[Tcpcrypt] attack resilience (was "v3 of the charter")
Erik Nygren <erik+ietf@nygren.org> Fri, 02 May 2014 13:41 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 641411A6FB4 for <tcpcrypt@ietfa.amsl.com>; Fri, 2 May 2014 06:41:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_66=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gx8qdB7gY5QL for <tcpcrypt@ietfa.amsl.com>; Fri, 2 May 2014 06:41:40 -0700 (PDT)
Received: from mail-vc0-x229.google.com (mail-vc0-x229.google.com [IPv6:2607:f8b0:400c:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id 418261A2130 for <tcpcrypt@ietf.org>; Fri, 2 May 2014 06:41:40 -0700 (PDT)
Received: by mail-vc0-f169.google.com with SMTP id im17so5350567vcb.14 for <tcpcrypt@ietf.org>; Fri, 02 May 2014 06:41:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=VDyRquDIURvwT3phox/xNj2kTBTGEKKtJoI80K00qeI=; b=NdKy7aY/YhXj+R2sKcGYvdATbVuS2fkVlUXly9zXYiD2u/i0jfyu8WrjBGDApDkdl8 Ap5LiY4sksVwFFESLW8rOfTjuQewp8pYRkaZ1RiZs0UtqMHKXH+DVf0XVCt+KmAdhVZ8 MYb9jGXvSZ+g08KHSYQ1pfV5mcycmPmxgLc8toGaBvQXZvlDyQ7cQ3kLivq8VbCfxGXY NYKhfjSglikG8f2WpZmyU4SlyEFL0fhXRzHHWgxahAws5v5L+PbybzLsuJeoZnvU668a marFPrI3oRR0dYFSjoGY4x1Uky5wkTlng/yUXznJY1txfH1mUkmfNP8rwOZSg+8wZ7rJ 3PXQ==
MIME-Version: 1.0
X-Received: by 10.58.31.136 with SMTP id a8mr13938920vei.20.1399038097831; Fri, 02 May 2014 06:41:37 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.220.189.195 with HTTP; Fri, 2 May 2014 06:41:37 -0700 (PDT)
Date: Fri, 02 May 2014 09:41:37 -0400
X-Google-Sender-Auth: T-n6yfaGaa8Yuq15TpmFX9xC3SY
Message-ID: <CAKC-DJi=Vj7Ga+Ns=J1VtunnSbYXHv-A32M01+z-RyWayJ4xbQ@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: marcelo bagnulo braun <marcelo@it.uc3m.es>, tcpcrypt@ietf.org
Content-Type: multipart/alternative; boundary="047d7b2e49d0d93db804f86af009"
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/zKGXX71yR6GU-ARyqf1IVvkSMVg
Subject: [Tcpcrypt] attack resilience (was "v3 of the charter")
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 May 2014 13:41:41 -0000
At what stage should we discuss attack resilience, and in particular the
ability of one end-point to launch an asymmetric resource DDoS attack
against the other end-point? This has historically been an area where
remediations have been critical for both TCP extensions as well as for
crypto systems. Just look at SYN flood attack mitigations (eg,
SynCookies), the failure of TTCP and the additions to TFO to address those
gaps, the need for tokens in the DTLS handshake, and especially the
challenges in defending servers exposing TLS to DDoS attacks. Mitigations
need to be traded off against added round-trips as well as privacy
exposures.
Should there be a line-item in the charter on this topic, or should this be
covered in post-charter discussions?
For example, a client clearly must not be able to force a server to do
expensive crypto operations until there has at least been one packet
handshake. End-points under duress can also presumably chose to fallback
to plaintext TCP (although this could motivate an attacker to try and force
end-points into this mode). Optional proof-of-work client puzzles (when
under duress) are also an option, but add complexity and potential risks in
regimes outside of client:server uses of TCP.
Erik