[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Hipsec] Comments on hiccups draft

To: hip WG <hipsec at ietf.org>
Subject: [Hipsec] Comments on hiccups draft
From: Tobias Heer <heer at cs.rwth-aachen.de>
Date: Mon, 27 Jul 2009 16:26:05 +0200
Delivered-to: hipsec at core3.amsl.com
List-archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-help: <mailto:hipsec-request@ietf.org?subject=help>
List-id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-post: <mailto:hipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>

Some comments on the hiccups draft. In general I find the approachinteresting and worth pursuing. Below are some questions that mostlyfocus on security:


Conceptual comments and questions:
----------------------------------

Section 3: Existence of the HMAC in the packet:

The hiccups draft states that "[the payload is] protected by aPAYLOAD_HMAC parameter". To me it is unclear how such protection canpossibly work. Since there is no previous handshake there are no keysfor use in the HMAC. Jan explained that the HMAC is merely used as away to create a digest over the packet for making the signature moreefficient. However, if it is only used for creating the digest, Iwonder why it is actually transmitted in the packet because without asecret included in the packet, the digest can easily be calculated andtransmitting the digest in a packet seems to be a unnecessary waste ofspace. Am I missing something here? It would be nice if the draft wasmore precise about the nature and the use of the HMAC.


Section 4.3: Sending R1 if receiver suspects an attack:

I guess that in this case, the receiver drops the data packet and itscontent should be retransmitted (by a higher-layer mechanism?)? Ifyes, this could be mentioned somewhere.


Replay protection:

The draft talks about a immediate replays of DATA packets in thecontext of DoS attacks targeted at ACK signature generation. However,it does not talk about replays after a longer time (e.g. to mess withupper-layer state machines).How can hosts shelter against replays of valid but old hiccupspackets? The sequence number only works from the second packet on andstill complete sequences of HIP DATA packets can be replayed. Cachingpackets or keeping state for every ever-received packet is probablynot feasible. Is there a solution? If not, this should also be statedin the text and the security considerations.


Various sections: DoS resistance:

The draft briefly mentions that the protocol is susceptible to DoSattacks. This statement is rather vague and only mentions the absenceof "half-stateless DoS protection nature of the base exchange" andimmediate replays. However, CPU targeted DoS attacks (verification ofPK-sigantures without a puzzle or working HMAC to shelter againstfloods of HIP DATA packets - not necessarily replays) seem much morerealistic to me than state a space exhaustion attacks. Using HIP DATApacket creates a computational asymmetry between the attacker and thevictim (receiver). This imbalance could be mentioned in a moreexplicit way.



Editorial comments:
-------------------

Section 4.3: "The host MAY responds" -> "The host MAY respond"

Best regards,
Tobias

--

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer

Follow-Ups:
- Re: [Hipsec] Comments on hiccups draft
  - From: Jan Melen

Prev by Date: Re: [Hipsec] WG meeting on Tuesday July 28, 13h00-15h00, room 307 ?
Next by Date: Re: [Hipsec] Comments on the HIP-BONE draft
Previous by thread: [Hipsec] Final agenda for Stockholm
Next by thread: Re: [Hipsec] Comments on hiccups draft
Index(es):
- Date
- Thread