID: <B065DBF3-B6BC-44A9-906A-AA51FEA9ADBC@vpnc.org>
In-Reply-To: <AD7F2CB8-6312-4E31-A4C9-29E81FDEC17E@huitema.net>
References: <CABcZeBPPZuRri7vC1gR+asmiyi+ABDA3RA16UHJQbEgW95+q_g@mail.gmail.com> <AD7F2CB8-6312-4E31-A4C9-29E81FDEC17E@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/4r9eqVVapf_EOwKCMWnSt2ILqi8>
Subject: Re: [saag] can an on-path attacker drop traffic?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Oct 2020 15:17:17 -0000

I like Christian's triage (minus the "men"). The "where are they 
relative to the path" differentiation is likely to be more 
understandable to people who are not security geeks than "what they can 
do with creative use of packets". Using a road analogy: a person running 
a tollbooth, a person who can watch the cars go by and tell his 
colleagues when to enter the stream in order to do damage, a person who 
cannot see the traffic or send in cars but can cause lightning storms 
and send fake news to the cars on the road.

--Paul Hoffman

On 3 Oct 2020, at 22:23, Christian Huitema wrote:

>> On Oct 3, 2020, at 8:00 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>> The QUIC 21.13.3.1 "on-path" attacker seems to be a Dolev-Yao 
>>> attacker.
>>>
>>> The 21.13.3.2 "off-path" attacker seems to have the ability to 
>>> observe
>>> packets, which I normally would not think an off-path attacker would 
>>> have.
>>> So this definition is very surprising to me.
>>
>> I agree it's not ideal. QUIC has been pubreq-ed, so you could raise 
>> it in IETF-LC.
>
> I think of it as man-in-the-middle, man-on-the-side and 
> man-in-the-rough. For me, the man in the middle is what EKR refers to 
> as the Dolev-Yao attacker; best hope there is to detect the attack and 
> reduce it to a denial of service.
>
> The man on the side is capable of reading the traffic and injecting 
> messages; it cannot easily delete messages,  but it can win races and 
> get his own fakery delivered before the genuine packets -- TCP RST is 
> an example of such attacks. Various national organizations have that 
> capability. It is much easier for them to implement than a full MITM. 
> I think that with effort we can defeat this class of attackers.
>
> The man in the rough does not see the traffic but can make guesses. 
> DDOS attacks, port scanning, observing or gaming DNS caches fall in 
> that category. Botnets sometimes resort to these attacks.
>
> And yes, in 2020 we probably need names that don't carry "man-in-foo" 
> imagery. But English is not my mother tongue...
>
> -- Christian Huitema