Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: Implementation Considerations

<> Tue, 18 October 2016 17:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A3F98126D73 for <>; Tue, 18 Oct 2016 10:06:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LIo_RDnay5cx for <>; Tue, 18 Oct 2016 10:06:30 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 60B751293F3 for <>; Tue, 18 Oct 2016 10:06:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s2048; t=1476810389; bh=KWCTfElXE2rjaWy2FiK38NCT7rQyMOgbX02IklMFalU=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=kpIVGqFR+bbL8QKlSPpKBvT2aBFn9/Uc3ccr8r19KjS408SyZkHQbycG/6vXhCg9SeqNh8/FdolaDXNJgBdmZ7ce4a5x1sIISBoMIi+YNXGVCWDVX13qySu8boM6fTk54DeWentk/OQfMr2GtW80bYx6RWUxQdqf0vZS9vrPhK9Qn6rUFsORgkzF8o2T+eJ++C006+c5wTf+3F2qlw0B69fLR5h6GWqxKTg67qP61jZ9ExNuYzi3/C0XOEJf+F+OOqvQfEVgBHurrHbVFVFe/MYXH6XC/wZ12V+sn9hWDLFRwRDW+s9a6wRLWQ1FkgAXWudqT/ZBZXnIV3Ra/AO8+g==
Received: from [] by with NNFMP; 18 Oct 2016 17:06:29 -0000
Received: from [] by with NNFMP; 18 Oct 2016 17:03:22 -0000
Received: from [] by with NNFMP; 18 Oct 2016 17:03:18 -0000
Received: from [] by with NNFMP; 18 Oct 2016 17:03:18 -0000
X-Yahoo-Newman-Property: ymail-4
Received: from by; Tue, 18 Oct 2016 17:03:15 +0000; 1476810195.831
Date: Tue, 18 Oct 2016 17:03:13 +0000
To: Tero Kivinen <>
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Cc: "" <>, "" <>, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: Implementation Considerations
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 18 Oct 2016 17:06:32 -0000


Continuing the taking of issues 1 by 1.  
The discussion around Implementation Considerations boils down to two issues:

1.  Default value of PDM should be OFF

2.  It should not be possible to turn on PDM merely by receiving a packet with PDM in it.   

Current words:

"3.5 Implementation Considerations
The PDM destination options extension header SHOULD be turned on by each stack on a host node. It MAY also be turned on only in case of diagnostics needed for problem resolution."

Suggested changes:

"3.5 Implementation Considerations 

The PDM destination options extension header MUST be explicitly turned on by each stack on a host node by administrative action.  The default value of PDM is off.

PDM MUST NOT be turned on merely if a packet is received with a PDM header.  The received packet could be spoofed by another device."


Nalini Elkins (for the co-authors)
Inside Products, Inc.
(831) 659-8360

From: Tero Kivinen <>
Cc: "" <>; "" <>; "" <>
Sent: Monday, October 10, 2016 5:55 AM
Subject: Re: Secdir review of draft-ietf-ippm-6man-pdm-option-05 writes:
> >There are most likely also other kind of attacks, and as this is
> >service as ESP provides, it is not for PDM to break it unless you
> >explictly spell it out that this is meant to break property of the
> >ESP. 
> OK. I am convinced. I will tell you though that some of us in IPPM,
> we were quite excited (possibly naively) about being able to get
> some performance metrics for ESP.

Why do you think you can performance metrics for ESP in that case? 

> I wonder if it would be acceptable to say that PDM could be put into
> the Destination Option which precedes ESP if it is for an enterprise
> customer who owns the infrastructure and wishes to manage the
> network that way. Otherwise, I can change to say that only the Dest
> Opt following ESP can be used.

I would recommend that if you use transport mode ESP (i.e., where the
flow information would be leaked out from the ESP if PDM is used) then
it must be put inside the ESP. If you use tunnel mode ESP, then there
migth be two PDM headers in the packet, one in the inner packet inside
the ESP header (which has full IP header + destination options
including PDM option), and another one in the outer header, in which
case it would only cover the ESP as one flow (i.e., each ESP SA
identified by the SPIs would get separate PDM option).

I.e. in the Tunnel mode ESP you want to defined the "5-tuple" as:


Btw, in the ICMP etc you do not have port numbers. Are ICMP frames
related to the TCP flows matching the "5-tuple" of the TCP flow or are
they counted as separate?

Anyways so if you define Tunnel mode ESP that way, then you can get
some performance metrics from the ESP processing also. Then if the
enterprice is willing to sacrifice the traffic flow confidentiality,
they can turn on the sa-per-flow option of the IPsec implementation,
which will create separate SA pair for each TCP/UDP etc flow, so then
they will get exact measurements.

In normal case the Tunnel mode ESP will just provide performance
metrics for combination of all traffic inside the tunnel, not per

When using the Transport Mode ESP, then putting the PDM option inside
still provides performance metrics for the host. 

> >so the range is definately enough. The question is that if the scale
> >is from -127 to 128, why do we even need the Time Base?
> The time base is so that one does not have to be committed to
>  picoseconds / milliseconds, etc. Even in your example, I believe
>  you used "unit" or time base. Our thinking was that we wanted
>  future proof so as to be able to handle very small values and very
>  large (as may be needed for DTN, for example). We can see if we can
>  express years in picoseconds and see what happens. Then, the unit
>  would always be picoseconds.

Having scale from -127 to 128 will provide quite good future proof,
for at least for this universum.

Even if you used attoseconds as base, you could express 10^13 years
which is still more than 1000 times longer than the current age of the

> >3.5 Implementation Considerations
> >   The PDM destination options extension header SHOULD be turned on by
> >   each stack on a host node. It MAY also be turned on only in case of
> >   diagnostics needed for problem resolution.
> > so it seems it is on by default. 
> Will change to say that it MUST be turned on only by the stack and
> default value should be OFF.
> "The PDM destination options extension header MUST be turned on only
>   by administrative action at each stack on a host node. The default
>   mode for PDM is OFF."


> >Key management packets are usually in clear, as they are there before
> >we have the actual keys we can use to protect the messages. Also it is
> >not very difficult to guess that 3rd and 4th message in port 500, are
> >the IKE AUTH packets, which will contain signatures.
> >Same thing with TLS.
> >Attackers will knows which packets contain signatures. Currently
> >attackers usually send those signature packets themselves, and measure
> >the time it takes for the device to calculate response. They can also
> >send garbage packets, and detect how far in checking the packets got
> >by checking how long it took for the other end to send error message
> >back.
> >All this kind of timing attacks are usually considered hard, as the
> >network delays cause big jitter on the timings, and they need to try
> >multiple times, and average the response times to get the information
> >they need.
> >This method will provide them easy way to bypass that issue. 
> OK.  So, are you saying that PDM is attack vector for TLS and not
> just for ESP?

Yes, timing attacks are possible against any crypto protocol. If the
protocol and algorithms used in the protocol are specifically written
so that they are protected against timing attacks, they will not work,
but lots of the implementations and protocols care more about the
speed, than for the timing attacks, especially as launching them over
longer distance gets harder and harder as other things add random
times to measurements.

If this allows easy way to get exact timing information from the node
without any issues from the network latencies and so on, this might
open completely new ways to attack implementations and protocols.
Those attacks were not feasible before, but now they might be. 

> No, obviously not. So, now I am not sure where we are. Is there a
> complete objection to this draft or are there changes which can be
> made which would make this acceptable?

Yes, I do not think there is anything that cannot be fixed, but there
are things that needs fixing (from the security point of view):

1) Location of the PDM in ESP transport mode traffic.
2) Make sure this is turned off by default, and you do not want node
   to respond incoming PDM options unless turned on by adminstrator.
3) Add to security considerations section aclear warnings about the
   new possibilities for timing attacks if PDM is turned on.

(not sure if I forgot something).