IETF Logo Mail Archive

Re: [Spud] The reset middleboxes attack

Dave Dolson <ddolson@sandvine.com> Sun, 29 March 2015 18:38 UTC

Return-Path: <ddolson@sandvine.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A21521A7022 for <spud@ietfa.amsl.com>; Sun, 29 Mar 2015 11:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zx0_RTeD0TNs for <spud@ietfa.amsl.com>; Sun, 29 Mar 2015 11:38:57 -0700 (PDT)
Received: from mail1.sandvine.com (mail1.sandvine.com [64.7.137.165]) by ietfa.amsl.com (Postfix) with ESMTP id F12FE1A702D for <spud@ietf.org>; Sun, 29 Mar 2015 11:38:53 -0700 (PDT)
Received: from WTL-EXCHP-2.sandvine.com ([fe80::68ac:f071:19ff:3455]) by WTL-EXCHP-3.sandvine.com ([::1]) with mapi id 14.03.0195.001; Sun, 29 Mar 2015 14:38:53 -0400
From: Dave Dolson <ddolson@sandvine.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Christian Huitema <huitema@microsoft.com>
Thread-Topic: [Spud] The reset middleboxes attack
Thread-Index: AdBps0lZieRUM/cCRaqTbV+IIDrJUwAaIMQAAAzzhiA=
Date: Sun, 29 Mar 2015 18:38:52 +0000
Message-ID: <20150329183851.4935767.64500.6234@sandvine.com>
References: <DM2PR0301MB0655748F52C0984FB6BF8E93A8F60@DM2PR0301MB0655.namprd03.prod.outlook.com>, <33962F88-F1E9-4ED7-863A-97AED7836A75@gmail.com>
In-Reply-To: <33962F88-F1E9-4ED7-863A-97AED7836A75@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/pH6O8mN1W6rEaywYIW1mHRq7a4k>
Cc: Jana Iyengar <jri@google.com>, Eric Rescorla <ekr@rtfm.com>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] The reset middleboxes attack
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Mar 2015 18:38:58 -0000

Recall ‎https://tools.ietf.org/html/rfc5925

This protects TCP sessions against RST attacks done by guessing sequence numbers. Originally used to protect long-lived BGP connections.
Of course this was to protect the end-points, not middle boxes.


David Dolson
Senior Software Architect, Sandvine Inc.
  Original Message
From: Yoav Nir
Sent: Sunday, March 29, 2015 4:28 AM
To: Christian Huitema
Cc: Jana Iyengar; Eric Rescorla; spud@ietf.org
Subject: Re: [Spud] The reset middleboxes attack‎


> On Mar 29, 2015, at 3:17 AM, Christian Huitema <huitema@microsoft.com> wrote:
>
> A key design element out of the SEMI workshop was a request to expose session "start and stop" to the path. The rationale is that middleboxes could then do a more efficient state management than the current timer-based solutions. The hosts would also benefit if they can do away with fewer keep alive packets to maintain the state open in the middleboxes.
>
> But there is a big issue. The end systems can distinguish between valid and invalid headers because the crypto ensures authentication of the clear text header. An attacker capable of packet injection cannot affect the state of the end systems, because the injected packets will fail the crypto checksum verification and be discarded. But if the hosts are protected, the middleboxes are not. They do not have access to the application credentials, and they cannot perform the crypto checksum verification. This opens the gates for two attacks.
>
> The first and obvious attack is the "middlebox reset" attack. An attacker injects a packet with a "stop" mark. Middleboxes on the path see that, and free the state associated with the session. NAT mapping disappear and firewall opening are closed. Even if the hosts are capable of rejecting the fake reset, their connection is still gone, because further packets will be discarded by the middleboxes.
>
> One of my coauthors (EKR or Jana, cannot remember) suggested a mitigation, which reminded me of the old "S-Key" scheme. Suppose that the "open" packet carries a "hash target" T, composed of an algorithm ID (say SHA256) and a binary string (32 bytes in the case of SHA256). The middleboxes remember that value as part of their state. We then require that the "stop" packets carry a "hash result" R, a binary string of arbitrary size. When the middleboxes on path see a reset packet, they check that H(R) = T. If it does not, they detect a spoofed reset, and discard the packet.
>
> I can see that implementers may not be enthusiastic with the additional complexity. But we would be naïve to just dismiss the attack. We do see attackers capable of eavesdropping traffic, and then injecting packets "from the side." I am sure that these attackers would find good use of a capability to nuke connections at will.

Hi, Christian

I understand the issue. Is this something we are really worried about? It has always been possible to do this with TCP by sending a RST, and that worked on the endpoints as well, and TLS has never protected us from that attack.

To get the solution to work, presumably the initiator generates a secret and sends its has in the OPEN command. This allows the initiator to close the connection by sending the pre-image. But what if we want both sides to be able to close the connection? We either need to transmit the pre-image in the encrypted part of the protocol (what Joe’s architecture diagram calls “transport”), or we need a per-endpoint hash, requiring the responder to also send a hash in the ACK command. The latter doubles the state on the middlebox.

Yoav
_______________________________________________
Spud mailing list
Spud@ietf.org
https://www.ietf.org/mailman/listinfo/spud

v2.8.7 | Report a Bug | By Email