Re: [IPsec] IKEv1 retransmits - was Re: WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-18 Thread Valery Smyslov

Hi Paul,


On Wed, 16 Mar 2016, Michael Richardson wrote:

Tero Kivinen  wrote:
   > What we could say in the DDoS draft is to add saying that IKEv1
   > protocol is obsoleted, and will be common avenue for the DDoS attacks,
   > and because of that it MUST be disabled.

   > Or perhaps we need the IKEv1 considered harmful draft /
   > ikev1-diediediediedie...

Yes, I would say so.

I'd even suggest that maybe it needs a CVE against products that have IKEv1
turned on by default.


No, because it is perfectly possible to implement IKEv1 without this
problem. Libreswan is moving towards that, see:

https://lists.libreswan.org/pipermail/swan-dev/2016-March/001394.html


Making only the initiator be responsible for retransmissions is possible
in the IKEv1 Main Mode. However, it is impossible in Aggressive Mode
(and in Quick Mode too, although it is irrelevant here).

The problem is that the last message comes from the initiator, and if this
message got lost, the initiator never knows about it unless the responder
retransmits the response to the very first message from the initiator.
It's an inherent feature of IKEv1 caused by the odd number of messages in
these exchanges. It can't be solved.

And besides the possibility of an amplification attack, IKEv1 has so many
problems that the only reason it is still used is maintaining
interoperability with older products.

Regards,
Valery.
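A small model of the parity argument above, added here as illustration (example code, not from the thread or from any IKE implementation): it tracks only message count and direction, not IKEv1 payloads, and generalises to an exchange of any length, so Main Mode, Aggressive Mode and Quick Mode can be compared under an initiator-only retransmission policy.

```python
"""Who must retransmit to recover a lost IKEv1 message?

Model only: an exchange is a fixed number of messages alternating between
initiator (I) and responder (R).  With only the initiator retransmitting,
an even-length exchange (Main Mode) recovers from any single loss, while
an odd-length one (Aggressive Mode, Quick Mode) cannot recover from loss
of its last message unless the responder keeps a retransmission timer.
"""

MAIN_MODE = 6        # messages alternate I, R, I, R, I, R
AGGRESSIVE_MODE = 3  # messages alternate I, R, I
QUICK_MODE = 3       # messages alternate I, R, I


def sender(n):
    """Message n (1-based) is sent by the initiator when odd, responder when even."""
    return "I" if n % 2 else "R"


def recovers(total, lost, responder_retransmits=False):
    """True if an exchange of `total` messages completes after message `lost`
    is dropped once.  Rules of the model: a side still waiting for a reply
    retransmits its last message on timeout (the responder only if allowed),
    and a retransmitted request is answered again."""
    if not 1 <= lost <= total:
        raise ValueError("message number out of range")
    if sender(lost) == "R":
        # The initiator is still waiting for this reply: it retransmits its
        # previous message and the responder answers again.
        return True
    if lost < total:
        # Sent by the initiator, which is still waiting for a reply: it retransmits.
        return True
    # Last message, sent by the initiator: the initiator believes it is done
    # and waits for nothing.  Only the responder can notice, by retransmitting
    # its own last message (the costly behaviour an amplification attack relies on).
    return responder_retransmits


def losses_needing_responder_timer(total):
    """Messages whose loss initiator-only retransmission cannot repair."""
    return [m for m in range(1, total + 1) if not recovers(total, m)]


if __name__ == "__main__":
    for name, n in (("Main Mode", MAIN_MODE), ("Aggressive Mode", AGGRESSIVE_MODE),
                    ("Quick Mode", QUICK_MODE)):
        print(f"{name:16} ({n} messages): responder timer needed for loss of "
              f"{losses_needing_responder_timer(n) or 'nothing'}")
```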
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-18 Thread Graham Bartlett (grbartle)
Hi

Updated proposal attached.

I've made some amendments to the proposed text based on Valery's comments.

I¹ve also added text around the correct sending of INFORMATIONAL messages
due to a Responder receiving an SA_INIT, this is a known problem today
with a number of implementations. (seen by Tero and myself).

I have also moved text to section 11. Security Consideration.

I've added some words around the checking of the IDi/IDr. I've personally
seen some issues when misconfigured clients have presented an identical
IDi, resulting in INITIAL_CONTACT deleting the 'other' client's SA.

I did think about exhaustion of IP addresses when using configuration
payload to allocate clients IPs, if a malicious or misconfigured client
could exhaust the pool. But I feel the wording in section 8 covers this.
Unless others think otherwise?

cheers

On 16/03/2016 14:21, "IPsec on behalf of Waltermire, David A. (Fed)"
 wrote:

>This is just a friendly reminder that the WGLC on
>draft-ietf-ipsecme-ddos-protection-04.txt ends on March 18th, 2016.
>
>The list discussion has been good on the draft. Thank you to everyone
>that commented so far.
>
>If you have any additional comments, please send them to the list by the
>end of the day UTC on Friday.
>
>Thanks,
>Dave
>
>> -Original Message-
>> From: Waltermire, David A. (Fed)
>> Sent: Tuesday, March 01, 2016 10:34 AM
>> To: IPsecME WG 
>> Subject: WGLC on draft-ietf-ipsecme-ddos-protection-04
>> 
>> All:
>> 
>> With the draft-ietf-ipsecme-ddos-protection-04 freshly minted, I
>> believe the draft is shaping up nicely, but needs additional review.
>> To that end, this message starts a Working Group Last Call (WGLC) for
>> draft-ietf-ipsecme-ddos-protection-04.
>> 
>> The version to be reviewed is
>> https://tools.ietf.org/id/draft-ietf-ipsecme-ddos-protection-04.txt.
>> 
>> Please send your comments, questions, and edit proposals to the WG mail
>> list until March 18, 2015.  If you believe that the document is ready
>> to be submitted to the IESG for consideration as a Standards Track RFC
>> please send a short message stating this.
>> 
>> Best Regards,
>> Dave
>
>___
>IPsec mailing list
>IPsec@ietf.org
>https://www.ietf.org/mailman/listinfo/ipsec



IPSecME Working Group                                            Y. Nir
Internet-Draft                                              Check Point
Intended status: Standards Track                             V. Smyslov
Expires: September 9, 2016                                   ELVIS-PLUS
                                                            G. Bartlett
                                                          Cisco Systems
                                                          March 8, 2016


      Protecting Internet Key Exchange Protocol version 2 (IKEv2)
       Implementations from Distributed Denial of Service Attacks
               draft-ietf-ipsecme-ddos-protection-05

Abstract

   This document recommends implementation and configuration best
   practices for Internet Key Exchange Protocol version 2 (IKEv2)
   Responders, to allow them to resist Denial of Service and Distributed
   Denial of Service attacks.  Additionally, the document introduces a
   new mechanism called "Client Puzzles" that help accomplish this task.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 9, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
 


Nir & Smyslov & BartlettExpires September 9, 2016   [Page 1]

Internet-Draft DDoS Protection for IKEv2  March 2016


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04

2016-03-18 Thread Yoav Nir

> On 16 Mar 2016, at 2:27 PM, Paul Wouters  wrote:
> 
> 
>> 
>> Or perhaps we need the IKEv1 considered harmful draft /
>> ikev1-diediediediedie... 
> 
> I don't think that will help. I've seen how reluctant people are to change 
> their 10 year old working VPN. 
> 
> IKEv1 is dying pretty quickly now, thanks to mobile phones.

Really?  Granted, it’s been a couple of years since I’ve checked the VPN 
capabilities of an iPhone, but I remember it having L2TP (using IKEv1) and 
XAuth (A Cisco extension to IKEv1). We have some people from Apple in the 
working group who are talking about IKEv2 on the phone, but I don’t think 
they’re removing the support for L2TP or XAuth.

Android IIRC also has the L2TP with IKEv1. Not sure what else.

Windows Mobile?  You can add your own, or you have the usual Windows PPTP, L2TP 
(again with IKEv1) and IKEv2.

Who’s killing IKEv1?

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec