IETF Logo Mail Archive

Re: [T2TRG] [core] New Version Notification for draft-mattsson-core-coap-attacks-02.txt

Achim Kraus <achimkraus@gmx.net> Fri, 04 February 2022 08:09 UTC

Return-Path: <achimkraus@gmx.net>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 132E03A0D7B; Fri, 4 Feb 2022 00:09:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 39IBN7yCczg3; Fri, 4 Feb 2022 00:09:38 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88F333A0D5F; Fri, 4 Feb 2022 00:09:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1643962163; bh=ME3ANMaGEKZRLeu1Hkmuuvxf0IkGJKIvLavtJnktYvk=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From:In-Reply-To; b=jwdF+Klbmul9ZwpNVkBR6svWafz5PuU55p/0U31FNj64fmHuA2Zg/iS0/WTTq1Tp0 Poc1P6dYk50G1x8aU0Dh+lpNGcUUdSXSgP4tEc8mV3inEDhBb5U+T8077LNhxYJAlD 39fM/EZndtRlMJUEo7aHM73s/KuPsQ4/yDnMGCdo=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.10] ([5.146.193.130]) by mail.gmx.net (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MQe5u-1mtFvp0tlO-00NkZ8; Fri, 04 Feb 2022 09:09:23 +0100
Message-ID: <16853d5f-a795-3a59-f8d9-e5c2652d0d9d@gmx.net>
Date: Fri, 04 Feb 2022 09:09:21 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: Carsten Bormann <cabo@tzi.org>
Cc: John Mattsson <john.mattsson@ericsson.com>, "t2trg@irtf.org" <t2trg@irtf.org>, "core@ietf.org" <core@ietf.org>
References: <164370592991.14136.4943780498822971831@ietfa.amsl.com> <HE1PR0701MB30500AA57A7DD6F3170BB60F89269@HE1PR0701MB3050.eurprd07.prod.outlook.com> <5AFB6C76-9C15-4050-B478-711832318342@tzi.org> <HE1PR0701MB3050F758474CC029B932112F89279@HE1PR0701MB3050.eurprd07.prod.outlook.com> <9F1343E2-B330-4ED8-8ECB-591A013A51EF@tzi.org> <HE1PR0701MB3050423B37F408F2C9F8B98689279@HE1PR0701MB3050.eurprd07.prod.outlook.com> <bd50b93f-4ecf-f367-0de9-eb49b90c0c15@gmx.net> <0E1DE32A-1762-46D0-B535-730E66FB2714@tzi.org>
From: Achim Kraus <achimkraus@gmx.net>
In-Reply-To: <0E1DE32A-1762-46D0-B535-730E66FB2714@tzi.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:yeWwLQ7/cEomHAzh3cEQQZCTHiW4zzQyIlrQXl6gkOBZx6oHA/D 1q/aLG1aV8v6ejaojtKNvkfHWMtpSl62Yz7hoZcKEvzDFWm/Mivl6ngxKIfyn2bTZERLwx/ 3Q6EFGhiNltPxr3chiK9RNMVEKrB0U9haDpwBbsPmZzzMTMKp3L07A+km1iTcqwkgBmzcgq nIF3Z44IRMXK/pM6tFdTA==
X-UI-Out-Filterresults: notjunk:1;V03:K0:9vrwnmefIbc=:G4aOzuJlQq0nG3TPJHx7Xf FgWtHE0gMX7wlrHUdfHGphgBEY7VIBpVbLE5pFy1AM9RBi8uiHRi4G45m1OitX6+eEawax78i 5/Rh28/sShY++p11FPToVFVwoecjH0gU5hTvMhI3A310B+epmfeCdzmC2N9Ag4Rp+/Ya+w0ko Z3Run9pu0Zimg0J4qoY/zWIgCQPQNJr3SW4HyywOYouViXFFlelYlu8vLCMaW4CQhOBHhbK9H PIQ0Yq5ZuCtNNun5mYf53tCFzYNnZa+A/2E2+ksN0hF93aGJzYR9L9AriYkufwRYh+Wz8AoX6 Eyg65yxeo+kx/QXYR/XFgBsYy2TZ/Vh+LSlLBltoiBDj+PTOHIbK4t5pYb5vh6fCjNIJFgsBO BfSCGhvEY7SKBIi+pyzikNdCmvotZzbKAvYV5oPrOSATBJysPQeudtmEO+OKX8cLqoKFIxPa8 idJUAFFz43Lk1NJZhQmWTVB2oNWC0yB1WvdbtORQgihwnpm1DkKCtvazwiYmlj+BxgCv82dOD bvTJ78hshKZyKubCslviAI6291teTMqXuTE6RMfWf09q8XN5RatyZL1urk7AEP8qMdL/rxtdV lZ2NJERdBsl45Onc9NPMuO4vEJDnYXoB364ZSjnHyBPJ7A1w73KLxUPhzWD+Xs0gPixSK5qII ikpFCwIY3mWuKOwmpbvq7AOa8qxSlwWk+dWEfeKlATGJaSdwv+8AmlZCjXicDvU3xTPuu31nI 8bKtFl/q102wwEGfQ/HyxHd7XLs4E3D/aHlbk+DNRVqlH0ohc/Jrex07uRW+8br1nXcy8wETj Cbt2stoT6Gr4OAekZnXKBQlq4vudXH4r2NDfUFJb/NXf9yIyw3X9oy1mse7M84VDZ0PFyEmuV HCTdiEci3HrqrqX91zRTIbzGT9Wx9M0vQO0ST4BJI0ml0jsjFmGFmU/6aeXhzQEkUdi+WTk/c eLuDHCacIls5PzDhfK1An8HWMzzw+Z9tQ77DnNI/t3atGMTVxs/LHd9R9MJiUJPwUYlimLUqg 4KpJbYbXPgZ/J33R2AHqe/y5etEVbMdechu6J0s/nyW6AgsjO9LW+UKOVupA9l5YkgwhdEAbb xrS63QjG6TUXfc=
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/4ALRDcPd-SislyI315o5qzqJd2s>
Subject: Re: [T2TRG] [core] New Version Notification for draft-mattsson-core-coap-attacks-02.txt
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IRTF Thing-to-Thing Research Group <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Feb 2022 08:09:40 -0000

Hi Carsten,

 > That is exactly the issue that makes this so hard.
 > We need to factor in how attackers are going to behave, so the
answers are neither exact nor stable.
 > If there are better amplification sources, there will be much fewer
attacks using public CoAP servers.
 > But once these go away, CoAP server suddenly seem interesting again.
 > So the fixes in other protocols and implementations are our enemy here…

For the future there may be several ways to go.

Amplification attacks:
AFAIK requires address spoofing and that seems to get harder.
One way is to try to give guidance to use "plain" CoAP in a saver way,
the other is to give the guidance to use CoAP over DTLS, which reduces
such amplification as well. I'm unfortunately not common with OSCORE, so
I don't know, if that changes something in that scope or not.

Attacks by "captured" devices:
Such attacks don't require spoofing, but the protection against
capturing a device have a larger scope than just the protocols. What is
required according the protocols, is to harden the implementations.
FMPOV, it's again a difference, to focus on CoAP or DTLS. AFAIK,
hardening DTLS makes progress, seems that many researches have put an
eye on it. At least the open source project received a lot of input to
improve (e.g. californium, tinydtls, pion/dtls).

In the past years I missed some guidance about protecting the "systems
under attack". Years ago, the major general recommendation seems to have
been "block UDP at all at the very first firewall".
That obviously doesn't work for CoAP over UDP or DTLS. In the scope of
Eclipse/Californium I added therefore instruction to use firewall rules
for DTLS (see
https://github.com/eclipse/californium/wiki/DTLS-1.2-based-firewall), if
that is possible (obvious, that mostly isn't possible at the very first
firewall, but later on the own machines).
For plain CoAP, I don't see, how malicious traffic can be filtered out
at that level.
(And yes, that protects only from non-DTLS traffic, as explained in the
wiki.)

For me the question is therefore more:
Stick to try to give guidance to use plain CoAP,
or start to stronger recommend DTLS.

 > It seems you have data, and that is what I’d like to collect in the
T2TRG effort, together with what went wrong in the specific instances.

I setup some time ago https://github.com/eclipse/californium/wiki and
update the information there.

best regards
Achim Kraus


Am 02.02.22 um 18:57 schrieb Carsten Bormann:
> Just picking one paragraph here:
>
>> On 2022-02-02, at 18:52, Achim Kraus <achimkraus@gmx.net> wrote:
>>
>> I'm not sure, if there is a common, realistic understanding of the
>> "nature" of such an attack. At least I have much more questions than
>> answers. E.g. is amplification only relevant above some threshold?
>> Means, if a request with 80 bytes is used and the response has 160, is
>> that relevant? Or must the response be above 400 bytes in order to get
>> relevant? So, in theory there may be a lot of rules, but I'm afraid,
>> that these rules stay theoretical, complicated, and maybe practically wrong.
>
> That is exactly the issue that makes this so hard.
> We need to factor in how attackers are going to behave, so the answers are neither exact nor stable.
> If there are better amplification sources, there will be much fewer attacks using public CoAP servers.
> But once these go away, CoAP server suddenly seem interesting again.
> So the fixes in other protocols and implementations are our enemy here…
>
> It seems you have data, and that is what I’d like to collect in the T2TRG effort, together with what went wrong in the specific instances.
>
> Then we need to forge these data into an assessment of the situation and finally rules with a bit harder boundaries than the ones we already have.  That will be the BCP.
>
> Grüße, Carsten
>

v2.23.0 | Report a Bug | By Email