IETF Logo Mail Archive

Re: [Spud] The reset middleboxes attack

Eric Rescorla <ekr@rtfm.com> Sun, 29 March 2015 01:07 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0045E1A9104 for <spud@ietfa.amsl.com>; Sat, 28 Mar 2015 18:07:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.577
X-Spam-Level:
X-Spam-Status: No, score=-0.577 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8dgzYgBvJx7Z for <spud@ietfa.amsl.com>; Sat, 28 Mar 2015 18:07:25 -0700 (PDT)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01D061A9100 for <spud@ietf.org>; Sat, 28 Mar 2015 18:07:25 -0700 (PDT)
Received: by wibg7 with SMTP id g7so65061428wib.1 for <spud@ietf.org>; Sat, 28 Mar 2015 18:07:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=AbgzsJzyLHHhlGBxVP/CJzDDWD6LSHxbYMdui4SZKgQ=; b=FXkA6/8+TAB45iVo6LJKB0jbctmqkP+sqP8Qu1dbhs9MOpaKAZYnmgklmnmqgpmb4R 46PxNqZRIEsV8c3ZFd1CGUxfL6JneNA4CMBlUHmuh8jxOcgC3z+TgfEB1EKD3QB3gXrN M1XTa7rtM/vYJkkWSJ8QSxnazyxPrYn4k6jSIOHRnK1+N+IKetAf+Ljo3o1YgNNZitYl JiefdwKekOmCzHDlW9CJnFVkkmetvZkwLmYvvtL/hsPU6yn9hJQ7zfUo3iiFuTx4VYD2 Ni0nAUTAJzvLjAtFQb2IRL00GzmE7Ikd041r2/yj6kxLBoEisziCaRtj7spg7VdqYZZ1 cCbw==
X-Gm-Message-State: ALoCoQnSyYe8Rg/r3ucaCoaAzGFkrkDfPUBszTf0rZvkN2L0MOnrf39ZgJpdIp7ONWyqUXbajfth
X-Received: by 10.194.190.10 with SMTP id gm10mr50142234wjc.91.1427591243631; Sat, 28 Mar 2015 18:07:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.198 with HTTP; Sat, 28 Mar 2015 18:06:43 -0700 (PDT)
In-Reply-To: <DM2PR0301MB0655748F52C0984FB6BF8E93A8F60@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <DM2PR0301MB0655748F52C0984FB6BF8E93A8F60@DM2PR0301MB0655.namprd03.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 28 Mar 2015 18:06:43 -0700
Message-ID: <CABcZeBNY5M=jQcp6NxgCyGzwCnu+BaNZGqWmz8vBBBVOJ4HdqQ@mail.gmail.com>
To: Christian Huitema <huitema@microsoft.com>
Content-Type: multipart/alternative; boundary=047d7bea39f4f62637051262fc26
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/-KYJahfWufNWjn6H9qU2Ueb-m7k>
X-Mailman-Approved-At: Sat, 28 Mar 2015 20:02:39 -0700
Cc: Jana Iyengar <jri@google.com>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] The reset middleboxes attack
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Mar 2015 01:07:27 -0000

On Sat, Mar 28, 2015 at 5:17 PM, Christian Huitema <huitema@microsoft.com>
wrote:

> A key design element out of the SEMI workshop was a request to expose
> session "start and stop" to the path. The rationale is that middleboxes
> could then do a more efficient state management than the current
> timer-based solutions. The hosts would also benefit if they can do away
> with fewer keep alive packets to maintain the state open in the middleboxes.
>
> But there is a big issue. The end systems can distinguish between valid
> and invalid headers because the crypto ensures authentication of the clear
> text header. An attacker capable of packet injection cannot affect the
> state of the end systems, because the injected packets will fail the crypto
> checksum verification and be discarded. But if the hosts are protected, the
> middleboxes are not. They do not have access to the application
> credentials, and they cannot perform the crypto checksum verification. This
> opens the gates for two attacks.
>
> The first and obvious attack is the "middlebox reset" attack. An attacker
> injects a packet with a "stop" mark. Middleboxes on the path see that, and
> free the state associated with the session. NAT mapping disappear and
> firewall opening are closed. Even if the hosts are capable of rejecting the
> fake reset, their connection is still gone, because further packets will be
> discarded by the middleboxes.
>
> One of my coauthors (EKR or Jana, cannot remember) suggested a mitigation,
> which reminded me of the old "S-Key" scheme. Suppose that the "open" packet
> carries a "hash target" T, composed of an algorithm ID (say SHA256) and a
> binary string (32 bytes in the case of SHA256). The middleboxes remember
> that value as part of their state. We then require that the "stop" packets
> carry a "hash result" R, a binary string of arbitrary size. When the
> middleboxes on path see a reset packet, they check that H(R) = T. If it
> does not, they detect a spoofed reset, and discard the packet.
>

Actually it was AGL.

-Ekr


> I can see that implementers may not be enthusiastic with the additional
> complexity. But we would be naïve to just dismiss the attack. We do see
> attackers capable of eavesdropping traffic, and then injecting packets
> "from the side." I am sure that these attackers would find good use of a
> capability to nuke connections at will.
>
> -- Christian Huitema
>
>

v2.8.7 | Report a Bug | By Email