[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Should CPE allow all IPsec through? Was: Re: CPEs

To: Fred Baker <fred@cisco.com>
Subject: Re: Should CPE allow all IPsec through? Was: Re: CPEs
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 9 Jan 2008 11:58:00 +0100
Cc: IPv6 Operations <v6ops@ops.ietf.org>
In-reply-to: <40FA46EC-70B4-42F7-BB45-6B7EAB564293@cisco.com>
References: <58BFC685-DA33-418A-A37A-9075509987D4@muada.com> <1AB21F94DA6EEF459F10770655443339221789E421@G5W0274.americas.hpqcorp.net> <A2C0EB1B-2180-400B-A62E-6A5457156097@muada.com> <40FA46EC-70B4-42F7-BB45-6B7EAB564293@cisco.com>

On 9 jan 2008, at 2:07, Fred Baker wrote:

It seems to me that there is an excellent attack in this. If I knowthat a given address (perhaps found in the envelope of an email Ihave observed) is populated and attempt to open an IPsec session, Iconsume some amount of computing resource. If I do that a lot, I canconsume a large quantity of computing resource. I can obviously alsoconsume other resources including bandwidth of various kinds.

Bandwidth is not an issue: under normal circumstances, the bandwidthbetween the ISP and the CPE is the bottleneck, so filtering by the CPEdoesn't help against an attacker trying to fill up the availablebandwidth.

I suppose it's possible that an attacker gets to use up CPU resourceson the receiving system, but only if that system has an IPsecimplementation that doesn't have any protection against that. Thereare two types of IPsec packets (well, three really): the UDP port 500IKE/ISAKMP protocol for setting up security associations and the datapackets that are signed and/or encrypted (ESP or AH). If there hasbeen no SA negotation and no SAs have been created through some othermechanism, the SPI in the ESP or AH packets won't match existing stateso the packets will be rejected without much work on the receiver'spart. So the only avenue of attack is IKE/ISAKMP. I'm not intimatelyfamiliar with that, but it seems to me that a non-server host wouldknow who it wants to communicate with in advance, and reject any SAestablishment attempts from entities that present identities thatdon't match those that are expected.

The spam analogy doesn't apply here for several reasons. First of all,spam goes to servers. If you are sitting at a random IPv6 address, thechances of a spammer contacting you to deliver spam are incrediblytiny. (I don't even think they bother to scan the IPv4 address spacefor places to deliver spam.) Apart from that, the reason that spamexists is that it gets seen by people and leads to separation of auser from his money in one way or another in a small percentage of allcases. Spurious IPsec packets don't do that.

The reason to not want IPsec to go through stateful firewalls can beeither:

1. DoS risks
2. Penetration risks

I can't definitively say that those two risks round down to zero, butI am fairly confident that if there is a single protocol that we canallow through safely, IPsec is that protocol. It would be helpful tohear from IPsec experts and vendors of OSes with IPsec, though.

References:
- CPEs
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- RE: CPEs
  - From: "Bound, Jim" <Jim.Bound@hp.com>
- Should CPE allow all IPsec through? Was: Re: CPEs
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Should CPE allow all IPsec through? Was: Re: CPEs
  - From: Fred Baker <fred@cisco.com>

Prev by Date: Re: Should CPE allow all IPsec through? Was: Re: CPEs
Next by Date: RE: CPEs
Previous by thread: Re: Should CPE allow all IPsec through? Was: Re: CPEs
Next by thread: Re: CPEs
Index(es):
- Date
- Thread