I get your point, but I think this is more than unfortunate, this is
real ugly. RFC 7383 is primarily about IKE_AUTH, and now, in the case of
those broken networks that limit the MTU, we are reducing the effective
MTU yet again.

Not much, a dozen bytes.

But I think we're looking at the wrong problem. Let us look at why we
might need to add puzzles to IKE_AUTH at all. There are two cases:
- The IKE SA is set up by a valid initiator.
- The IKE SA is set up by an attacker.
In the first case, the responder needs to compute SKEYSEED anyway. It
should compute it once and cache it, even if it sees multiple bogus
IKE_AUTH messages sent by attackers. Verifying IKE_AUTH messages is
cheap once SKEYSEED has been computed, because you only need to verify
that the SK integrity protection is valid. The (valid) initiator "pays
the price" once, in the form of an IKE_SA_INIT puzzle.
In the second case, the attacker also pays the price if we have a puzzle
attached to IKE_SA_INIT. And the responder only computes SKEYSEED once,
and caches the result. Since SKEYSEED is known to the attacker, it can
send valid SK payloads, and the responder is forced to validate the
certificate (expensive). So attaching a puzzle to IKE_AUTH is justified,
to make the attacker pay for each certificate validation.
But this also shows that the IKE_SA_INIT puzzle is sufficient to
counteract the cost of computing SKEYSEED (which is all you need for
reassembly), and even when using fragmentation, this is only done once.

I agree with your analysis. However, I'm not sure I agree with the conclusion.
The IKE_SA_INIT puzzle defends against exhausting the responder's
memory, while the IKE_AUTH puzzle defends against exhausting CPU power.
My primary concern is a distributed DoS attack when the attackers
are indistinguishable from legitimate clients. In this case
the attacker does pay the price of the IKE_SA_INIT puzzle,
but after that it is free to attack the responder's CPU by
sending bogus messages or valid messages
with bogus content. I agree that once SKEYSEED is computed
the bogus messages are easy to detect. However,
performing DH is relatively expensive for the responder,
while sending a bogus message is free for the attacker
(once it has paid an "entrance fee"), which makes this
attack attractive. Another option is sending valid
messages with bogus auth content, which will require
the responder to do a lot of work. It will require the attacker
to compute SKEYSEED, but the responder
would have to spend much more resources,
so the attack is also attractive. The IKE_AUTH puzzle
eliminates the first attack and makes the second
expensive for the attacker.
The IKE_AUTH puzzle is just a "second line of defense".
You are probably right that we can get rid of it
and raise the difficulty level of the "first line",
but I'm not yet sure that we will gain an equal effect.
Regards,
Valery.
Thanks,
Yaron
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
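
A toy model of the cost argument in the thread above, added here as an illustration; it is not code from either participant or from any IKEv2 implementation. It counts the responder's expensive operations when SKEYSEED is computed once and cached. Assumptions: the group is a constructed toy, the key schedule is reduced to SKEYSEED plus one integrity key, the names `Responder`, `sk_a` and `simulate` are hypothetical, and the SA is kept after a failed AUTH check.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # constructed toy group, far too small for real use

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def sk_a(shared, ni, nr):
    """Simplified schedule: SKEYSEED = prf(Ni | Nr, g^ir), then one integrity key."""
    return prf(prf(ni + nr, shared.to_bytes(16, "big")), b"SK_a")

class Responder:
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.half_open = {}   # SPI pair -> (KEi, Ni, Nr), state held since IKE_SA_INIT
        self.keys = {}        # SPI pair -> cached integrity key
        self.dh_ops = 0       # expensive: DH computations performed
        self.auth_checks = 0  # expensive: stand-in for certificate validation

    def on_sa_init(self, spis, ke_i, ni, nr):
        self.half_open[spis] = (ke_i, ni, nr)

    def on_ike_auth(self, spis, body, icv):
        if spis not in self.half_open:
            return "no-sa"
        if spis not in self.keys:             # only the first IKE_AUTH pays for DH
            ke_i, ni, nr = self.half_open[spis]
            self.dh_ops += 1
            self.keys[spis] = sk_a(pow(ke_i, self.priv, P), ni, nr)
        if not hmac.compare_digest(prf(self.keys[spis], body), icv):
            return "dropped"                  # cheap reject: one HMAC
        self.auth_checks += 1                 # valid SK payload forces the costly check
        return "auth-checked"

def simulate(n_bogus_icv, n_bogus_auth):
    """Return (dh_ops, auth_checks) after one SA receives the given traffic."""
    r = Responder()
    x = secrets.randbelow(P - 2) + 1          # sender that completed IKE_SA_INIT
    spis = (b"SPIi", b"SPIr")                 # constructed sample SPIs
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    r.on_sa_init(spis, pow(G, x, P), ni, nr)
    key = sk_a(pow(r.pub, x, P), ni, nr)      # sender can derive the same key
    for i in range(n_bogus_icv):              # garbage messages with a bad ICV
        r.on_ike_auth(spis, b"junk %d" % i, b"\x00" * 32)
    for i in range(n_bogus_auth):             # valid SK protection, bogus content
        body = b"bogus AUTH %d" % i
        r.on_ike_auth(spis, body, prf(key, body))
    return r.dh_ops, r.auth_checks
```

In this model the DH count stays at one per SA however many bad-ICV messages arrive, while every correctly protected message with bogus content adds one expensive authentication check.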