Re: [secdir] Review of draft-ietf-ipsecme-esp-null-heuristics-06.txt

Dan McDonald <danmcd@sun.com> Wed, 03 March 2010 15:42 UTC

Return-Path: <danmcd@sun.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 69FED28C117; Wed, 3 Mar 2010 07:42:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.046
X-Spam-Level:
X-Spam-Status: No, score=-6.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LJeCwAf628aO; Wed, 3 Mar 2010 07:42:25 -0800 (PST)
Received: from brmea-mail-2.sun.com (brmea-mail-2.Sun.COM [192.18.98.43]) by core3.amsl.com (Postfix) with ESMTP id 79ED83A8ABD; Wed, 3 Mar 2010 07:42:24 -0800 (PST)
Received: from dm-east-01.east.sun.com ([129.148.9.192]) by brmea-mail-2.sun.com (8.13.6+Sun/8.12.9) with ESMTP id o23FgPlr004119; Wed, 3 Mar 2010 15:42:25 GMT
Received: from kebe.East.Sun.COM (kebe.East.Sun.COM [129.148.174.48]) by dm-east-01.east.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.4) with ESMTP id o23FgOtV007783; Wed, 3 Mar 2010 10:42:24 -0500 (EST)
Received: from kebe.East.Sun.COM (localhost [127.0.0.1]) by kebe.East.Sun.COM (8.14.4+Sun/8.14.4) with ESMTP id o23FT9b7003774; Wed, 3 Mar 2010 10:29:09 -0500 (EST)
Received: (from danmcd@localhost) by kebe.East.Sun.COM (8.14.4+Sun/8.14.4/Submit) id o23FT8up003773; Wed, 3 Mar 2010 10:29:08 -0500 (EST)
X-Authentication-Warning: kebe.East.Sun.COM: danmcd set sender to danmcd@sun.com using -f
Date: Wed, 3 Mar 2010 10:29:08 -0500
From: Dan McDonald <danmcd@sun.com>
To: Tero Kivinen <kivinen@iki.fi>
Message-ID: <20100303152908.GC23551@kebe.East.Sun.COM>
References: <20100302194822.EA82A22807@thrintun.hactrn.net> <19342.19442.798794.603092@fireball.kivinen.iki.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <19342.19442.798794.603092@fireball.kivinen.iki.fi>
Organization: Sun Microsystems, Inc. - Solaris Networking & Security
User-Agent: Mutt/1.5.20 (2009-06-14)
X-Mailman-Approved-At: Wed, 03 Mar 2010 08:38:38 -0800
Cc: ipsecme-chairs@tools.ietf.org, secdir@ietf.org, draft-ietf-ipsecme-esp-null-heuristics@tools.ietf.org, iesg@ietf.org
Subject: Re: [secdir] Review of draft-ietf-ipsecme-esp-null-heuristics-06.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 15:42:26 -0000

On Wed, Mar 03, 2010 at 01:45:54PM +0200, Tero Kivinen wrote:
> > - The discussion of failure modes for the heuristics is in section 3,
> >   with no reference from the Security Considerations section.
> 
> Do you have any concrete proposal what text to add to security
> considerations section?

Tero -- I will add some of your text below to both Section 3 and the Security
Considerations.

> > - The discussion of failure modes for the heuristics in section 3 is
> >   also incomplete: while it (correctly, I think) concludes that
> >   misclassifying traffic as ESP-NULL is no worse than a DoS attack
> >   which an attacker could have launched anyway, it does not discuss
> >   the other failure mode: what happens if a stream is misclassified as
> >   non-NULL ESP, thus (depending on policy) allowing it through without
> >   inspection, or dropping it on the floor?
> 
> It does say that valid ESP-NULL stream cannot be misclassified as
> non-ESP-NULL stream. The only way for valid ESP-NULL stream to be
> classified as non-ESP-NULL is that the packet does not look valid
> ESP-NULL packet (i.e. for example has garbage in the ESP padding), but
> then it is not valid ESP-NULL packet anymore.

Actually, it's possible that using an authentication algorithm of which the
inspector is not aware can cause ESP-NULL to be misclassified.  Other than
that, we catch everything else.

> I.e. valid EPS-NULL packets cannot be misclassified, but of course
> attacker can easily send packets which cause those packets to be
> misclassified as encrypted ESP, but on the other hand attacker can
> most likely also use encrypted ESP instead (as is listed in the
> security considerations section) if encrypted ESP packets are to be
> allowed to that host.

Rob -- are you also worried about flow-poisoning?  If an attacker manages (by
chance?) to trick an inspecting node into considering a flow encrypted, and
then the inspecting node *caches* that flow as poison (a bad implementation
choice, to be sure, but possible given how much crap is out there), then
legitimate ESP-NULL packets could be dropped.

> All of those depends very much about what kind of the policy is used
> in the intermediate devices. If the policy says drop all packets which
> cannot be inspected, then attacker does not gain anything by getting
> flow misclassified.

The attacker gains denial-of-service, which may be all he/she wants.

Dan