But I think we're looking at the wrong problem. Let us look at why we
might need to add puzzles to IKE_AUTH at all. There are two cases:
- The IKE SA is set up by a valid initiator.
- The IKE SA is set up by an attacker.
In the first case, the responder needs to compute SKEYSEED anyway. It
should compute it once and cache it, even if it sees multiple bogus
IKE_AUTH messages sent by attackers. Verifying IKE_AUTH messages is
cheap once SKEYSEED has been computed, because you only need to verify
that the SK integrity protection is valid. The (valid) initiator "pays
the price" once, in the form of an IKE_SA_INIT puzzle.
In the second case, the attacker also pays the price if we have a
puzzle attached to IKE_SA_INIT. And the responder only computes
SKEYSEED once, and caches the result. Since SKEYSEED is known to the
attacker, it can send valid SK payloads, and the responder is forced
to validate the certificate (expensive). So attaching a puzzle to
IKE_AUTH is justified, to make the attacker pay for each certificate
validation.
But this also shows that the IKE_SA_INIT puzzle is sufficient to
counteract the cost of computing SKEYSEED (which is all you need for
reassembly), and when even using fragmentation, this is only done once.
I agree with your analysis. However I'm not sure I agree with conclusion.
IKE_SA_INIT puzzle defends from exhausting responder's
memory, while IKE_AUTH puzzle defends from exhausting CPU power.
My primary concern is distributed DoS attack when attackers
are indistinguishable from legitimate clients. In this case attacker
does pay the price of IKE_SA_INIT puzzle,
but after that it is free to attack responder's CPU by
sending bogus messages or valid messages with bogus content. I agree,
that once SKEYSEED is computed
the bogus messages are easy to detect. However performing DH is
relatively expensive for responder,
while sending bogus message is free for attacker
(once it has paid an "entrance fee"), that makes this
attack attractive. Another option - sending valid messages with bogus
auth content, that will require
responder to do a lot of work. It will require from attacker
to compute SKEYSEED, but the responder would have to spend much more
resources,
so the attack is also attractive. IKE_AUTH puzzle
eliminates the first attack and makes the second expensive for attacker.
IKE_AUTH puzzle is just a "second line of defense".
You are probably right that we can get rid of it
and raise the difficulty level of the "first line",
but I'm not yet sure that we will gain an equal effect.
We are almost in agreement. My understanding is that both the
IKE_SA_INIT and IKE_AUTH puzzles are needed, and each one has a
different goal:
- IKE_SA_INIT puzzle: should counteract the responder's memory cost of
keeping the half-open SA, and its CPU cost in computing DH.
- IKE_AUTH puzzle: should counteract the responder's CPU cost of
validating the AUTH payload.
Thanks,
Yaron
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
