-
Notifications
You must be signed in to change notification settings - Fork 368
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DTLS Return Routability Check (RRC) #1006
Comments
I don't plan to mitigate that in the near future. |
I just read the discussion. You seems to not really appreciate this DTLS RRC feature at least for CoAP 😁. I would just know : About 1. I well understand the code ? About 2. If you are agree about adding a warning in builder ? (I can do that) About 4. I didn't think so mush about that but my first impression is that RRC at DTLS level is not a so bad idea, but I'm ok to say it's to soon to talk about implementation. So let's this aside for now. About 3. After reading the discussion and thinking a more about that is. I feel we need more than just a callback.
|
About 1. About 2. About 3. About 4. And just to remind: |
PR #1012 Just wait for mid of next week, if some feedback is given for the reordering and address updates |
About 1. an 2. About 3.
About 4. About getting feedback for tlswg/dtls-conn-id#69, you should maybe point your issue on this thread : http://ietf.10.n7.nabble.com/draft-tschofenig-tls-dtls-rrc-00-DTLS-Return-Routability-Check-RRC-td599108.html ? |
I guess, Hannes is very busy with dtls 1.3 . And FMPOV, I would go for 2.0.0-M16 without PR #1012 . It's not a big thing, if this takes some more days or weeks.
I tried to prepare a android app, which "proofs" the benefits for DTLS1.2 CID.
I'm still very sure, that this is no real issue. Let me try to distinguish between short wake ups, just to send data, and longer wake ups, also to check, it data is send to the device. For the first, there is simply no issue, it's only a ACK/SUCCESS (or nothing). The second would be something as the LWM2M "registration update", and that could be verified with the "echo-request-tag". |
I rethink a little bit about it. But concretely for someone who is using CID with Leshan/Californium, I understand there is nothing to prevent this kind of attack ? Correct ? If we should add something which approach do you advice ? |
There have been many discussions. Let me point to DTLS CID - Issues, a collection of links to statements. That also includes my own major statement on the tls-mail-list:
So, as long as only small messages are sent back, there is no threat.
There is no general threat (see above). Only, if larger messages must be sent back. CoAP may also use draft-ietf-core-echo-request-tag, if implemented, to mitigate that. E.g. the lwm2m register-interface may be protected by such a echo-tag, "only", if the lwm2m server has something to send back (I remember ... :-) ). The current californium/scandium implementation doesn't consider that for now. (Too busy with other stuff, and some months ago, it seems for me to be unclear, what the assumed attack surface is including or not. I simply don't belief, that this is the largest threat. If you control such an heavy on-path-adversary there will be more valuable targets for now, than DTLS CID. Hope, that's changing and DTLS CID gets major technology and "worth to be attacked" :-). )
That's open for me. A RRC on the DTLS 1.2 layer itself will also have its use. We will see, which gets first specified and/or implemented, DTLS-RRC or CoAP-echo-request-tag. One of the pain points is always, that it requires other implementations to support this as well. Otherwise, we will only run some Cali clients on raspberries :-). |
Just to be sure, I understand this correctly : Common use case is :
So in this particular common use case, without RRC or echo-request-tag, I guess, if an "attack" intercept the UPDATE request, spoof the source address. He can amplify traffic. |
First I assume, that the scenario is precisely:
With that, it depends mainly on the factor of that request to the registration update.
Yes, at least in my opinion. A DDoS attack isn't formed by some amplified messages, it requires masses of them. For more, it requires more development time and/or engagement of other parties. |
A very first and experimental implementation is available as feature branch rrc. In order to follow the instruction, a feature-release is required. I hope that could be provided begin of next week. |
There is a new draft-tschofenig-tls-dtls-rrc-00 which comes to complete draft-ietf-tls-dtls-connection-id.
With some recommendations and a new return routability check mechanism.
Reading the code, I think this is what we do currently.
Maybe we can add a warning if the DTLS configuration does not match this requirement.
I think this could make sense even for monitoring, but I'm not sure to see how this could look like 🤔
Maybe a flag in endpointcontext ?
It's a fresh new draft, so I think there is no hurry about implementing this.
(There is an IETF discussion about this)
The text was updated successfully, but these errors were encountered: