Re: [saag] can an on-path attacker drop traffic?

Nico Williams <nico@cryptonector.com> Sun, 04 October 2020 22:17 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA0393A0A50 for <saag@ietfa.amsl.com>; Sun, 4 Oct 2020 15:17:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y3ORZNEvFFE5 for <saag@ietfa.amsl.com>; Sun, 4 Oct 2020 15:17:24 -0700 (PDT)
Received: from bumble.birch.relay.mailchannels.net (bumble.birch.relay.mailchannels.net [23.83.209.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F12AC3A0A49 for <saag@ietf.org>; Sun, 4 Oct 2020 15:17:23 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 2451C640987; Sun, 4 Oct 2020 22:17:23 +0000 (UTC)
Received: from pdx1-sub0-mail-a98.g.dreamhost.com (100-100-138-5.trex.outbound.svc.cluster.local [100.100.138.5]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 86A59640446; Sun, 4 Oct 2020 22:17:22 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a98.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.10); Sun, 04 Oct 2020 22:17:23 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Thoughtful-Abaft: 1b2de5f442860f42_1601849842854_4152633201
X-MC-Loop-Signature: 1601849842854:518875501
X-MC-Ingress-Time: 1601849842854
Received: from pdx1-sub0-mail-a98.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a98.g.dreamhost.com (Postfix) with ESMTP id 01E27BA831; Sun, 4 Oct 2020 15:17:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=2IGYF/vRD9JeWH /oYMXyeXcoTbE=; b=U4E5AbjKgQ9VjX4WNk9sutspRv5YGWzL+D/40qo90SRws3 mxtusTPZm3N9annVx4a05AAfksq+/HE0XJFClR/2Lmov25NGpaT1Fv+vVIxjjqXc puxAgFjkEYJM46vbKGgPpcbAbkGWdpJNp51FEWMXcZBJzhJ/RtumsaZplu4tI=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a98.g.dreamhost.com (Postfix) with ESMTPSA id 4228FBA82F; Sun, 4 Oct 2020 15:17:18 -0700 (PDT)
Date: Sun, 4 Oct 2020 17:17:16 -0500
X-DH-BACKEND: pdx1-sub0-mail-a98
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Dan Harkins <dharkins@lounge.org>, Michael Richardson <mcr+ietf@sandelman.ca>, Fernando Gont <fernando@gont.com.ar>, IETF SAAG <saag@ietf.org>
Message-ID: <20201004221715.GB3100@localhost>
References: <4645.1599064072@localhost> <6859c97d-3f0c-0361-5e72-5b82e93568f7@gont.com.ar> <CABcZeBNuBhu8KUoZJsY3VR8LzDa78_n53rRZ-5nMrpCbqh_6KQ@mail.gmail.com> <6be61826-6467-ba49-c88e-c20e717a3b41@lounge.org> <CABcZeBO3sZTVL002FzHnpuqpAxe45_3JBZPRYRFScML8JCDUqg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CABcZeBO3sZTVL002FzHnpuqpAxe45_3JBZPRYRFScML8JCDUqg@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedujedrgedugddtlecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecuggftrfgrthhtvghrnhepffdtkeethfeuteeviefgfeegjeetjedvhfehgfdvtdefueejheelgeeuhffghffgnecukfhppedvgedrvdekrddutdekrddukeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomh
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/yKAtPlTek0opBDOJ85nsRyJ8b-w>
Subject: Re: [saag] can an on-path attacker drop traffic?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Oct 2020 22:17:27 -0000

On Sat, Oct 03, 2020 at 07:58:15PM -0700, Eric Rescorla wrote:
> On Sat, Oct 3, 2020 at 6:14 PM Dan Harkins <dharkins@lounge.org> wrote:
> >    It sounds like you're making a distinction between a passive attacker
> > and an active attacker. Which is fine but what use do you see in a protocol
> > that is secure against this "limited attacker" but not against the more
> > powerful attacker?

We could come up with a name for each set of attacker capabilities, or
we could just list the capabilities.  We should want a compact
representation so as to aid in keeping things pithy.

It is true that neither "on-path" nor "MITM" are sufficiently exact.

For example, "on-path" need not imply "active attacker", for example,
and "MITM" need not imply physically on-path.  And an active attacker
who is on-path can be an MITM at some layers but maybe not others.

An active attacker who is on-path should be able to observe, modify, and
insert messages, but dropping messages might be harder.  For example, in
a wireless system dropping a message might require jamming it, but that
would require making a decision to drop a particular message before the
transmission of it ends -- having to see the whole message first would
mean not being able to jam it because the whole message will also
already have been received by the intended recipient.

Note that in the wireless example "on-path" is just not a very good
descriptor at all.  If the communication is line-of-sight and the
attacker could literally block all radiation in the relevant frequencies
between the two end-points, then they can be on-path in the same sense
that the attacker could be on the wire.  Otherwise the attacker is
on-path some ways, and not at all in others.

IMO there's enough combinations that we probably just want to list the
attacker's capabilities.  We could encode it pithily as a set of one-
character flags, say:

  Ln{flags},Ln{flags}...

where <n> is a layer and {flags} is a set of letters, each representing
a capability:

 - O (observe)
 - M (modify)
 - I (insert)
 - D (drop)

E.g., 'L3O' == "on-path" eavesdropper, "L3OMID" == all-powerful on-path
MITM at layer 3 that a protocol might want to defend against, but taking
EKR's point about DoS (below) we might limit our threat models to just
L3OMI attackers.

Such pithy attacker capability description language would probably need
a lot of work to be really useful.  For example, a real attacker might
only be on-path enough to see some DNS traffic but then might leverage
DNS spoofing and cache poisoning to get itself to be on-path enough in
some cases.

> IMO the primary reason is that (!) there are some attacks which we do not
> presently know how to defend against in the case of a Dolev-Yao attacker,
> but which we can defend against a weaker attacker and (2) weaker attackers
> exist.
> 
> As a concrete example, it is possible for such an attacker to terminate
> even connections which are cryptographically protected (e.g., QUIC) by
> simply refusing to carry any packet, so in this respect, QUIC and TCP are
> similar. However a weaker attacker (e.g., an off-path attacker) can
> terminate TCP connections by forging RSTs, which does not work against QUIC
> because the connection termination signals are cryptographically protected.
> I believe this is of some security value -- though perhaps you don't agree,
> but we can only properly analyze it by considering a range of attacker
> capabilities.

This is a DoS attack.  It is true that many DoS attacks cannot be
defeated cryptographically.  For example, a physical cable cut cannot be
protected against with crypto.  What kinds of active attacks other than
DoS attacks cannot be defended against?

Nico
--