Document: draft-tiloca-tls-dos-handshake-00.txt I'm trying to understand the threat model and operating model this is designed for. Let's start with the threat model. The anti-DoS mechanisms in DTLS are specifically oriented towards attackers who are not on-path, because on-path attackers can, as you say, obtain the HRR/HVR.
You say: DTLS 1.2 as well as both TLS 1.3 and DTLS 1.3 provide the optional Cookie exchange as possible solution to mitigate this Denial of Service attack. While this makes the attack more complicated to mount, a well determined and resourceful adversary able to spoof valid IP addresses can still successfully perform it, by intercepting the possible server response including the Cookie and then echoing it in the second ClientHello. This is particularly doable in case the handshake is not based on Pre-Shared Key exchange modes. I take from this that your assumed threat model is an attacker who is minimally a man-on-the-side (i.e., able to read traffic and inject his own but not block) and maximally a full active attacker able to block data. Is that correct? Depending on the specific protocol version and the key establishment mode used in the handshake, the attack impact can range from single replies triggered by invalid ClientHello messages, to the server performing advanced handshake steps with consequent setup of invalid half-open sessions. Especially if performed in a large-scale and distributed manner, this attack can thwart performance and service availability of (D)TLS servers. Moreover, it can be particularly effective in application scenarios where servers are resource- constrained devices running DTLS over low-power, low bandwidth and lossy networks. It seems like the attack you are considering is one in which the attacker generates DTLS handshakes and then forces the DTLS server to either perform computations or hold state open (e.g., by doing a handshake or a partial handshake and then stopping) Is that correct? Assuming I am correct, the design you describe here seems much more complicated than necessary [0]. Consider the simpler design: - The client contacts the TA - TA generates a new value C = HMAC(k_M, N) and sends that to the client - the client inserts C in the ClientHello. The major downside is that this allows an on-path attacker to steal C and put it in their own CH, but so what? The attacker is still rate limited by the number of valid clients, and (at least) a fully active attacker doesn't need to substitute their own handshake messages for the valid clients because they can force the server to perform computations by playing the client messages and leave the server in a half-open state by blocking some client messages. I suppose you could argue that they could negotiate cipher suites that are more expensive to the server, but that seems like a fairly weak attack. Just to touch briefly on resumption: why do you need this mechanism at all for that? The client and server already have an assocation so the server knows that it has a valid client without any new assertion from the TA. -Ekr [0] It also, won't work. In particular, having the client send a MAC over the CH leads to having to zero out portions of the CH, which is going to create implementation problems in two ways. First, it creates a circular dependency with the TLS 1.3 PSK binder, so you'll need to have an exception there. Second, the zero-ing out trick you use is actually quite annoying to implement in many TLS stacks (it would be so in NSS). On Sat, Jul 8, 2017 at 4:10 AM, Marco Tiloca <[email protected]> wrote: > Dear all, > > FYI, we have recently submitted a new draft proposing an extension for > (D)TLS 1.2/1.3. > > The solution described in the draft addresses Denial of Service attacks > against the handshake protocol, allowing servers to promptly abort invalid > session set ups. > > Feedback and comments are of course very welcome. Thanks a lot! > > Best regards, > /Marco > > -------- Forwarded Message -------- > Subject: New Version Notification for draft-tiloca-tls-dos- > handshake-00.txt > Date: Wed, 28 Jun 2017 07:40:45 -0700 > From: [email protected] > To: Marco Tiloca <[email protected]> <[email protected]>, Ludwig Seitz > <[email protected]> <[email protected]>, Maarten Hoeve > <[email protected]> <[email protected]> > > A new version of I-D, draft-tiloca-tls-dos-handshake-00.txt > has been successfully submitted by Marco Tiloca and posted to the > IETF repository. > > Name: draft-tiloca-tls-dos-handshake > Revision: 00 > Title: Extension for protecting (D)TLS handshakes against > Denial of Service > Document date: 2017-06-28 > Group: Individual Submission > Pages: 12 > URL: > https://www.ietf.org/internet-drafts/draft-tiloca-tls-dos-handshake-00.txt > Status: > https://datatracker.ietf.org/doc/draft-tiloca-tls-dos-handshake/ > Htmlized: https://tools.ietf.org/html/draft-tiloca-tls-dos-handshake-00 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-tiloca-tls-dos-handshake-00 > > > Abstract: > This document describes an extension for TLS and DTLS to protect the > server from Denial of Service attacks against the handshake protocol. > The extension includes a Message Authentication Code (MAC) over the > ClientHello message, computed by the Client through key material > obtained from a Trust Anchor entity. The server registered at the > Trust Anchor derives the same key material and checks the MAC to > determine whether continuing or aborting the handshake. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > _______________________________________________ > TLS mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tls > >
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
