Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation

Jonathan Morton <chromatix99@gmail.com> Tue, 11 May 2021 15:27 UTC

From: Jonathan Morton <chromatix99@gmail.com>
To: "Black, David" <David.Black@dell.com>
Cc: "tsvwg@ietf.org" <tsvwg@ietf.org>
Date: Tue, 11 May 2021 18:26:59 +0300
In-Reply-To: <MN2PR19MB4045206ECB759EEE5FA3C60383539@MN2PR19MB4045.namprd19.prod.outlook.com>
Message-Id: <6AA1F758-32CE-44F9-B76D-37B784CB6F06@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/XOm9Gs26T124uiZfa96tC95dM7M>

> On 11 May, 2021, at 5:56 pm, Black, David <David.Black@dell.com> wrote:
> 
> At the VPN receiver, the received L4S packets drive advancing the sliding window to higher sequence numbers.  If the sequence numbers in the arriving L4S packets get ahead of the sequence numbers in the arriving Classic packets by the size of the sliding window or more, the arriving Classic packets are dropped *even though they are not duplicates* (!).

The practical effects of this should also be described to give a full picture.

With normal, congestion-controlled traffic, the above condition results only during relatively brief periods when the C queue builds to some level (which may or may not be up to the AQM threshold).  The packets dropped for arriving outside the replay window cause a reduction in cwnd for that flow, which tends to empty the C queue.  The ultimate result is a reduction in throughput for traffic in the VPN using the C queue.

However, this behaviour can also be exploited by an attacker using unresponsive traffic to the C queue and a relatively small flow to the L queue, at least the latter being directed through the VPN.  This is capable of causing *all* VPN traffic using the C queue to be discarded due to violating the replay window, because the C queue is kept full permanently by the unresponsive traffic.  This is a Denial of Service attack which warrants a "Serious" risk severity rating.

 - Jonathan Morton
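The following simulation is an added illustration of the mechanism discussed in this thread; it is not code from the message above, from the IETF drafts, or from any IPsec implementation. It models an RFC 4303-style anti-replay bitmap window at the VPN receiver and feeds it packets that were numbered in send order but traversed two queues with different delay (the L and C queues). The alternating L/C traffic pattern, the fixed per-queue delays (a standing C queue is modelled as a constant extra delay measured in packet intervals), and the window sizes compared are constructed assumptions. The point it lets a practitioner check: Classic packets are reported "stale" and dropped, although they are not duplicates, exactly when the C queue delay (in packets) reaches the window size, and a larger receiver window (which RFC 4303 permits) moves that threshold out.

```python
"""Sliding-window anti-replay check fed through two queues of different delay.

Added illustrative simulation, not code from the mailing-list message or from
any IPsec implementation. The window logic follows the RFC 4303 bitmap scheme;
the traffic pattern, delays and window sizes are constructed assumptions.
"""
from collections import Counter


class AntiReplayWindow:
    """RFC 4303-style receiver window: `top` is the highest sequence number
    accepted so far, and bit i of `bitmap` records whether `top - i` was seen."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> str:
        """Classify seq as 'accept', 'replay' (seen already) or 'stale'
        (older than the window's left edge: dropped although not a duplicate)."""
        if seq > self.top:                      # advance the right edge
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:                   # fell off the left edge
            return "stale"
        if (self.bitmap >> diff) & 1:
            return "replay"
        self.bitmap |= 1 << diff
        return "accept"


def simulate(window_size: int, c_delay: int, l_delay: int = 0,
             n_packets: int = 400, pattern: str = "LC") -> dict:
    """Send n_packets (seq 1..n, one per time unit) through the VPN; packet i
    is routed to queue pattern[i % len(pattern)]. Each queue adds a fixed delay
    in time units (a standing C queue is modelled as a constant extra delay).
    Returns {'L': Counter, 'C': Counter} of the receiver's verdicts per queue."""
    delay = {"L": l_delay, "C": c_delay}
    arrivals = []
    for i in range(n_packets):
        queue = pattern[i % len(pattern)]
        arrivals.append((i + delay[queue], i + 1, queue))   # (arrival, seq, queue)
    arrivals.sort()                                         # receiver sees arrival order
    window = AntiReplayWindow(window_size)
    verdicts = {"L": Counter(), "C": Counter()}
    for _, seq, queue in arrivals:
        verdicts[queue][window.check(seq)] += 1
    return verdicts


if __name__ == "__main__":
    # C delay below the window: no false drops; at/over it: most C packets dropped
    # as stale; a larger window restores them.
    for win, c_delay in [(64, 32), (64, 66), (1024, 66)]:
        v = simulate(win, c_delay)
        print(f"window={win:5d} C-queue delay={c_delay:3d} pkts: "
              f"C stale={v['C']['stale']:3d} C accept={v['C']['accept']:3d} "
              f"L accept={v['L']['accept']:3d}")
```

With the default 64-packet window and a C-queue delay of 32 packet intervals every packet is accepted; at 66 intervals only the last few Classic packets (sent after the L stream has ended) survive, while every Low-latency packet is still accepted, which is the throughput collapse for C-queue VPN traffic described above. Raising the window to 1024 removes the drops for this delay, so the receiver window size relative to the expected C-queue depth is the parameter to check when such a deployment is assessed.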