draft-ietf-ipsecme-ddos-protection-01.txt   draft-ietf-ipsecme-ddos-protection-02.txt 
IPSecME Working Group Y. Nir IPSecME Working Group Y. Nir
Internet-Draft Check Point Internet-Draft Check Point
Intended status: Standards Track V. Smyslov Intended status: Standards Track V. Smyslov
Expires: September 9, 2015 ELVIS-PLUS Expires: January 6, 2016 ELVIS-PLUS
March 8, 2015 July 5, 2015
Protecting Internet Key Exchange (IKE) Implementations from Distributed Protecting Internet Key Exchange (IKE) Implementations from Distributed
Denial of Service Attacks Denial of Service Attacks
draft-ietf-ipsecme-ddos-protection-01 draft-ietf-ipsecme-ddos-protection-02
Abstract Abstract
This document recommends implementation and configuration best This document recommends implementation and configuration best
practices for Internet-connected IPsec Responders, to allow them to practices for Internet-connected IPsec Responders, to allow them to
resist Denial of Service and Distributed Denial of Service attacks. resist Denial of Service and Distributed Denial of Service attacks.
Additionally, the document introduces a new mechanism called "Client Additionally, the document introduces a new mechanism called "Client
Puzzles" that help accomplish this task. Puzzles" that help accomplish this task.
Status of This Memo Status of This Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 9, 2015. This Internet-Draft will expire on January 6, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 5, line 21 skipping to change at page 5, line 21
At this point, filling up the half-open SA database in no longer the At this point, filling up the half-open SA database in no longer the
most efficient DoS attack. The attacker has two ways to do better: most efficient DoS attack. The attacker has two ways to do better:
1. Go back to spoofed addresses and try to overwhelm the CPU that 1. Go back to spoofed addresses and try to overwhelm the CPU that
deals with generating cookies, or deals with generating cookies, or
2. Take the attack to the next level by also sending an 2. Take the attack to the next level by also sending an
Authentication request. Authentication request.
I don't think the first thing is something we can deal with at the It seems that the first thing cannot be dealt with at the IKE level.
IKE level. It's probably better left to Intrusion Prevention System It's probably better left to Intrusion Prevention System (IPS)
(IPS) technology. technology.
Sending an Authentication request is surprisingly cheap. It requires On the other hand sending an Authentication request is surprisingly
a proper IKE header with the correct IKE SPIs, and it requires a cheap. It requires a proper IKE header with the correct IKE SPIs,
single encrypted payload. The content of the payload might as well and it requires a single encrypted payload. The content of the
be junk. The responder has to perform the relatively expensive key payload might as well be junk. The responder has to perform the
derivation, only to find that the Authentication request does not relatively expensive key derivation, only to find that the
decrypt. Depending on the responder implementation, this can be Authentication request does not decrypt. Depending on the responder
repeated with the same half-open SA (if the responder does not delete implementation, this can be repeated with the same half-open SA (if
the half-open SA following an unsuccessful decryption - see the responder does not delete the half-open SA following an
discussion in Section 4). unsuccessful decryption - see discussion in Section 4).
Here too, the number of half-open SAs that the attacker can achieve Here too, the number of half-open SAs that the attacker can achieve
is crucial, because each one of them allows the attacker to waste is crucial, because each one of them allows the attacker to waste
some CPU time. So making it hard to make many half-open SAs is some CPU time. So making it hard to make many half-open SAs is
important. important.
A strategy against DDoS has to rely on at least 4 components: A strategy against DDoS has to rely on at least 4 components:
1. Hardening the half-open SA database by reducing retention time. 1. Hardening the half-open SA database by reducing retention time.
skipping to change at page 6, line 11 skipping to change at page 6, line 11
4. Increasing cost of half-open SA up to what is tolerable for 4. Increasing cost of half-open SA up to what is tolerable for
legitimate clients. legitimate clients.
Puzzles have their place as part of #4. Puzzles have their place as part of #4.
3. Puzzles 3. Puzzles
The puzzle introduced here extends the cookie mechanism from RFC The puzzle introduced here extends the cookie mechanism from RFC
7296. It is loosely based on the proof-of-work technique used in 7296. It is loosely based on the proof-of-work technique used in
BitCoins ([bitcoins]). Future versions of this document will have BitCoins ([bitcoins]).
the exact bit structure of the notification payloads, but for now, I
will only describe the semantics of the content.
A puzzle is sent to the Initiator in two cases: A puzzle is sent to the Initiator in two cases:
o The Responder is so overloaded, than no half-open SAs are allowed o The Responder is so overloaded, than no half-open SAs are allowed
to be created without the puzzle, or to be created without the puzzle, or
o The Responder is not too loaded, but the rate-limiting in o The Responder is not too loaded, but the rate-limiting in
Section 5 prevents half-open SAs from being created with this Section 5 prevents half-open SAs from being created with this
particular peer address or prefix without first solving a puzzle. particular peer address or prefix without first solving a puzzle.
When the Responder decides to send the challenge notification in When the Responder decides to send the challenge notification in
response to a IKE_SA_INIT request, the notification includes three response to a IKE_SA_INIT request, the notification includes three
fields: fields:
1. Cookie - this is calculated the same as in RFC 7296. As in RFC 1. Cookie - this is calculated the same as in RFC 7296. As in RFC
7296, the process of generating the cookie is not specified. 7296, the process of generating the cookie is not specified.
2. Algorithm, this is the identifier of a PRF algorithm, one of 2. Algorithm, this is the identifier of a PRF algorithm, one of
those proposed by the Initiator in the SA payload. those proposed by the Initiator in the SA payload.
3. Zero Bit Count. This is a number between 8 and 255 that 3. Zero Bit Count. This is a number between 8 and 255 (or a special
represents the length of the zero-bit run at the end of the value - 0, see Section 8.1.1.1) that represents the length of the
output of the PRF function calculated over the Keyed-Cookie zero-bit run at the end of the output of the PRF function
payload that the Initiator is to send. Since the mechanism is calculated over the Keyed-Cookie payload that the Initiator is to
supposed to be stateless for the Responder, the same value is send. Since the mechanism is supposed to be stateless for the
sent to all Initiators who are receiving this challenge. The Responder, either the same value is sent to all Initiators who
values 0 and 1-8 are explicitly excluded, because the value zero are receiving this challenge or the value is somehow encoded in
is meaningless, and the values 1-8 create a puzzle that is too the cookie. The values 1-8 are explicitly excluded, because they
easy to solve for it to make any difference in mitigating DDoS create a puzzle that is too easy to solve for it to make any
attacks. difference in mitigating DDoS attacks.
Upon receiving this challenge payload, the Initiator attempts to Upon receiving this challenge payload, the Initiator attempts to
calculate the PRF using different keys. When a key is found such calculate the PRF using different keys. When a key is found such
that the resulting PRF output has a sufficient number of trailing that the resulting PRF output has a sufficient number of trailing
zero bits, that result is sent to the Responder in a Keyed-Cookie zero bits, that result is sent to the Responder in a Keyed-Cookie
notification, as described in Section 3.1. notification, as described in Section 3.1.
When receiving a request with a Keyed-Cookie, the Responder verifies When receiving a request with a Keyed-Cookie, the Responder verifies
two things: two things:
skipping to change at page 7, line 50 skipping to change at page 7, line 48
| 0b13cd9a | 00b97bb323d6d33350000000 | 28 | 247.914 | | 0b13cd9a | 00b97bb323d6d33350000000 | 28 | 247.914 |
| 37dc96e4 | 1e24babc92234aa3a0000000 | 29 | 1237.170 | | 37dc96e4 | 1e24babc92234aa3a0000000 | 29 | 1237.170 |
| 7a1a56d8 | c98f0061e380a49e00000000 | 33 | 2726.150 | | 7a1a56d8 | c98f0061e380a49e00000000 | 33 | 2726.150 |
+----------+--------------------------+----------+------------------+ +----------+--------------------------+----------+------------------+
Table 1: COOKIE=fdbcfa5a430d7201282358a2a034de0013cfe2ae Table 1: COOKIE=fdbcfa5a430d7201282358a2a034de0013cfe2ae
The figures above were obtained on a 2.4 GHz single core i5. Run The figures above were obtained on a 2.4 GHz single core i5. Run
times can be halved or quartered with multi-core code, but would be times can be halved or quartered with multi-core code, but would be
longer on mobile phone processors, even if those are multi-core as longer on mobile phone processors, even if those are multi-core as
well. With these figures I believe that 20 bits is a reasonable well. With these figures 20 bits is believed to be a reasonable
choice for puzzle level difficulty for all Initiators, with 24 bits choice for puzzle level difficulty for all Initiators, with 24 bits
acceptable for specific hosts/prefixes. acceptable for specific hosts/prefixes.
3.1. The Keyed-Cookie Notification 3.1. The Keyed-Cookie Notification
To be added To be added
3.2. The Puzzle-Required Notification 3.2. The Puzzle-Required Notification
To be added To be added
skipping to change at page 11, line 27 skipping to change at page 11, line 27
Initiators. This will force the attacker to use real source Initiators. This will force the attacker to use real source
addresses, and help avoid the need to impose a greater burden in the addresses, and help avoid the need to impose a greater burden in the
form of cookies on the general population of initiators. This makes form of cookies on the general population of initiators. This makes
the per-node or per-prefix soft limit more effective. the per-node or per-prefix soft limit more effective.
When Cookies are activated for all requests and the attacker is still When Cookies are activated for all requests and the attacker is still
managing to consume too many resources, the Responder MAY increase managing to consume too many resources, the Responder MAY increase
the difficulty of puzzles imposed on IKE_SA_INIT requests coming from the difficulty of puzzles imposed on IKE_SA_INIT requests coming from
suspicious nodes/prefixes. It should still be doable by all suspicious nodes/prefixes. It should still be doable by all
legitimate peers, but it can degrade experience, for example by legitimate peers, but it can degrade experience, for example by
taking up to 10 seconds to calculate the cookie extension. taking up to 10 seconds to solve the puzzle.
If the load on the Responder is still too great, and there are many If the load on the Responder is still too great, and there are many
nodes causing multiple half-open SAs or IKE_AUTH failures, the nodes causing multiple half-open SAs or IKE_AUTH failures, the
Responder MAY impose hard limits on those nodes. Responder MAY impose hard limits on those nodes.
If it turns out that the attack is very widespread and the hard caps If it turns out that the attack is very widespread and the hard caps
are not solving the issue, a puzzle MAY be imposed on all Initiators. are not solving the issue, a puzzle MAY be imposed on all Initiators.
Note that this is the last step, and the Responder should avoid this Note that this is the last step, and the Responder should avoid this
if possible. if possible.
skipping to change at page 12, line 9 skipping to change at page 12, line 9
the IKE_SESSION_RESUME response message, as allowed by RFC 5723, Sec. the IKE_SESSION_RESUME response message, as allowed by RFC 5723, Sec.
4.3.2. Note that the Responder SHOULD cache tickets for a short time 4.3.2. Note that the Responder SHOULD cache tickets for a short time
to reject reused tickets (Sec. 4.3.1), and therefore there should be to reject reused tickets (Sec. 4.3.1), and therefore there should be
no issue of half-open SAs resulting from replayed IKE_SESSION_RESUME no issue of half-open SAs resulting from replayed IKE_SESSION_RESUME
messages messages
7. Operational Considerations 7. Operational Considerations
[This section needs a lot of expanding] [This section needs a lot of expanding]
Not all Initiators support the puzzles, but all initiators are
supposed to support stateless cookies. If this notification is sent
to a non-supporting but legitimate initiator, the exchange will fail.
Responders are advised to first try to mitigate the DoS using
stateless cookies, even imposing them generally before resorting to
using puzzles.
The difficulty level should be set by balancing the requirement to The difficulty level should be set by balancing the requirement to
minimize the latency for legitimate initiators and making things minimize the latency for legitimate initiators and making things
difficult for attackers. A good rule of thumb is for taking about 1 difficult for attackers. A good rule of thumb is for taking about 1
second to solve the puzzle. A typical initiator or bot-net member in second to solve the puzzle. A typical initiator or bot-net member in
2014 can perform slightly less than a million hashes per second per 2014 can perform slightly less than a million hashes per second per
core, so setting the difficulty level to n=20 is a good compromise. core, so setting the difficulty level to n=20 is a good compromise.
It should be noted that mobile initiators, especially phones are It should be noted that mobile initiators, especially phones are
considerably weaker than that. Implementations should allow considerably weaker than that. Implementations should allow
administrators to set the difficulty level, and/or be able to set the administrators to set the difficulty level, and/or be able to set the
difficulty level dynamically in response to load. difficulty level dynamically in response to load.
Initiators should set a maximum difficulty level beyond which they Initiators should set a maximum difficulty level beyond which they
won't try to solve the puzzle and log or display a failure message to won't try to solve the puzzle and log or display a failure message to
the administrator or user. the administrator or user.
8. Using Puzzles in the Protocol 8. Using Puzzles in the Protocol
8.1. Puzzles in IKE_SA_INIT Exchange 8.1. Puzzles in IKE_SA_INIT Exchange
IKE initiator indicates the desire to create new IKE SA by sending IKE initiator indicates the desire to create a new IKE SA by sending
IKE_SA_INIT request message. The message may optionally contain IKE_SA_INIT request message. The message may optionally contain
COOKIE notification if this is a repeated request after the responder COOKIE notification if this is a repeated request performed after the
asked initiator to return a cookie. responder's demand to return a cookie.
HDR, [N(COOKIE),] SA, KE, Ni, [V+][N+] --> HDR, [N(COOKIE),] SA, KE, Ni, [V+][N+] -->
According to the plan, described in Section 6, IKE responder should According to the plan, described in Section 6, IKE responder should
monitor incoming requests to detect whether it is under attack. If monitor incoming requests to detect whether it is under attack. If
the responder learns that (D)DoS attack is likely to be in progress, the responder learns that (D)DoS attack is likely to be in progress,
then it either requests the initiator to return cookie or, if the then it either requests the initiator to return a cookie or, if the
volume is so high, that puzzles need to be used for defense, it volume is so high, that puzzles need to be used for defense, it
requests the initiator to solve the puzzle. requests the initiator to solve a puzzle.
The responder MAY choose to process some fraction of IKE_SA_INIT The responder MAY choose to process some fraction of IKE_SA_INIT
requests without presenting a puzzle even being under attack to allow requests without presenting a puzzle even being under attack to allow
legacy clients, that don't support puzzles, to have chances be legacy clients, that don't support puzzles, to have chances to be
served. The decision whether to process any particular request must served. The decision whether to process any particular request must
be probabilistic, with the probability depending on the responder's be probabilistic, with the probability depending on the responder's
load (i.e. on the volume of the attack). Only those requests, that load (i.e. on the volume of attack). Only those requests, that
contain COOKIE notification, must participate in this lottery. In contain COOKIE notification, must participate in this lottery. In
other words, the responder MUST first perform return routability other words, the responder MUST first perform return routability
check before allowing any legacy client to be served if it is under check before allowing any legacy client to be served if it is under
attack. See Section 8.1.3 for details. attack. See Section 8.1.3 for details.
8.1.1. Presenting Puzzle 8.1.1. Presenting Puzzle
If the responder takes a decision to use puzzles, then it includes If the responder takes a decision to use puzzles, then it includes
two notifications in its response message - the COOKIE notification two notifications in its response message - the COOKIE notification
and the PUZZLE notification. The format of the PUZZLE notification and the PUZZLE notification. The format of the PUZZLE notification
is described in Section 10.1. is described in Section 10.1.
<-- HDR, N(COOKIE), N(PUZZLE), [V+][N+] <-- HDR, N(COOKIE), N(PUZZLE), [V+][N+]
The presence of these notifications in IKE_SA_INIT response message The presence of these notifications in an IKE_SA_INIT response
indicates to the initiator that it should solve the puzzle to get message indicates to the initiator that it should solve the puzzle to
better chances to be served. get better chances to be served.
8.1.1.1. Selecting Puzzle Difficulty Level 8.1.1.1. Selecting Puzzle Difficulty Level
The PUZZLE notification contains the difficulty level of the puzzle - The PUZZLE notification contains the difficulty level of the puzzle -
the minimum number of trailing zero bits that the result of PRF must the minimum number of trailing zero bits that the result of PRF must
contain. In diverse environments it is next to impossible for the contain. In diverse environments it is next to impossible for the
responder to set any specific difficulty level that will result in responder to set any specific difficulty level that will result in
roughly the same amount of work for all initiators, because roughly the same amount of work for all initiators, because
computation power of different initiators may vary by the order of computation power of different initiators may vary by the order of
magnitude, or even more. The responder may set difficulty level to magnitude, or even more. The responder may set difficulty level to
0, meaning that the initiator is requested to spend as much power to 0, meaning that the initiator is requested to spend as much power to
solve puzzle, as it can afford. In this case no specific number of solve puzzle, as it can afford. In this case no specific number of
trailing zero bits is required from the initiator, however the more trailing zero bits is required from the initiator, however the more
bits initiator is able to get, the higher chances it will have to be bits initiator is able to get, the higher chances it will have to be
served by the responder. In diverse environments it is RECOMMENDED served by the responder. In diverse environments it is RECOMMENDED
that the initiator sets difficulty level to 0. that the initiator sets difficulty level to 0, unless the attack
volume is very high.
If the responder sets non-zero difficulty level, then the level If the responder sets non-zero difficulty level, then the level
should be determined by analyzing the volume of the attack. The should be determined by analyzing the volume of the attack. The
responder MAY set different difficulty levels to different requestd responder MAY set different difficulty levels to different requestd
depending on the IP address the request has come from. depending on the IP address the request has come from.
8.1.1.2. Selecting Puzzle Algorithm 8.1.1.2. Selecting Puzzle Algorithm
The PUZZLE notification also contains identificator of the algorithm, The PUZZLE notification also contains identificator of the algorithm,
that must be used by initiator in puzzle solution. that must be used by initiator to compute puzzle.
Cryptographic algorithm agility is considered an important feature Cryptographic algorithm agility is considered an important feature
for modern protocols ([ALG-AGILITY]). This feature ensures that for modern protocols ([ALG-AGILITY]). This feature ensures that
protocol doesn't rely on a single build-in set of cryptographic protocol doesn't rely on a single build-in set of cryptographic
algorithms, but has a means to replace one set with another and algorithms, but has a means to replace one set with another and
negotiate new set with the peer. IKEv2 fully supports cryptographic negotiate new set with the peer. IKEv2 fully supports cryptographic
algorithm agility for its core operations. algorithm agility for its core operations.
To support this feature in case of puzzles the algorithm, that is To support this feature in case of puzzles the algorithm, that is
used to compute puzzle, needs to be negotiated during IKE_SA_INIT used to compute puzzle, needs to be negotiated during IKE_SA_INIT
skipping to change at page 14, line 31 skipping to change at page 14, line 27
reason to return a puzzle. In this case the responder returns reason to return a puzzle. In this case the responder returns
NO_PROPOSAL_CHOSEN notification. Note that PRF is a mandatory NO_PROPOSAL_CHOSEN notification. Note that PRF is a mandatory
transform type for IKE SA (see Sections 3.3.2 and 3.3.3 of [RFC7296]) transform type for IKE SA (see Sections 3.3.2 and 3.3.3 of [RFC7296])
and at least one transform of this type must always be present in SA and at least one transform of this type must always be present in SA
payload in IKE_SA_INIT exchange. payload in IKE_SA_INIT exchange.
8.1.1.3. Generating Cookie 8.1.1.3. Generating Cookie
If responder supports puzzles then cookie should be computed in such If responder supports puzzles then cookie should be computed in such
a manner, that the responder is able to learn some important a manner, that the responder is able to learn some important
information from the sole cookie, when it is returned back by information from the sole cookie, when it is later returned back by
initiator. In particular - the responder should be able to learn the initiator. In particular - the responder should be able to learn the
following information: following information:
o Whether the puzzle was given to the initiator or only the cookie o Whether the puzzle was given to the initiator or only the cookie
was requested. was requested.
o The difficulty level of the puzzle given to the initiator. o The difficulty level of the puzzle given to the initiator.
o The number of consecutive puzzles given to the initiator. o The number of consecutive puzzles given to the initiator.
skipping to change at page 16, line 46 skipping to change at page 16, line 44
First, the responder determines if it requested only a cookie, or First, the responder determines if it requested only a cookie, or
presented a puzzle to the initiator. If no puzzle was given, then it presented a puzzle to the initiator. If no puzzle was given, then it
means that at the time the responder requested a cookie it didn't means that at the time the responder requested a cookie it didn't
detect the (D)DoS attack or the attack volume was low. In this case detect the (D)DoS attack or the attack volume was low. In this case
the received request message must not contain the PS payload, and the received request message must not contain the PS payload, and
this payload MUST be ignored if for any reason the message contains this payload MUST be ignored if for any reason the message contains
it. Since no puzzle was given, the responder marks the request with it. Since no puzzle was given, the responder marks the request with
the lowest priority since the initiator spent a little resources the lowest priority since the initiator spent a little resources
creating it. creating it.
If the responder learns from the cookie that the puzzle was given to If the responder learns from the cookie that puzzle was given to the
the initiator, then it looks for the PS payload to determine whether initiator, then it looks for the PS payload to determine whether its
its request to solve the puzzle was honored or not. If the incoming request to solve the puzzle was honored or not. If the incoming
message doesn't contain PS payload, then it means that the initiator message doesn't contain PS payload, then it means that the initiator
either doesn't support puzzles or doesn't want to deal with them. In either doesn't support puzzles or doesn't want to deal with them. In
either case the request is marked with the lowest priority since the either case the request is marked with the lowest priority since the
initiator spent a little resources creating it. initiator spent a little resources creating it.
If PS payload is found in the message then the responder MUST verify If PS payload is found in the message then the responder MUST verify
the puzzle solution that it contains. The result must contain at the puzzle solution that it contains. The result must contain at
least the requested number of trailing zero bits (that is also least the requested number of trailing zero bits (that is also
learned from the cookie, as well as the PRF algorithm used in puzzle learned from the cookie, as well as the PRF algorithm used in puzzle
solution). If the result of the solution contais fewer bits, than solution). If the result of the solution contais fewer bits, than
skipping to change at page 18, line 8 skipping to change at page 18, line 8
The responder SHOULD accept incoming request if its priority is high The responder SHOULD accept incoming request if its priority is high
- it means that the initiator spent quite a lot of resources. The - it means that the initiator spent quite a lot of resources. The
responder MAY also accept some of low-priority requests where the responder MAY also accept some of low-priority requests where the
initiators don't support puzzles. The percentage of accepted legacy initiators don't support puzzles. The percentage of accepted legacy
requests depends on the responder's current load. requests depends on the responder's current load.
If initiator solved the puzzle, but didn't spend much resources for If initiator solved the puzzle, but didn't spend much resources for
it (the selected puzzle difficulty level appeared to be low and the it (the selected puzzle difficulty level appeared to be low and the
initiator solved it quickly), then the responder SHOULD give it initiator solved it quickly), then the responder SHOULD give it
another puzzle. The more puzzles the initiator solve the higher another puzzle. The more puzzles the initiator solves the higher
would be its chances ro be served. would be its chances ro be served.
The details of how the responder takes decision on any particular The details of how the responder takes decision on any particular
request are implementation dependant. The responder can collect all request are implementation dependant. The responder can collect all
the incoming requests for some short period of time, sort them out the incoming requests for some short period of time, sort them out
based on their priority, calculate the number of alailable memory based on their priority, calculate the number of alailable memory
slots for half-open IKE SAs and then serve that number of the slots for half-open IKE SAs and then serve that number of the
requests from the head of the sorted list. The rest of requests can requests from the head of the sorted list. The rest of requests can
be either discarded or responded to with new puzzles. be either discarded or responded to with new puzzles.
skipping to change at page 18, line 31 skipping to change at page 18, line 31
priority and the available resources. priority and the available resources.
8.2. Puzzles in IKE_AUTH Exchange 8.2. Puzzles in IKE_AUTH Exchange
Once the IKE_SA_INIT exchange is completed, the responder has created Once the IKE_SA_INIT exchange is completed, the responder has created
a state and is awaiting for the first message of the IKE_AUTH a state and is awaiting for the first message of the IKE_AUTH
exchange from initiator. At this point the initiator has already exchange from initiator. At this point the initiator has already
passed return routability check and has proved that it has performed passed return routability check and has proved that it has performed
some work to complete IKE_SA_INIT exchange. However, the initiator some work to complete IKE_SA_INIT exchange. However, the initiator
is not yet authenticated and this fact allows malicious initiator to is not yet authenticated and this fact allows malicious initiator to
conduct an attack, described in Section 2. Unlike DoS attack in perform an attack, described in Section 2. Unlike DoS attack in
IKE_SA_INIT exchange, which is targeted on the responder's memory IKE_SA_INIT exchange, which is targeted on the responder's memory
resources, the goal of this attack is to exhaust responder's CPU resources, the goal of this attack is to exhaust responder's CPU
power. The attack is performed by sending the first IKE_AUTH message power. The attack is performed by sending the first IKE_AUTH message
containing garbage. This costs nothing to the initiator, but the containing garbage. This costs nothing to the initiator, but the
responder has to do relatively costly operations of computing the responder has to do relatively costly operations of computing the
Diffie-Hellman shared secret and deriving SK_* keys to be able to Diffie-Hellman shared secret and deriving SK_* keys to be able to
verify authenticity of the message. If the responder doesn't save verify authenticity of the message. If the responder doesn't keep
the computed keys after unsuccessful verification of IKE_AUTH the computed keys after unsuccessful verification of IKE_AUTH
message, then the attack can be repeated several times on the same message, then the attack can be repeated several times on the same
IKE SA. IKE SA.
The responder can use puzzles to make this attack more costly for the The responder can use puzzles to make this attack more costly for the
initiator. The idea is that the responder includes puzzle in the initiator. The idea is that the responder includes puzzle in the
IKE_SA_INIT response message and the initiator includes puzzle IKE_SA_INIT response message and the initiator includes puzzle
solution in the first IKE_AUTH request message outside the Encrypted solution in the first IKE_AUTH request message outside the Encrypted
payload, so that the responder is able to verify puzzle solution payload, so that the responder is able to verify puzzle solution
before computing Diffie-Hellman shared secret. The difficulty level before computing Diffie-Hellman shared secret. The difficulty level
skipping to change at page 19, line 28 skipping to change at page 19, line 28
puzzle has been previously presented and solved in the preceeding puzzle has been previously presented and solved in the preceeding
IKE_SA_INIT exchange. IKE_SA_INIT exchange.
<-- HDR, SA, KE, Nr, N(PUZZLE), [V+][N+] <-- HDR, SA, KE, Nr, N(PUZZLE), [V+][N+]
8.2.1.1. Selecting Puzzle Difficulty Level 8.2.1.1. Selecting Puzzle Difficulty Level
The difficulty level of the puzzle in IKE_AUTH should be chosen so, The difficulty level of the puzzle in IKE_AUTH should be chosen so,
that the initiator would spend more time to solve the puzzle, than that the initiator would spend more time to solve the puzzle, than
the responder to compute Diffie-Hellman shared secret and the keys, the responder to compute Diffie-Hellman shared secret and the keys,
needed to decrypt and verify IKE_AUTH message. On the other hand, needed to decrypt and verify the IKE_AUTH request message. On the
the difficulty level should not be too high, otherwise the legitimate other hand, the difficulty level should not be too high, otherwise
clients would experience additional delay while establishing IKE SA. the legitimate clients would experience additional delay while
establishing IKE SA.
Note, that since puzzles in the IKE_AUTH exchange are only allowed to Note, that since puzzles in the IKE_AUTH exchange are only allowed to
be used if they were used in the preceeding IKE_SA_INIT exchange, the be used if they were used in the preceeding IKE_SA_INIT exchange, the
responder would be able to estimate the computing power of the responder would be able to estimate the computing power of the
initiator and to select the difficulty level accordingly. Unlike initiator and to select the difficulty level accordingly. Unlike
puzzles in IKE_SA_INIT, the requested difficulty level for IKE_AUTH puzzles in IKE_SA_INIT, the requested difficulty level for IKE_AUTH
puzzles MUST NOT be zero. In other words, the responder must always puzzles MUST NOT be zero. In other words, the responder must always
set specific difficulty level and must not let the initiator to set specific difficulty level and must not let the initiator to
choose it on its own. choose it on its own.
skipping to change at page 20, line 21 skipping to change at page 20, line 21
puzzle is solved the initiator sends the IKE_AUTH request message, puzzle is solved the initiator sends the IKE_AUTH request message,
containing the Puzzle Solution payload. containing the Puzzle Solution payload.
HDR, PS, SK {IDi, [CERT,] [CERTREQ,] HDR, PS, SK {IDi, [CERT,] [CERTREQ,]
[IDr,] AUTH, SA, TSi, TSr} --> [IDr,] AUTH, SA, TSi, TSr} -->
The Puzzle Solution payload is placed outside the Encrypted payload, The Puzzle Solution payload is placed outside the Encrypted payload,
so that the responder would be able to verify the puzzle before so that the responder would be able to verify the puzzle before
calculating the Diffie-Hellman shared secret and the SK_* keys. calculating the Diffie-Hellman shared secret and the SK_* keys.
If IKE Fragmentation is used, then the PS payload MUST be present If IKE Fragmentation [RFC7383] is used in IKE_AUTH exchange, then the
only in the first IKE Fragment message, in accordance with the PS payload MUST be present only in the first IKE Fragment message, in
Section 2.5.3 of [RFC7383]. Note, that calculation of the puzzle in accordance with the Section 2.5.3 of RFC7383. Note, that calculation
the IKE_AUTH exchange doesn't depend on the content of the IKE_AUTH of the puzzle in the IKE_AUTH exchange doesn't depend on the content
message (see Section 8.2.2.1). Thus the responder has to solve the of the IKE_AUTH message (see Section 8.2.2.1). Thus the responder
puzzle only once and the solution is valid for both unfragmented and has to solve the puzzle only once and the solution is valid for both
fragmented IKE messages. unfragmented and fragmented IKE messages.
8.2.2.1. Computing Puzzle 8.2.2.1. Computing Puzzle
The puzzle in the IKE_AUTH exchange is computed differently, than in The puzzle in the IKE_AUTH exchange is computed differently, than in
the IKE_SA_INIT exchange (see Section 8.1.2.1). The general the IKE_SA_INIT exchange (see Section 8.1.2.1). The general
principle is the same, the difference is in constructing of the principle is the same, the difference is in constructing of the
string S. Unlike the IKE_SA_INIT exchange, where S is the cookie, in string S. Unlike the IKE_SA_INIT exchange, where S is the cookie, in
the IKE_AUTH exchange S is a concatenation of Nr and SPIr. In other the IKE_AUTH exchange S is a concatenation of Nr and SPIr. In other
words, the task for IKE initiator is to find the key K for the agreed words, the task for IKE initiator is to find the key K for the agreed
upon PRF such that the result of PRF(K,Nr | SPIr) has sufficient upon PRF such that the result of PRF(K,Nr | SPIr) has sufficient
skipping to change at page 20, line 52 skipping to change at page 20, line 52
8.2.3. Receiving Puzzle Solution 8.2.3. Receiving Puzzle Solution
If the responder requested the initiator to solve puzzle in the If the responder requested the initiator to solve puzzle in the
IKE_AUTH exchange, then it SHOULD silently discard all the IKE_AUTH IKE_AUTH exchange, then it SHOULD silently discard all the IKE_AUTH
request messages without the Puzzle Solution payload. request messages without the Puzzle Solution payload.
Once the message containing solution for the puzzle is received the Once the message containing solution for the puzzle is received the
responder SHOULD verify the solution before performing computationly responder SHOULD verify the solution before performing computationly
intensive operations - computing the Diffie-Hellman shared secret and intensive operations - computing the Diffie-Hellman shared secret and
the SK_* keys. The responder MUST silently discard the received the SK_* keys. The responder MUST silently discard the received
message if the puzzle solution is not correct. If the puzzle is message if the puzzle solution is not correct (has insufficient
successfully verified and the SK_* key are calculated, but the number of trailing zero bits). If the puzzle is successfully
message authenticity check fails, the responder SHOULD save the verified and the SK_* key are calculated, but the message
calculated keys in the IKE SA state while waiting for the authenticity check fails, the responder SHOULD save the calculated
retransmissions from the initiator. In this case the responder may keys in the IKE SA state while waiting for the retransmissions from
skip verification of the puzzle solution and ignore the Puzzle the initiator. In this case the responder may skip verification of
Solution payload in the retransmitted messages. the puzzle solution and ignore the Puzzle Solution payload in the
retransmitted messages.
If the initiator uses IKE Fragmentation, then it is possible, that If the initiator uses IKE Fragmentation, then it is possible, that
due to packets loss and/or reordering the responder would receive due to packets loss and/or reordering the responder would receive
non-first IKE Fragment messages before receiving the first one, non-first IKE Fragment messages before receiving the first one,
containing the PS payload. In this case the responder MAY choose to containing the PS payload. In this case the responder MAY choose to
keep the received fragments until the first fragment containing the keep the received fragments until the first fragment containing the
solution to the puzzle is received. However in this case the solution to the puzzle is received. However in this case the
responder SHOULD NOT try to verify authenticity (that would require responder SHOULD NOT try to verify authenticity of the kept fragments
the calculation of the SK_* keys) untill the first fragment with the untill the first fragment with the PS payload is received and the
PS payload is received and the solution to the puzzle is verified. solution to the puzzle is verified. After successful verification of
After successful verification of the puzzle the responder would the puzzle the responder would calculate the SK_* key and verify
calculate the SK_* key and verify authenticity of the collected authenticity of the collected fragments.
fragments.
9. DoS Protection after IKE SA is created 9. DoS Protection after IKE SA is created
Once IKE SA is created there is usually no much traffic over it. In Once IKE SA is created there is usually no much traffic over it. In
most cases this traffic consists of exchanges aimed to create most cases this traffic consists of exchanges aimed to create
additional Child SAs, rekey or delete them and check the liveness of additional Child SAs, rekey or delete them and check the liveness of
the peer. With a typical setup and typical Child SA lifetimes there the peer. With a typical setup and typical Child SA lifetimes there
must be no more than a few such exchanges in a minute, often less. must be no more than a few such exchanges in a minute, often less.
Some of these exchanges require relatively little resources (like Some of these exchanges require relatively little resources (like
liveness check), while others may be resourse consuming (like liveness check), while others may be resource consuming (like
creating or rekeying Child SA with Diffie-Hellman exchange). creating or rekeying Child SA with Diffie-Hellman exchange).
Since any endpoint can initiate new exchange, there is a possibility Since any endpoint can initiate new exchange, there is a possibility
that a peer would initiate too many exchanges, that could exhaust that a peer would initiate too many exchanges, that could exhaust
host resources. For example the peer can perform endless continuous host resources. For example the peer can perform endless continuous
Child SA rekeying or create overwhelming number of Child SAs with the Child SA rekeying or create overwhelming number of Child SAs with the
same Traffic Selectors etc. Such behaviour may be caused by buggy same Traffic Selectors etc. Such behaviour may be caused by buggy
implementation, misconfiguration or be intentional. The latter implementation, misconfiguration or be intentional. The latter
becomes more real threat if the peer uses NULL Authentication, becomes more real threat if the peer uses NULL Authentication,
described in [NULL-AUTH]. In this case the peer remains anonymous, described in [NULL-AUTH]. In this case the peer remains anonymous,
skipping to change at page 23, line 21 skipping to change at page 23, line 21
o PRF (2 octets) - Transform ID of the PRF algorithm that must be o PRF (2 octets) - Transform ID of the PRF algorithm that must be
used to solve the puzzle. Readers should refer to the section used to solve the puzzle. Readers should refer to the section
"Transform Type 2 - Pseudo-random Function Transform IDs" in "Transform Type 2 - Pseudo-random Function Transform IDs" in
[IKEV2-IANA] for the list of possible values. [IKEV2-IANA] for the list of possible values.
o Difficulty (1 octet) - Difficulty Level of the puzzle. Specifies o Difficulty (1 octet) - Difficulty Level of the puzzle. Specifies
minimum number of trailing zero bit, that the result of PRF must minimum number of trailing zero bit, that the result of PRF must
contain. Value 0 means that the responder doesn't request any contain. Value 0 means that the responder doesn't request any
specific difficulty level and the initiator is free to select specific difficulty level and the initiator is free to select
appropriate difficulty level of its own. appropriate difficulty level of its own (see Section 8.1.1.1 for
details).
This notification contains no data. This notification contains no data.
10.2. Puzzle Solution Payload 10.2. Puzzle Solution Payload
The solution to the puzzle is returned back to the responder in a The solution to the puzzle is returned back to the responder in a
dedicated payload, called Puzzle Solution payload and denoted as PS dedicated payload, called Puzzle Solution payload and denoted as PS
in this document. in this document.
1 2 3 1 2 3
skipping to change at page 24, line 51 skipping to change at page 24, line 51
[RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange [RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange
Protocol Version 2 (IKEv2) Session Resumption", RFC 5723, Protocol Version 2 (IKEv2) Session Resumption", RFC 5723,
January 2010. January 2010.
[bitcoins] [bitcoins]
Nakamoto, S., "Bitcoin: A Peer-to-Peer Electronic Cash Nakamoto, S., "Bitcoin: A Peer-to-Peer Electronic Cash
System", October 2008, <https://bitcoin.org/bitcoin.pdf>. System", October 2008, <https://bitcoin.org/bitcoin.pdf>.
[ALG-AGILITY] [ALG-AGILITY]
Housley, R., "Guidelines for Cryptographic Algorithm Housley, R., "Guidelines for Cryptographic Algorithm
Agility", draft-iab-crypto-alg-agility-02 (work in Agility", draft-iab-crypto-alg-agility-05 (work in
progress), December 2014. progress), December 2014.
[NULL-AUTH] [NULL-AUTH]
Smyslov, V. and P. Wouters, "The NULL Authentication Smyslov, V. and P. Wouters, "The NULL Authentication
Method in IKEv2 Protocol", draft-ietf-ipsecme-ikev2-null- Method in IKEv2 Protocol", draft-ietf-ipsecme-ikev2-null-
auth-02 (work in progress), January 2015. auth-07 (work in progress), January 2015.
Authors' Addresses Authors' Addresses
Yoav Nir Yoav Nir
Check Point Software Technologies Ltd. Check Point Software Technologies Ltd.
5 Hasolelim st. 5 Hasolelim st.
Tel Aviv 6789735 Tel Aviv 6789735
Israel Israel
EMail: ynir.ietf@gmail.com EMail: ynir.ietf@gmail.com
 End of changes. 32 change blocks. 
84 lines changed or deleted 78 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/