Re: [T2TRG] [core] New Version Notification for draft-mattsson-core-coap-attacks-02.txt

John Mattsson <john.mattsson@ericsson.com> Wed, 02 February 2022 14:43 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Carsten Bormann <cabo@tzi.org>
CC: "core@ietf.org" <core@ietf.org>, "t2trg@irtf.org" <t2trg@irtf.org>
Date: Wed, 02 Feb 2022 14:43:41 +0000
Subject: Re: [T2TRG] [core] New Version Notification for draft-mattsson-core-coap-attacks-02.txt

> We obviously need more documentation.

I agree that we obviously need more research and documentation regarding amplification attacks. I also agree that we need more discussion. I think it would be very good if T2TRG do research on the topic.

echo-request-tag (RFC 9175-to-be) will soon be published which provides mechanisms and guidance to mitigate some of the attacks described in draft-mattsson-core-coap-attacks.

Regarding BCP, I agree with you that we don't have all the knowledge. On the other hand, we need to make sure that amplification attacks using IoT devices do not get worse. They cause significant and costly damage. Right now CoAP is used in DDoS attacks, and it is not even clear that the devices used are violating IETF requirements.

I think a minimum right now is to publish descriptions on how CoAP can be used in amplification attacks (draft-mattsson-core-coap-attacks) and to make the amplification mitigation requirements in new RFCs (group communication, conditional attributes) stricter than CoRE has done in the past.

I agree that a BCP would likely be much better if written later. But one could also argue that if we know so little about how to mitigate IoT amplification attacks, publishing more IoT RFCs is unethical.

I think a reasonable way forward would be:
- Soon: Publish descriptions on how CoAP can be used in amplification attacks.
- Soon: Discuss how to make the amplification mitigation requirements in new RFCs stricter between now and when the BCP is published.
- Later: Publish a T2TRG research document on denial-of-service and amplification attacks.
- Later: Publish a BCP referencing the research document.

For T2TRG, here are links to the last two presentations on the topic.

https://datatracker.ietf.org/meeting/111/materials/slides-111-core-coap-attacks-00

https://datatracker.ietf.org/meeting/interim-2022-core-02/materials/slides-interim-2022-core-02-sessa-coap-attacks-draft-mattsson-core-coap-attacks-02-00

Cheers,
John

From: Carsten Bormann <cabo@tzi.org>
Date: Wednesday, 2 February 2022 at 14:03
To: John Mattsson <john.mattsson@ericsson.com>
Cc: core@ietf.org <core@ietf.org>, t2trg@irtf.org <t2trg@irtf.org>
Subject: Re: [core] New Version Notification for draft-mattsson-core-coap-attacks-02.txt
Hi John,

> On 2022-02-01, at 10:30, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
>
> I think this would be a good time to have an adoption call for the document. Echo, Request-Tag, and Token Processing will soon be published as RFC 9175. It would be good to publish the informational “CoAP Attacks” as a companion document in the not-too-distant future as suggested by the security AD.

I think we need to open up this discussion a little bit before we converge on a good way forward.

We already have elements of solutions standardized, e.g., echo-request-tag (RFC 9175-to-be).  This is a standards-track document, done in the CoRE WG.
This document provides the implementer with a set of tools, but doesn’t provide actionable guidelines as to when these tools should be used.

We obviously need more documentation.

We could go ahead and do a BCP now, but somehow that might work approximately as well as the hand-washing mandates that are trying to prevent the spread of COVID-19 — we don’t actually know very well what works and what doesn’t (*).

To really do a BCP that works in a sustainable way, we need to do a bit more research:

— what attacks do occur in practice
— what solutions [mitigations] (RFC 7252, RFC 9175-to-be, others) actually do work against these attacks
— are there workarounds against those solutions that an attacker could use
— would certain solutions just shift around the attacks to a different vulnerability
— what is the design space for potential additional solutions that have fewer work-arounds
— if there are several solutions that one could choose from, how do they compare in
  — effectiveness
  — onus on the communication partners and the network in between
— can we come up with metrics that actually allow an implementer to make decisions in this complex space

That information should not all go into the BCP, as this should focus on the actionable advice.  Instead, there should be a document that can be referenced from the BCP to provide more detailed explanation and rationale.

That other document (“research document”) would be a natural thing to work on in T2TRG.  We already have had some off-list discussions that indicate that we might have critical mass for that.

Regards, Carsten

(*) Spoiler: Hand-washing does little against the spread of COVID-19.  But a general increase of handwashing is not bad at all, and it may be hard to retract mandates until it is proven that handwashing never helps (which you essentially can’t prove), so handwashing will stay on as a ritual that started with COVID-19.
One of my objectives is to minimize the number of rituals that we infect our ecosystem with…