Re: [Spud] The reset middleboxes attack
Christian Huitema <huitema@microsoft.com> Mon, 30 March 2015 20:36 UTC
Return-Path: <huitema@microsoft.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id BD6131A87BB
for <spud@ietfa.amsl.com>; Mon, 30 Mar 2015 13:36:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001,
SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id PXCZMwRvijHm for <spud@ietfa.amsl.com>;
Mon, 30 Mar 2015 13:36:50 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com
(mail-by2on0145.outbound.protection.outlook.com [207.46.100.145])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 47C321A87BA
for <spud@ietf.org>; Mon, 30 Mar 2015 13:36:50 -0700 (PDT)
Received: from DM2PR0301MB0653.namprd03.prod.outlook.com (25.160.96.15) by
DM2PR0301MB0846.namprd03.prod.outlook.com (25.160.215.144) with Microsoft
SMTP Server (TLS) id 15.1.125.19; Mon, 30 Mar 2015 20:36:49 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (25.160.96.17) by
DM2PR0301MB0653.namprd03.prod.outlook.com (25.160.96.15) with Microsoft SMTP
Server (TLS) id 15.1.118.21; Mon, 30 Mar 2015 20:36:48 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([25.160.96.17]) by
DM2PR0301MB0655.namprd03.prod.outlook.com ([25.160.96.17]) with mapi id
15.01.0118.022; Mon, 30 Mar 2015 20:36:48 +0000
From: Christian Huitema <huitema@microsoft.com>
To: "Bless, Roland (TM)" <roland.bless@kit.edu>, "spud@ietf.org"
<spud@ietf.org>
Thread-Topic: [Spud] The reset middleboxes attack
Thread-Index: AdBps0lZieRUM/cCRaqTbV+IIDrJUwBQ3ROAAAwSmEA=
Date: Mon, 30 Mar 2015 20:36:48 +0000
Message-ID: <DM2PR0301MB0655FFD27159E9FFD015442FA8F50@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <DM2PR0301MB0655748F52C0984FB6BF8E93A8F60@DM2PR0301MB0655.namprd03.prod.outlook.com>
<55195F25.8000007@kit.edu>
In-Reply-To: <55195F25.8000007@kit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::2]
authentication-results: kit.edu; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0653;
UriScan:; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0846;
x-forefront-antispam-report: BMV:1; SFV:NSPM;
SFS:(10019020)(6009001)(51704005)(377454003)(24454002)(86612001)(2171001)(99286002)(19580405001)(46102003)(86362001)(33656002)(77156002)(2501003)(102836002)(2950100001)(2656002)(122556002)(92566002)(76176999)(62966003)(87936001)(54356999)(2900100001)(50986999)(19580395003)(76576001)(74316001)(3826002);
DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0653;
H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
x-microsoft-antispam-prvs: <DM2PR0301MB0653DE1BEB6FD34917722504A8F50@DM2PR0301MB0653.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0;
RULEID:(601004)(5002010)(5005006); SRVR:DM2PR0301MB0653; BCL:0; PCL:0; RULEID:;
SRVR:DM2PR0301MB0653;
x-forefront-prvs: 05315CBE52
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Mar 2015 20:36:48.0337 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0653
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/xENzbnUj9_CRHVy0R0y7ZCvez_s>
Cc: Jana Iyengar <jri@google.com>, Eric Rescorla <ekr@rtfm.com>
Subject: Re: [Spud] The reset middleboxes attack
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>,
<mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>,
<mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2015 20:36:51 -0000
> On Monday, March 30, 2015, at 7:35 AM, Bless, Roland (TM) [mailto:roland.bless@kit.edu] wrote: > ... > > I can see that implementers may not be enthusiastic with the > > additional complexity. But we would be naïve to just dismiss the > > attack. We do see attackers capable of eavesdropping traffic, and then > > injecting packets "from the side." I am sure that these attackers > > would find good use of a capability to nuke connections at will. > > The described approach would be still vulnerable to on-path attackers, right? If we add a cryptographic protection on the reset packets, then it will prevent the reset injection attack by anyone, including on path attackers. Of course, on path middleboxes have the possibility to just drop all packets for a connection. That's a different attack, and it is possible to find out the culprit by looking at where packets are dropped. It is much harder to get away undetected with a blocking attack than with a single packet injection attack. > Furthermore, middleboxes must be prepared that route changes may occur and > they may see only the start packet and maybe some data packets, but never the > end packet. The route changes issue is probably worth its own thread. I am worried that even if routing does not change, SPUD expose end points to new attacks. The root cause is that SPUD middleboxes are expected to make decisions based on unauthenticated data in the packet headers. The reset attack is just one of those, probably the most obvious one. Quick brainstorm comes up with other possible attacks: * Inject lots of "open" packets with different context ID, targeting the same five tuple. These will be discarded by the end points, but for the middle boxes they are the equivalent of a "SYN Flooding" attack. * Inject packets with creative values for declared bandwidth and other parameters. Depending on parameter values, this can be either a DOS against the end point (e.g., fake requirement of 100 bps for a video stream) or a DOS attack against the network (e.g., stack a lot of bandwidth reservations for nonexistent flows). I understand how to protect against the reset attack, but I am not sure what to do about these other attacks. -- Christian Huitema
- [Spud] The reset middleboxes attack Christian Huitema
- Re: [Spud] The reset middleboxes attack Tirumaleswar Reddy (tireddy)
- Re: [Spud] The reset middleboxes attack Eric Rescorla
- Re: [Spud] The reset middleboxes attack Yoav Nir
- Re: [Spud] The reset middleboxes attack Phillip Hallam-Baker
- Re: [Spud] The reset middleboxes attack Yoav Nir
- Re: [Spud] The reset middleboxes attack Dave Dolson
- Re: [Spud] The reset middleboxes attack Caitlin Bestler
- Re: [Spud] The reset middleboxes attack Yoav Nir
- Re: [Spud] The reset middleboxes attack Bless, Roland (TM)
- Re: [Spud] The reset middleboxes attack Christian Huitema
- Re: [Spud] The reset middleboxes attack Bless, Roland (TM)