[Teep] How to prevent DOS/DDoS in TEEP Usecase for CC in Network

yangpenglin@chinamobile.com Sun, 14 August 2022 08:18 UTC

Message-ID: <83d33160-b020-0e7c-4bc2-e1953870f4b8@chinamobile.com>
Date: Sun, 14 Aug 2022 16:18:20 +0800
From: yangpenglin@chinamobile.com
To: sorin.faibish@cdsi.us.com
References: <7BDDC50D-753C-42DD-BAE4-1ED5B2713A55@cdsi.us.com>
Cc: "teep@ietf.org" <teep@ietf.org>
In-Reply-To: <7BDDC50D-753C-42DD-BAE4-1ED5B2713A55@cdsi.us.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/-Fsyxrhy7aDTT-UU_W7N6_1BIVA>
Subject: [Teep] How to prevent DOS/DDoS in TEEP Usecase for CC in Network

Hi Sorin and all,

I try to summarize this issue in the following; if it is not correct, please 
point it out without hesitation.

     "The UA may be tampered and this may cause DoS attack or even DDoS 
attack."

My personal opinion is that since the UA is defined as untrusted, the TEEP 
architecture cannot ensure its trustworthiness. So in some sense it 
seems the DOS attack cannot be totally denied. But if we could create a 
secure channel between the TEE and the TAM, or use some encryption format like 
COSE to encode the network data, the server side of this TEE device 
could discard the malicious network flow. As to the TEEP broker, since it 
is for transparent forwarding and is also not trusted, it may not be 
reliable for blocking malicious traffic.

BR
Penglin

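Penglin's point above, that COSE-encoded TEEP data lets the TAM/TEE side discard traffic an untrusted UA or broker has altered or injected, illustrated with an added example that is not part of this thread and not code from any TEEP implementation. It builds and verifies an untagged COSE_Mac0 message (RFC 9052, section 6.2) over a small CBOR codec using only the Python standard library. TEEP itself protects messages with COSE_Sign1 under asymmetric keys; the symmetric HMAC-SHA-256 variant is used here only so the block runs without third-party libraries, and the key, payload and attacker-side messages in `demo()` are constructed for illustration, not TEEP test vectors.

```python
import hashlib
import hmac
import struct

ALG_LABEL = 1     # COSE header label "alg"
HMAC_256_256 = 5  # COSE algorithm id: HMAC with SHA-256, 256-bit tag


def _head(major, n):
    """CBOR item head (RFC 8949): 3-bit major type plus the argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")


def cbor(obj):
    """Encode ints, bytes, str, lists and dicts: all that COSE_Mac0 needs."""
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        return _head(3, len(obj.encode())) + obj.encode()
    if isinstance(obj, (list, tuple)):
        return _head(4, len(obj)) + b"".join(cbor(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(cbor(k) + cbor(v) for k, v in obj.items())
    raise TypeError("unsupported type %r" % type(obj))


def _decode(buf, pos):
    """Decode one CBOR item at buf[pos]; return (item, next_pos). Raises on malformed input."""
    major, ai = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        if pos + size > len(buf):
            raise ValueError("truncated head")
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("unsupported additional info")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major in (2, 3):
        if pos + n > len(buf):
            raise ValueError("truncated string")
        chunk = bytes(buf[pos:pos + n])
        return (chunk if major == 2 else chunk.decode()), pos + n
    if major in (4, 5):
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            item, pos = _decode(buf, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    raise ValueError("unsupported major type")


def _mac_structure(protected, payload, external_aad):
    """MAC_structure (RFC 9052 section 6.3): the bytes the tag is computed over."""
    return cbor(["MAC0", protected, external_aad, payload])


def mac0_encode(key, payload, external_aad=b""):
    """Wrap payload in an untagged COSE_Mac0 message and return its CBOR bytes."""
    protected = cbor({ALG_LABEL: HMAC_256_256})
    tag = hmac.new(key, _mac_structure(protected, payload, external_aad), hashlib.sha256).digest()
    return cbor([protected, {}, payload, tag])


def mac0_verify(key, wire, external_aad=b""):
    """Return the authenticated payload, or None when the message must be dropped.
    Malformed CBOR, wrong shape, unexpected algorithm and bad tag all end in None."""
    try:
        message, end = _decode(wire, 0)
        protected, _unprotected, payload, tag = message
        if end != len(wire) or not isinstance(protected, bytes) or not isinstance(payload, bytes):
            return None
        if _decode(protected, 0) != ({ALG_LABEL: HMAC_256_256}, len(protected)):
            return None
        expected = hmac.new(key, _mac_structure(protected, payload, external_aad), hashlib.sha256).digest()
        return payload if hmac.compare_digest(expected, tag) else None
    except (ValueError, IndexError, TypeError):
        return None


def demo():
    """Constructed TEE/TAM exchange: one genuine message, three the untrusted path might deliver."""
    key = b"\x01" * 32  # constructed shared key, illustration only
    genuine = mac0_encode(key, b"constructed TEEP message body")
    tampered = bytearray(genuine)
    tampered[-35] ^= 0x01  # flip the last payload byte; the 34-byte tag item follows it
    wrong_key = mac0_encode(b"\x02" * 32, b"attacker-chosen body")
    return {
        "genuine": mac0_verify(key, genuine),
        "tampered": mac0_verify(key, bytes(tampered)),
        "wrong_key": mac0_verify(key, wrong_key),
        "truncated": mac0_verify(key, genuine[:10]),
    }
```

Only the genuine message comes back as a payload; the tampered, forged and truncated ones all return None and the receiver never acts on them. Note what this does and does not buy: authentication lets the TAM/TEE side reject unauthenticated bytes with a single parse and one HMAC, but every bogus message still costs that parse and HMAC, so a flood from a tampered UA is narrowed to resource exhaustion rather than eliminated, which matches the remark above that DoS cannot be totally denied.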

-------- Forwarded Message --------
Subject: Re: [Teep] Call for adoption of draft-yang-teep-usecase-for-cc-in-network
Date: Fri, 12 Aug 2022 03:24:03 +0000
From: Sorin Faibish <sorin.faibish@cdsi.us.com>
To: ypl <ypl_helloworld@163.com>
CC: yangpenglin@chinamobile.com <yangpenglin@chinamobile.com>



Sure. No problem. We want all WG people opinion. Thanks

./Sorin

Sent from my iPad

On Aug 11, 2022, at 10:06 PM, ypl <ypl_helloworld@163.com> wrote:

> Hi Sorin,
>
> Thanks for your suggestion. Indeed, there may be DOS risks in 
> untrusted applications which have no remote attestation mechanism to 
> make sure the UA is properly deployed. But I am not sure how to 
> protect the UA since it is not defined as trusted. Do you mind if we discuss 
> this on the TEEP mailing list, in case people have other opinions?
>
> BR
> Penglin
> On 8/11/2022 10:14 PM, Sorin Faibish wrote:
>>
>> Penglin,
>>
>> I reviewed the draft and it looks correct IMHO. I didn’t look at the 
>> spelling or grammar correctness; will leave it for next draft. But 
>> looking at the 5 use cases I was interested to see if they are safe 
>> from DDoS attack perspective. In my opinion the IOT devices must be 
>> protected from being exploited for DDoS by malicious actors. I 
>> believe that cases 4.2 and 4.3 and 4.5 may be susceptible to such 
>> exploits. You can look at my draft:
>>
>> https://datatracker.ietf.org/doc/html/draft-faibish-iot-ddos-usecases
>>
>> I would consider looking at the use case defined in section 4.1 of 
>> the above draft as being most relevant to your draft. Feel free to 
>> cite my draft as reference.
>>
>> Thank you
>>
>> ./Sorin
>>
>> *From:* ypl <ypl_helloworld@163.com>
>> *Sent:* Tuesday, August 9, 2022 9:58 PM
>> *To:* Sorin Faibish <sorin.faibish@cdsi.us.com>
>> *Cc:* yangpenglin@chinamobile.com
>> *Subject:* Fwd: [Teep] Call for adoption of 
>> draft-yang-teep-usecase-for-cc-in-network
>>
>> Hi Sorin,
>>
>> Thanks for your comments in the IETF 114 TEEP meeting. This TEEP Usecase 
>> for CC in Network draft is under call for adoption on the TEE mailing 
>> list. If you are interested, would you mind reviewing this draft or 
>> leaving a comment on that mailing list? Thanks very much.
>>
>> (The CC address is my company email, just in case it may block new 
>> email contacts)
>>
>> BR.
>> Penglin
>>
>>
>>
>> -------- Forwarded Message --------
>> Subject: [Teep] Call for adoption of draft-yang-teep-usecase-for-cc-in-network
>> Date: Wed, 3 Aug 2022 19:09:57 +0530
>> From: tirumal reddy <kondtir@gmail.com>
>> To: teep <teep@ietf.org>
>>
>> Hi all,
>>
>> This is a WG Adoption call for draft-yang-teep-usecase-for-cc-in-network.
>> Draft link: 
>> https://datatracker.ietf.org/doc/draft-yang-teep-usecase-for-cc-in-network/
>>
>> This adoption call will last until Aug 17th. Please direct all 
>> discussions to the TEEP mailing list.
>> Please also indicate if you are willing to contribute text, review, etc.
>>
>> Regards
>> TEEP Co-chairs Tiru & Nancy
>>