Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")

Tero Kivinen <kivinen@iki.fi> Tue, 12 December 2017 17:27 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 267301294CF for <tcpinc@ietfa.amsl.com>; Tue, 12 Dec 2017 09:27:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o6kd2PXBifQy for <tcpinc@ietfa.amsl.com>; Tue, 12 Dec 2017 09:27:36 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 857AF127A91 for <tcpinc@ietf.org>; Tue, 12 Dec 2017 09:27:35 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id vBCHRLmv025547 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 12 Dec 2017 19:27:21 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id vBCHRK81004300; Tue, 12 Dec 2017 19:27:20 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23088.4472.814142.142233@fireball.acr.fi>
Date: Tue, 12 Dec 2017 19:27:20 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Valery Smyslov" <svanru@gmail.com>
Cc: "'Kyle Rose'" <krose@krose.org>, "'Black\, David'" <David.Black@dell.com>, "'Eric Rescorla'" <ekr@rtfm.com>, "'Mirja Kuehlewind \(IETF\)'" <ietf@kuehlewind.net>, "'tcpinc'" <tcpinc@ietf.org>
In-Reply-To: <073801d37315$90c89bd0$b259d370$@gmail.com>
References: <CAJU8_nUUHbmFcPA2obo6q3dLqL1MGE2iKen-0EQ82re=+gtTfw@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD96B0D@MX307CL04.corp.emc.com> <23072.32691.892725.97892@fireball.acr.fi> <01bc01d36a71$45957db0$d0c07910$@gmail.com> <CABcZeBPN_XQc8np3CWi_-AtDUafW4ZPc8EnRje8yj57Rv-vxyw@mail.gmail.com> <B0FB25D40E23475C9259A4C204B327D2@chichi> <CE03DB3D7B45C245BCA0D243277949362FDD6E73@MX307CL04.corp.emc.com> <CAJU8_nW9fkn9E=NbKFZ3zy5uSY36WFqRcQpBYdyYuLwzAbqFHA@mail.gmail.com> <CAJU8_nX7NOSG8hkUYqG_GeqSyPzmhwsyA30Z0riqRmwK8SozpQ@mail.gmail.com> <073801d37315$90c89bd0$b259d370$@gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 21 min
X-Total-Time: 20 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/9gMsJodQq4EalqZkFZ_dQpMwPrE>
Subject: Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Dec 2017 17:27:38 -0000

Valery Smyslov writes:
> The issue is not tcpcrypt specific. TLS, IPsec and other
> security protocols that use counter-based cipher modes 
> are likely to be vulnerable to VM cloning/resumption problem as well.

Note, that VM cloning/resumption operations are most likely trying to
indicate the changing status to the operating system.

Even without any security if you clone a VM, allow the both of them to
run, the TCP sessions connected from those two devices to servers are
going to be messed up. 

This means that when you clone the VM, VM system might change the MAC
address of the virtual network card, so that you will not have
duplicate MAC addresses in the same virtual network. To do that they
most likely use some kind of plug and play virtual network interface
and remove that interface and then reinstall new interface with new
MAC. This also of course triggers DHCP and they will get new
IP-addresses, thus all TCP state will get destroyed (btw, does this
remove ability to use tcpinc resumption, i.e., can you do tcpinc
resumption using different IP?).

On other case where you take snapshot of VM, run it forward for a
moment, and then stop it and resume back to previous snapshot, the
situation is similar, i.e., the resumed VM will have different TCP
session state anyways, thus VM should not even try to keep that
intact. This means that on resumption VM system most likely also fakes
a network link status change, i.e., just like you had disconnected the
ethernet cable and put it back in. This usually triggers operating
system to rerun the DHCP, which might get new IP address etc, but in
case of resumption they might actually get the same IP back, but some
operating systems immediately tear down all TCP connections when the
link is broken, thus TLS (and tcpinc) TCP connections would get
broken, and they would fall back to resumption etc.

All of these are trying to indicate the operating system that
something has changed. For example IPsec SAs are quite commonly tied
to the specific interface, meaning that when you remove the interface
those get teared down and new SAs are created (perhaps using IKE
resumption). Or if only IP-address changes, then IKE will run mobike
to move the SAs to new IP-address, and if mobike is not available it
will tear down the SAs and recreate them. They might also send
operating system indications that machine is resuming from the sleep,
which might again do some kind of cleaning up operations.

I.e., the VM system vendors are trying to make things work, meaning
they will try to do tricks that will trigger proper response in the
operating systems.

This might also include things like virtual true random number
generator device (which would require support from the operating
system) to solve the issue with the random numbers in the VMs.

So if VMs can solve this issue by forcing resumption they will try to
do that as that makes things just work better. With TLS, IKEv2 etc
this will work as we have fresh nonces that get used in those cases.
I think tcpinc should also try to work for those cases, i.e., the
resumption should include something that make sure that it is using
fresh keys. 

> That's why I agree that we shouldn't take any steps now (in a hurry and for 
> tcpcrypt only). The problem should be recognized and addressed 
> in a more generic way.

I disagree on that. I do not think the issue is with the existing
traffic keys, it is what you do when traffic keys are already gone
(i.e., VM resume operations done by the operating system cleaned
them), but you want to do resumption to recreate them.

Current VM systems are tuned for working with protocols like TCP,
IPsec and TLS, and they try to do things that makes them work. If same
mechanism work also for tcpinc, then tcpinc will get those for free.
If not, then we need to wait for VM and operating system vendors to
find out a way to get things working with tcpinc.
-- 
kivinen@iki.fi