Re: [secdir] sec-dir review of draft-ietf-ipsecme-ikev2-fragmentation-06

Valery Smyslov <svan@elvis.ru> Thu, 03 April 2014 15:19 UTC

Return-Path: <svan@elvis.ru>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0EC31A024E; Thu, 3 Apr 2014 08:19:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.301
X-Spam-Level:
X-Spam-Status: No, score=-97.301 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, STOX_REPLY_TYPE=0.439, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8vk2lLztqXq; Thu, 3 Apr 2014 08:18:57 -0700 (PDT)
Received: from fish.elvis.ru (fish.elvis.ru [82.138.51.18]) by ietfa.amsl.com (Postfix) with ESMTP id 8EFEE1A0226; Thu, 3 Apr 2014 08:18:55 -0700 (PDT)
Received: from [10.111.1.40] (helo=robin.office.elvis.ru) by fish.elvis.ru with esmtp (Exim 4.76) (envelope-from <svan@elvis.ru>) id 1WVjPk-0006Hz-2U; Thu, 03 Apr 2014 19:18:48 +0400
Received: from buildpc (10.111.10.31) by robin.office.elvis.ru (10.111.1.40) with Microsoft SMTP Server id 14.1.438.0; Thu, 3 Apr 2014 19:18:48 +0400
Message-ID: <038E8235A7E047809B765B35F995772A@buildpc>
From: Valery Smyslov <svan@elvis.ru>
To: Derek Atkins <derek@ihtfp.com>
References: <sjmzjk2ijfd.fsf@mocana.ihtfp.org> <B90F5487B44E4F5E9B0904B14FE94D90@buildpc> <89fe86e74a6e22a538adcc0cc3db2489.squirrel@mail2.ihtfp.org>
Date: Thu, 3 Apr 2014 19:18:46 +0400
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/fM0_hDA3FYhiwFHdSEOHSU6csvY
Cc: ipsecme-chairs@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] sec-dir review of draft-ietf-ipsecme-ikev2-fragmentation-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Apr 2014 15:19:01 -0000

Hi,

>> Note, that in this proposal each IKE fragment is individually protected -
>> encrypted and authenticated. Forged fragments will be detected
>> before they are placed into reassembling queue and thus they
>> couldn't exhaust receiver's resources - only fragments from real peer
>> will be taken into consideration. And if attacker is capable enough
>> to drop an arbitrary IP packet, than there is no protection
>> anyway - the connection will fail on attacker's will in any case,
>> with or without IKE fragmentation.
>
> It's only authenticated in the sense that you have to have already had a
> full round trip so yes, an attacker can not forge their source IP.  But

No, it is fully cryptographically authenticated. IKE fragmentation
may only take place after shared keys (SK_*) keys are computed.

> that doesn't prevent a true DDoS where real hosts (think botnet) all
> perform a real IKE_SA_INIT and then use their sessions to build a lot of
> held state with "fake" fragments that will never complete.

Messages of IKE_SA_INIT cannot be fragmented with this proposal,
because SK_* are not yet computed. This is limitation, mentioned in the 
draft.
It is assumed that IKE_SA_INIT messages can
be made relatively small to avoid IP fragmentation.

> Like I said, it's an improvement because it's not at the kernel IP layer,
> and theoretically there are more resources available at the IKE layer.
> But it probably should still be mentioned.  (Not that IKE without
> fragmentation isn't also subject to this kind of DDoS attack).

As I've said, IKE_SA_INIT are beyond this proposal
(and IKE_SA_RESUME also, if we count in IKE session resumption
protocol). But messages of the other exchanges can be
fragmented with full cryptographic protection, including
authentication of each fragment, and I don't think this attack is possible
here (and it was one of the goals to prevent this kind of attack).

Regards,
Valery.

> Thanks,
>
>>
>> Regards,
>> Valery Smyslov.
>
> -derek
>
> -- 
>       Derek Atkins                 617-623-3745
>       derek@ihtfp.com             www.ihtfp.com
>       Computer and Internet Security Consultant
>