Hi all,

Yoav added a couple of new issues into the tracker,
so I'd like to initiate the discussion of these issues.

The first issue (#229) is concerned with the inconsistency of the puzzle
solution time with the current definition of the puzzle.
So the question - should we change the puzzle definition
so that the deviation of the time required to solve it becomes smaller
(ideally - all equally difficult puzzles should be solved in constant time
by equal hosts).

My opinion is that while this is a desirable property, it is not so important
in real life. First, even if we make puzzle constant-time for equal
initiators, it won't help since in real life the initiators are different
and their computational power can differ even more than the deviation
of solution time with the current puzzle definition. In other words,
the real difficulty of any given puzzle is a relative value and it includes
not only the requested number of zero bits, but also the computational power
of the initiator, which is in any case an unknown value for the responder.
And second - the draft is about DDoS protection. It implies that
the attack would involve many thousands of attackers. In this
situation the deviation of puzzle difficulty becomes less important,
since statistically the puzzle solving time as it is seen from the
responder's point of view will be close to average. Of course, for any
given initiator it will be a lottery and sometimes a powerful attacker
will receive an easy puzzle and sometimes a weak legacy initiator will
receive a difficult puzzle.
I see nothing fatal in the former - yes some DoS attacks will be successful.
The protocol doesn't have the goal to completely eliminate the
possibility of DoS attacks (and I don't think it is ever possible),
but to make it harder for attackers. What about the latter -
the protocol should consider such situation and should
leave an initiator a chance to establish IKE SA even if
the initiator is weak and the puzzle appeared to be difficult.

So the conclusion - I don't think we should change puzzle definition so
that it becomes close to constant-time given the little value that it would
give us (taking into consideration the vast diversity of clients)
and the complexity it would involve and the increasing of the size of IKE messages.

Regards,
Valery.



#229: Need to decide the nature of the puzzle

Current text has PRF based puzzles: for a given cookie and difficulty
level, find a key k, such that PRF(k, cookie) has at least l trailing zero
bits.
The problem with this puzzle is that while the expected time to solve this
puzzle is 2^l, the actual time varies wildly.

Scott Fluhrer suggested ([1]) that we use another kind of puzzle that is
closer to constant-time. That requires more up-front work on the part of
the responder (creating a new opportunity for DoS?) and larger IKE_SA_INIT
requests. IKE_SA_INIT requests are not protected by IKEv2 fragmentation.

[1] http://www.ietf.org/mail-archive/web/ipsec/current/msg09601.html

--
Reporter:   ynir.i...@gmail.com
Owner:      draft-ietf-ipsecme-ddos-protect...@tools.ietf.org
Type:       task
Status:     new
Priority:   normal
Milestone:
Component:  ddos-protection
Severity:   Active WG Document
Keywords:

Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/229>
ipsecme <http://tools.ietf.org/ipsecme/>
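
To make the spread discussed in this thread concrete, here is an added simulation; it is not code from the draft, the ticket or either author. It assumes HMAC-SHA256 as the PRF, keys tried as 8-byte counters and constructed cookies, and reports how per-initiator attempt counts scatter around 2^l while the mean over many initiators stays close to it.

```python
import hashlib
import hmac
import statistics

def trailing_zero_bits(digest: bytes) -> int:
    """Count zero bits at the least-significant end of the PRF output."""
    value = int.from_bytes(digest, "big")
    if value == 0:
        return len(digest) * 8
    return (value & -value).bit_length() - 1

def prf(key: bytes, cookie: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for whatever PRF the peers negotiate.
    return hmac.new(key, cookie, hashlib.sha256).digest()

def verify(key: bytes, cookie: bytes, l: int) -> bool:
    """Responder side: a single PRF call, whatever the difficulty l."""
    return trailing_zero_bits(prf(key, cookie)) >= l

def solve(cookie: bytes, l: int) -> tuple[bytes, int]:
    """Initiator side: try keys 0, 1, 2, ... and return (key, attempts)."""
    attempts = 0
    while True:
        key = attempts.to_bytes(8, "big")  # assumption: counter-valued keys
        attempts += 1
        if verify(key, cookie, l):
            return key, attempts

def attempt_stats(l: int, initiators: int) -> dict:
    """Give each simulated initiator its own puzzle; summarise the work."""
    counts = []
    for i in range(initiators):
        # Constructed cookie, derived from the index so runs are repeatable.
        cookie = hashlib.sha256(b"constructed" + i.to_bytes(4, "big")).digest()
        counts.append(solve(cookie[:16], l)[1])
    return {
        "expected": 2 ** l, "mean": statistics.mean(counts),
        "median": statistics.median(counts), "stdev": statistics.pstdev(counts),
        "min": min(counts), "max": max(counts),
    }

if __name__ == "__main__":
    for name, value in attempt_stats(l=8, initiators=2000).items():
        print(f"{name:>8}: {value}")
```
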
