Re: [saag] can an on-path attacker drop traffic?

[Nico Williams <nico@cryptonector.com>]

On Sat, Oct 03, 2020 at 07:58:15PM -0700, Eric Rescorla wrote:
> On Sat, Oct 3, 2020 at 6:14 PM Dan Harkins <dharkins@lounge.org> wrote:
> >    It sounds like you're making a distinction between a passive attacker
> > and an active attacker. Which is fine but what use do you see in a protocol
> > that is secure against this "limited attacker" but not against the more
> > powerful attacker?

We could come up with a name for each set of attacker capabilities, or
we could just list the capabilities.  We should want a compact
representation so as to aid in keeping things pithy.

It is true that neither "on-path" nor "MITM" are sufficiently exact.

For example, "on-path" need not imply "active attacker", for example,
and "MITM" need not imply physically on-path.  And an active attacker
who is on-path can be an MITM at some layers but maybe not others.

An active attacker who is on-path should be able to observe, modify, and
insert messages, but dropping messages might be harder.  For example, in
a wireless system dropping a message might require jamming it, but that
would require making a decision to drop a particular message before the
transmission of it ends -- having to see the whole message first would
mean not being able to jam it because the whole message will also
already have been received by the intended recipient.

Note that in the wireless example "on-path" is just not a very good
descriptor at all.  If the communication is line-of-sight and the
attacker could literally block all radiation in the relevant frequencies
between the two end-points, then they can be on-path in the same sense
that the attacker could be on the wire.  Otherwise the attacker is
on-path some ways, and not at all in others.

IMO there's enough combinations that we probably just want to list the
attacker's capabilities.  We could encode it pithily as a set of one-
character flags, say:

  Ln{flags},Ln{flags}...

where <n> is a layer and {flags} is a set of letters, each representing
a capability:

 - O (observe)
 - M (modify)
 - I (insert)
 - D (drop)

E.g., 'L3O' == "on-path" eavesdropper, "L3OMID" == all-powerful on-path
MITM at layer 3 that a protocol might want to defend against, but taking
EKR's point about DoS (below) we might limit our threat models to just
L3OMI attackers.

Such pithy attacker capability description language would probably need
a lot of work to be really useful.  For example, a real attacker might
only be on-path enough to see some DNS traffic but then might leverage
DNS spoofing and cache poisoning to get itself to be on-path enough in
some cases.

> IMO the primary reason is that (!) there are some attacks which we do not
> presently know how to defend against in the case of a Dolev-Yao attacker,
> but which we can defend against a weaker attacker and (2) weaker attackers
> exist.
> 
> As a concrete example, it is possible for such an attacker to terminate
> even connections which are cryptographically protected (e.g., QUIC) by
> simply refusing to carry any packet, so in this respect, QUIC and TCP are
> similar. However a weaker attacker (e.g., an off-path attacker) can
> terminate TCP connections by forging RSTs, which does not work against QUIC
> because the connection termination signals are cryptographically protected.
> I believe this is of some security value -- though perhaps you don't agree,
> but we can only properly analyze it by considering a range of attacker
> capabilities.

This is a DoS attack.  It is true that many DoS attacks cannot be
defeated cryptographically.  For example, a physical cable cut cannot be
protected against with crypto.  What kinds of active attacks other than
DoS attacks cannot be defended against?

Nico
--