IETF Logo Mail Archive

Re: [tsvwg] L4S dual-queue re-ordering and VPNs

Jonathan Morton <chromatix99@gmail.com> Sat, 08 May 2021 14:22 UTC

Return-Path: <chromatix99@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CB3D3A1965 for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 07:22:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIXhi5C0SN_9 for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 07:22:17 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2EC23A195E for <tsvwg@ietf.org>; Sat, 8 May 2021 07:22:16 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id s25so15230708lji.0 for <tsvwg@ietf.org>; Sat, 08 May 2021 07:22:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=usCWqYivPCNKurnxPO8e71BWbRYii/X9DkeXrM2XVko=; b=nOZQQJ0IG+WsNdZSiHQYGhbzUxbSWJw8amfgs52qfroKJ6enUMmQ0WwBAbFJFWzsUp NGUoK4hjySr1/uvZfmgVt4Xuo00HKDF+vlYpGKre1xluBQRWXgAmY3euFYa6/lbI6For tPj6LCcAeawicOz4iAKnLn8I9NC5oPE8belySK1l12ZxnMsj5QM846aXHOV6MGWZ6Eoa XyxJNzfkQOirU+eokysgBUaOo9Ndyf4XXm4uBHxSIaIdRrszYm3cGAaI++O/LAx25hQQ mFJKKrtB+WCdmLjxR8393C3alQiQb6TyZH4EstGtThDO6j+yRDdCRaRDjqCI0xq4KWfb R0PA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=usCWqYivPCNKurnxPO8e71BWbRYii/X9DkeXrM2XVko=; b=OAwAlOlkE9XNJDf/BbJattC9pwapFyAqosWHl7tn1RwU4Qd7OQ5MuJKg1sXYXheQC8 BEEweCNlzpq0PWa376CdQDnpybggenaQ+OPb7+5UiWsw0XmMC77RzInYHgQvH+aGD1AH 8FlMxbneTEhcc/zQJzI+30V+eaxxioPfkZ++ImotibtEEAN5FrTmMOyHKiK7kLuAUF0h EXdtrkDLuYDhJ+oFYRGT2XyU+JRHRKBk7bLjnEJYSfXf863nU0KoXa6O3J47krYSaMmW 9f871O8zw6pcu6PY8s32h7iEaDdc4Msdc5mAS656nnPsKuq8pxKFhtuMKTJsrY6tetFY 1eoA==
X-Gm-Message-State: AOAM532SXGzbJzrqqhn0en3pTqWv9oc4yKBSUcMVyUzJoKi0bcC3gHmH 5UcMXqajorUkh0ENmmSK8Nk=
X-Google-Smtp-Source: ABdhPJyCbKPKyyheuF66u9OIMMBy0Qnz8wmthkaD2PJTQTHk/giYgqRR3Enngwlw1Mk/xY7YQFXRjA==
X-Received: by 2002:a05:651c:b28:: with SMTP id b40mr12262738ljr.454.1620483734203; Sat, 08 May 2021 07:22:14 -0700 (PDT)
Received: from jonathartonsmbp.lan (178-55-25-11.bb.dnainternet.fi. [178.55.25.11]) by smtp.gmail.com with ESMTPSA id x25sm1638441lfe.255.2021.05.08.07.22.13 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 08 May 2021 07:22:13 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Jonathan Morton <chromatix99@gmail.com>
In-Reply-To: <e15d732f64bf983975dbe507092b39f0744f7f74.camel@heistp.net>
Date: Sat, 08 May 2021 17:22:12 +0300
Cc: "Black, David" <David.Black@dell.com>, Sebastian Moeller <moeller0@gmx.de>, Greg White <g.white@CableLabs.com>, TSVWG <tsvwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <37CE31A2-E78D-479E-AC65-B49C57B7227D@gmail.com>
References: <68F275F9-8512-4CD9-9E81-FE9BEECD59B3@cablelabs.com> <1DB719E5-55B5-4CE2-A790-C110DB4A1626@gmx.de> <MN2PR19MB40452C9DD1164609A005139583569@MN2PR19MB4045.namprd19.prod.outlook.com> <e15d732f64bf983975dbe507092b39f0744f7f74.camel@heistp.net>
To: Pete Heist <pete@heistp.net>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/Qw74KPTghzeqXRbFHdDTg7ETsxM>
Subject: Re: [tsvwg] L4S dual-queue re-ordering and VPNs
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 May 2021 14:22:22 -0000

> On 8 May, 2021, at 9:45 am, Pete Heist <pete@heistp.net> wrote:
> 
> I noticed that this issue seems to affect tunnels with replay window
> sizes of 32 and 64 packets regardless of the bottleneck bandwidth,
> likely because the peak C sojourn times can also increase as the
> bandwidth decreases. IMO, this seems like a safety concern from the
> standpoint that the deployment of DualPI2 can cause harm to
> conventional traffic, in IPsec tunnels using common defaults in
> particular, beyond that which is caused by DualPI2 itself.

It turns out that there's also a Denial of Service attack enabled by this phenomenon - one which does not rely on any legitimate L4S endpoints being deployed or used.  It is a property of the passive deployment of DualQ.

We assume a VPN tunnel upon which Sequence Verification is in use (RFC-4303 ยง3.4.3), over a path that includes a DualQ-Coupled qdisc (draft-ietf-tsvwg-aqm-dualq-coupled), abbreviated DualQ.  We further assume that an attacker is able to send traffic with chosen ECN codepoints into the input end of this tunnel.  We outline two attack scenarios, the second of which further assumes that the attacker sends traffic directly over the DualQ path, not via the tunnel, which requires that the attacker knows more information than the first attack scenario.  The threat is the ability to deny any useful traffic being conveyed by the VPN tunnel, at a significantly lower cost than a conventional DDoS.

In the first attack scenario, the attacker generates two distinct streams of traffic, named Lambda and Omega, both of which are directly into the input end of the tunnel.  The Lambda stream is bulk data with an ECN codepoint that filters into the C queue - either Not-ECT or ECT(0).  The Omega stream is a low-volume stream of small packets with an ECN codepoint that filters into the L queue - either ECT(1) or CE.  It is not necessary for either stream to be accepted by a host at the receiving end, only by the endpoints of the VPN itself.

The purpose of the Lambda stream is to keep the C queue of the DualQ full, and it is sufficient to send MTU-sized packets in only slightly greater volume than the capacity of the link.  We will assume for analysis that DualQ maintains the C queue at its AQM setpoint, which is 25ms by default.

The purpose of the Omega stream is to bypass the Lambda stream by taking the "fast lane" through the DualQ instance, and thereby control the leading edge of the Sequence Verification window of the VPN receiver.  If the leading edge of the window can be kept so far ahead of the traffic arriving via the C queue that the latter always falls behind the trailing edge of the window, then the amount of useful traffic conveyed by the VPN in the same direction falls to nil - a successful Denial of Service.

The required Sequence Verification window to deny this attack scenario full effectiveness is the VPN packet throughput of the C queue multiplied by the difference in queue sojourn times between the C and L queues, plus the interval between packets delivered in the Omega stream.  Since the default SV window in some popular VPNs is 32 or 64, this attack can be fairly easy to implement.

Another mitigation that the VPN could apply is to limit the throughput of the VPN, such that it cannot by itself be used to saturate the DualQ link and thus keep the C queue full.  We address this with the second attack scenario, which bypasses such a mitigation.

In the second attack scenario, the Lambda stream is sent directly to the DualQ link rather than through the VPN.  The Omega stream is still sent through the VPN.  The properties of the two streams are mostly similar otherwise to those of the first attack scenario, but the volume of the Omega stream must be increased.

The second attack scenario will succeed if the number of Omega packets delivered during any interval of time equal to the difference between the C and L queue sojourn times is greater than the Sequence Verification window.  This is also easy to achieve if the Omega packets are small and the SV window is at the usual defaults of 32 or 64.

The cause of this attack enablement is that DualQ can reorder packets from the same flow under fairly precise control of an attacker.  A straight FIFO, or a flow-aware qdisc that treats a VPN as a single flow (such as RFC-8290 fq_codel or Cake), delivers packets from any given flow in-order, and is thus immune from this attack.  Adding DualQ-like semantics to any of these carries the risk of enabling the attack as described above.

 - Jonathan Morton

v2.23.0 | Report a Bug | By Email