Re: [TLS] Martin Duke's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)

Martin Thomson <mt@lowentropy.net> Wed, 05 May 2021 02:45 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88C6D3A204C for <tls@ietfa.amsl.com>; Tue, 4 May 2021 19:45:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.82
X-Spam-Level:
X-Spam-Status: No, score=-2.82 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=sqPGX/Pq; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=rp85XMLN
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xeld_P3jopw3 for <tls@ietfa.amsl.com>; Tue, 4 May 2021 19:45:43 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9F413A2052 for <tls@ietf.org>; Tue, 4 May 2021 19:45:42 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 4BE2C5C010A for <tls@ietf.org>; Tue, 4 May 2021 22:45:41 -0400 (EDT)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Tue, 04 May 2021 22:45:41 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=sMsLcEWCCb9jq4LklU+fC9oMKVywih8 aWd5A6I1zvkw=; b=sqPGX/PqlLuVctKkD5LHNz4WzRrI7L1LQS7bDayulqRydr5 rx1iNZocF792vsiScIv+WrnLKjQNqgWxmU5T292qCFLntN8SsvhBcFKb0s7MPtNq iNk/GnjTfO/PHSwcwiGORZsf0o0Oc0IlTKwHlMp4CVZ5pjichGALOFnQvjOFLV3y KnuDAek3RkpRpJtXYAaU2JnMzNhVEjhEarPfmLNst1VexMlPdg10Z2fz7pRB+nho SZjjPocYGZSNMEBqMdudCuWAJusLL2g4ZwydF+/+Py4uILdBRSn5CQk4FNL87ICc TOTVhH3A7H3ZzFQ3iHS8RHAzxMDDOx/PavnOAfA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=sMsLcE WCCb9jq4LklU+fC9oMKVywih8aWd5A6I1zvkw=; b=rp85XMLNUIhy+z4a2J/ulb bb5SoiwoP4Gkryq4G6WTye7dxBmTmAUMpuUHU8dQJ54zgzh2vnbACkLb+j23DOT2 HoCLKL4OygmbuST2gNZC8b4KUO0Hy6inQDNRJu9DDJLeaM7Zpz8H5W0W9a+nEgpi HcORu26/9YbYUSneWVpd+taiDjDZzj5lxkNfddKOGOQJ3JbMyHO6f/kTAfQKsP+E 72OjBH3p+OrfzLADimVw74GEfo7pav0eGM1MwtnVVRzVgB3dfu2BT0gGy8DQuLc+ Ld1qAbRDZgRkk2Y94i4ZoXYxDEIc9TdnjH3rYpORnhrtq3U+r+wb6L7GPE+Sq/BQ ==
X-ME-Sender: <xms:1QaSYIjimMYK5g3QUZQsSswX8WwPtQwplonm5ezj6URGzbyHTIO8Bw> <xme:1QaSYBDA9PcJpIIi71lBMMYFzD59KxUdaU0dQGT_Z5m2nmiVeZLskvm1cr6DyKxJl zEXy_xZz6LZRNCfs4s>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvdefjedgheekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeelfedugfelgeeigfeuve eludejjeeutdelgedvteehueevhfdvhefggeeuffeivdenucffohhmrghinhepihgvthhf rdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:1QaSYAF_5F24cIdQBD6em35uXa9pgCZwBeDO4HtHkhTuEP6RbqsA4Q> <xmx:1QaSYJRlNHzQ3jMPVHwoSarxMndBEuhHAiRcOl7nzxwz-H2cMJGriw> <xmx:1QaSYFz8RS5jpY7ZrKS3MuaAa0EsYYpC0B1HhxxzfTO_k1RLP1wpng> <xmx:1QaSYE8WYFCuf9JSovePS4EjodLqlK88_WddHmG3zN-dY9n5Z8DdgQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 102274E00C7; Tue, 4 May 2021 22:45:41 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-442-g5daca166b9-fm-20210428.001-g5daca166
Mime-Version: 1.0
Message-Id: <72c410c0-f164-4428-9dda-ca62a9c0b419@www.fastmail.com>
In-Reply-To: <CAM4esxQaGhv8p3U7pa3JTyLFOvicZ4fM14p8-J5zpyOdBWNw9Q@mail.gmail.com>
References: <161894801377.8373.6532898944771346676@ietfa.amsl.com> <VI1PR08MB2639A557022756B119EAB4EAFA5A9@VI1PR08MB2639.eurprd08.prod.outlook.com> <CAM4esxQaGhv8p3U7pa3JTyLFOvicZ4fM14p8-J5zpyOdBWNw9Q@mail.gmail.com>
Date: Wed, 05 May 2021 12:45:21 +1000
From: "Martin Thomson" <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-I7VT6ns2EGQbl4rips19raMlJg>
Subject: Re: [TLS] =?utf-8?q?Martin_Duke=27s_No_Objection_on_draft-ietf-tls-d?= =?utf-8?q?tls-connection-id-11=3A_=28with_COMMENT=29?=
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 May 2021 02:45:48 -0000

I can't claim credit for all of the jankiness in QUIC regarding on-path, off-path, and friends.

The attack here is fairly simple: an attacker gets a valid packet and rewrites the source address (to an address it controls).  If that packet is accepted by the endpoint that receives it, then it will probe toward the attacker.  The attacker needs to rewrite the source address on the packet it receives so that it elicits a genuine response from the peer.  Then the attacker captures the response and rewrites the source address.

With this, if the attacker can observe two dropped packets (or cause them to be dropped somehow).  The first probably has to precede a quiet period that is long enough to complete the process; the latter needs to contain a probe response.  If those conditions can be met, then the attack can place itself on-path.

Without a probe on the original path, the attacker doesn't have to provide a better route than the original.  Adding that probe means that the attacker has to provide a faster and more consistent service, which looks more like a net gain than an attack.

On Wed, May 5, 2021, at 01:49, Martin Duke wrote:
> Hannes,
> 
> What you might be missing is that Martin Thomson chose what to me is an 
> unintuitive definition of off-path attacker. On-path means that you a 
> router that you can drop a packet. An off-path attacker might be an 
> observer, which can see the packets, or not. I hope that clears things 
> up a little bit -- although this is very hard to reason about.
> 
> >Reading through Section 9.3.3 "Off-Path Packet Forwarding", I noticed that the attacker needs to be able to
> >* observe the packets sent by DTLS endpoints in both directions, and
> 
> I would argue it needs to only observe from the client (the one 
> allegedly changing address) to server.
> 
> >* replay the packets in such a way that they arrive faster than the original packets send by the DTLS endpoints, and
> 
> This is the hardest part. The most plausible way is to purchase a 
> higher SLA from the service provider than the victim traffic.
> 
> >* re-write both source and destination IP address to appear like a NAT for both endpoints.
> 
> No, it just needs to rewrite the source address of client->server packets.
> 
> Your second and third capabilities would actually defeat the "probe the 
> original address" countermeasure provided in the draft.
> 
> So yes, if the "attacker" is actually a router providing a superior 
> route to the host, there's nothing you can do.
> 
> But the required capabilities are the same for (1) pretending there is 
> a NAT rebinding where there isn't, and (2) pretending there isn't one 
> where there is. In both cases, one has to sit between NAT and server, 
> observe packets, rewrite source IPs, and beat the original packet to 
> the server.
> 
> Martin
> 
> On Tue, May 4, 2021 at 6:30 AM Hannes Tschofenig 
> <Hannes.Tschofenig@arm.com> wrote:
> > Hi Martin,
> > 
> > The attack described in Section 9.3.3 of https://tools.ietf.org/html/draft-ietf-quic-transport-34#section-9.3.3 makes a lot of assumptions about the attacker.
> > 
> > I am not opposed to adding the recommendation but I want to understand it first since there is also a price to pay for it (in terms of complexity and performance). Like elsewhere there is no free lunch.
> > 
> > Reading through Section 9.3.3 "Off-Path Packet Forwarding", I noticed that the attacker needs to be able to
> > * observe the packets sent by DTLS endpoints in both directions, and
> > * replay the packets in such a way that they arrive faster than the original packets send by the DTLS endpoints, and
> > * re-write both source and destination IP address to appear like a NAT for both endpoints.
> > 
> > The last point is needed to ensure that the packet re-routing persists.
> > 
> > IMHO these assumptions hint to an on-path attacker. An on-path attacker (such as a router) can already today perform a denial of service attack on DTLS secured communication by dropping all packets.
> > 
> > Ciao
> > Hannes
> > 
> > -----Original Message-----
> > From: Martin Duke via Datatracker <noreply@ietf.org>
> > Sent: Tuesday, April 20, 2021 9:47 PM
> > To: The IESG <iesg@ietf.org>
> > Cc: draft-ietf-tls-dtls-connection-id@ietf.org; tls-chairs@ietf.org; tls@ietf.org; Joseph Salowey <joe@salowey.net>et>; joe@salowey.net
> > Subject: Martin Duke's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)
> > 
> > Martin Duke has entered the following ballot position for
> > draft-ietf-tls-dtls-connection-id-11: No Objection
> > 
> > When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
> > 
> > 
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about DISCUSS and COMMENT positions.
> > 
> > 
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-tls-dtls-connection-id/
> > 
> > 
> > 
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> > 
> > Thanks for this document.
> > 
> > Section 9.3.3 of quic-transport, which deals with basically the same security model, also requires the receiving endpoint to probe the original address, not just the new one, to address a somewhat more difficult attack. It would be good to at least RECOMMEND this behavior for DTLS applications, and/or (repeat/informatively reference) the logic there.
> > 
> > 
> > 
> > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS%40ietf.org>
> https://www.ietf.org/mailman/listinfo/tls
>