"last call" on SIMPLE-XMPP interworking I-D

On Wed Jul 19 16:54:32 2006, Peter Saint-Andre wrote:
> Dave Cridland wrote:
> > I suspect that the simplest method is to recommend
restricting 
> access to
> > the XMPP side of the XMPP/SIMPLE gateway to a
single XMPP domain, 
> and
> > recommending that sensible limits should be put on
the number of 
> users
> > allowed to connect to a server from the same
address.
> > > This, I think, forces such an attack to be
done by the attacker 
> finding
> > a bunch of zombie machines creating the users on
the XMPP domain 
> (if
> > possible), and performing the subscription. The
thing is, why on 
> earth
> > would you bother when you could just flood the SIP
presence server
> > directly with your zombie army?
> 
> Because, according to Adam, the mismatch between SIP
presence
> subscriptions (short-lived) and XMPP presence
subscriptions 
> (long-lived)
> means that the attacker can save some bytes by
attacking from the 
> XMPP
> side of the wormhole rather than from the SIP side,
thus presumably
> making the attack less expensive in terms of bandwidth
and 
> processor.

Yes.

Now re-read the paragraphs I've quoted of my own again,
this time 
together as opposed to in isolation.

A traditional "Jabber transport" would allow
gatewaying through it 
from any Jid. If instead the XMPP/SIMPLE transport only
allows 
gatewaying through it from its local XMPP domain, then in
order to 
mount the attack, the attacker has to obtain several
thousand 
accounts on that server.

Now, this ought to be very easily detectable - a sudden
surge of 
thousands of account creations is bound to raise some
eyebrows, and 
if the accounts aren't created via JEP-0077, but via an
"email the 
password" style mechanism, this is going to be
considerably harder to 
manage. It'd be virtually impossible to do this anyway on a
single 
machine - you'd need perhaps one machine for every five
accounts 
within your control to hope not to be noticed or hit some
limits. 
That's logistically quite a tall order, no matter how many
zombies 
there are these days.

Also, it means that in order to create the XMPP sessions,
register 
the user, and so on, it's going to cost the attacker
considerably 
more before the amplification attack starts to kick in - and
since 
you require such a huge zombie army to mount the attack
anyway, you 
might as well attack directly.

But, if you can write yourself a few servers, instead of
clients, to 
do this work, you need far fewer zombie machines, and much
less 
resource, since you can more or less setup a dummy s2s and
start 
spewing presence stanzas about. That's why I'm proposing
that a large 
part of the solution - without crippling XMPP in the process
- ought 
to involve prevention of this method.

Of course, you could combine both Adam's proposal and this
- only 
remote clients get the spurious <iq> hacks.

Dave.
-- 
Dave Cridland - mailto:davecridland.net - xmpp:dwdjabber.org
  -
acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

_______________________________________________
Simple mailing list
Simpleietf.org
https:/
/www1.ietf.org/mailman/listinfo/simple

Dave Cridland wrote:
> A traditional "Jabber transport" would
allow gatewaying through it 
> from any Jid. If instead the XMPP/SIMPLE transport only
allows 
> gatewaying through it from its local XMPP domain, then
in order to 
> mount the attack, the attacker has to obtain several
thousand accounts 
> on that server.

As far as I can tell, this solves the problem; however, I
think it 
breaks the solution for most deployments as well. I foresee
these 
gateways being deployed primarily by enterprises who are
using one 
system (SIMPLE or XMPP) so that their users can communicate
with 
enterprises using the other. Limiting interworking to local
users makes 
such use impossible.

> Of course, you could combine both Adam's proposal and
this - only 
> remote clients get the spurious <iq> hacks.

This sounds like a reasonable balance. I think you could
extend it 
further and assert that the <iq/> exchanges are
required *except* for 
servers on a "known good" list provisioned by
the gateway administrator.

/a

_______________________________________________
Simple mailing list
Simpleietf.org
https:/
/www1.ietf.org/mailman/listinfo/simple

On Wed Jul 19 20:48:25 2006, Adam Roach wrote:
> Dave Cridland wrote:
>> A traditional "Jabber transport" would
allow gatewaying through it 
>> from any Jid. If instead the XMPP/SIMPLE transport
only allows 
>> gatewaying through it from its local XMPP domain,
then in order to 
>> mount the attack, the attacker has to obtain
several thousand 
>> accounts on that server.
> 
> As far as I can tell, this solves the problem; however,
I think it 
> breaks the solution for most deployments as well. I
foresee these 
> gateways being deployed primarily by enterprises who
are using one 
> system (SIMPLE or XMPP) so that their users can
communicate with 
> enterprises using the other. Limiting interworking to
local users 
> makes such use impossible.
> 
> 
Ah... I'm just limiting XMPP usage to local XMPP users. Any
SIMPLE 
user can use the gateway.

So for enterprises using XMPP "natively", they
would need to run an 
XMPP/SIMPLE gateway (or be on the known good list of
another, to 
borrow your suggestion below, but I think in practise
they'll want 
their own).

SIMPLE enterprises don't have to run a gateway, although
they may 
wish to if they want to ensure they have access to one.


>> Of course, you could combine both Adam's proposal
and this - only 
>> remote clients get the spurious <iq> hacks.
> 
> This sounds like a reasonable balance. I think you
could extend it 
> further and assert that the <iq/> exchanges are
required *except* 
> for servers on a "known good" list
provisioned by the gateway 
> administrator.

Yes, true.

Dave.
-- 
Dave Cridland - mailto:davecridland.net - xmpp:dwdjabber.org
  -
acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

_______________________________________________
Simple mailing list
Simpleietf.org
https:/
/www1.ietf.org/mailman/listinfo/simple

Dave Cridland wrote:
> Ah... I'm just limiting XMPP usage to local XMPP
users. Any SIMPLE 
> user can use the gateway.
>
> So for enterprises using XMPP "natively",
they would need to run an 
> XMPP/SIMPLE gateway (or be on the known good list of
another, to 
> borrow your suggestion below, but I think in practise
they'll want 
> their own).
>
> SIMPLE enterprises don't have to run a gateway,
although they may wish 
> to if they want to ensure they have access to one.

While this is a valid deployment model, it is not the one
supported by 
the name resolution procedures currently in Peter's draft.

/a

_______________________________________________
Simple mailing list
Simpleietf.org
https:/
/www1.ietf.org/mailman/listinfo/simple

My apologies for taking so long to incorporate our
consensus. Comments
at the end.

Dave Cridland wrote:
> On Wed Jul 19 20:48:25 2006, Adam Roach wrote:
>> Dave Cridland wrote:
>>> A traditional "Jabber transport"
would allow gatewaying through it
>>> from any Jid. If instead the XMPP/SIMPLE
transport only allows
>>> gatewaying through it from its local XMPP
domain, then in order to
>>> mount the attack, the attacker has to obtain
several thousand
>>> accounts on that server.
>>
>> As far as I can tell, this solves the problem;
however, I think it
>> breaks the solution for most deployments as well. I
foresee these
>> gateways being deployed primarily by enterprises
who are using one
>> system (SIMPLE or XMPP) so that their users can
communicate with
>> enterprises using the other. Limiting interworking
to local users
>> makes such use impossible.
>>
>>
> Ah... I'm just limiting XMPP usage to local XMPP
users. Any SIMPLE user
> can use the gateway.
> 
> So for enterprises using XMPP "natively",
they would need to run an
> XMPP/SIMPLE gateway (or be on the known good list of
another, to borrow
> your suggestion below, but I think in practise they'll
want their own).
> 
> SIMPLE enterprises don't have to run a gateway,
although they may wish
> to if they want to ensure they have access to one.
> 
> 
>>> Of course, you could combine both Adam's
proposal and this - only
>>> remote clients get the spurious <iq>
hacks.
>>
>> This sounds like a reasonable balance. I think you
could extend it
>> further and assert that the <iq/> exchanges
are required *except* for
>> servers on a "known good" list
provisioned by the gateway administrator.
> 
> Yes, true.

I have just submitted draft-saintandre-xmpp-simple-08 to the
Secretariat
containing the following paragraph in the Security
Considerations:

******

   The mismatch between long-lived XMPP presence
subscriptions and
   short-lived SIP presence subscriptions introduces the
possibility of
   an amplification attack launched from the XMPP network
against a SIP
   presence server.  To help prevent such an attack, access
to an XMPP-
   SIMPLE gateway that is hosted on the XMPP network SHOULD
be
   restricted to XMPP users associated with a single domain
or trust
   realm (e.g., a gateway hosted at simple.example.com
should allow only
   users within the example.com domain to access the
gateway, not users
   within example.org, example.net, or any other domain); if
a SIP
   presence server receives communications through an
XMPP-SIMPLE
   gateway from users who are not associated with a domain
that is so
   related to the hostname of the gateway, it MAY (based on
local
   service provisioning) refuse to service such users or
refuse to
   communicate with the gateway.  Furthermore, whenever an
XMPP-SIMPLE
   gateway seeks to refresh an XMPP user's long-lived
subscription to a
   SIP user's presence, it MUST first send an XMPP
<presence/> stanza of
   type "probe" from the address of the gateway
to the "bare JID"
   (userdomain.tld) of the XMPP user, to which the user's
XMPP server
   MUST respond in accordance with [XMPP-IM]; however, the
administrator
   of an XMPP-SIMPLE gateway MAY (based on local service
provisioning)
   exempt "known good" XMPP servers from this
check (e.g., the XMPP
   server associated with the XMPP-SIMPLE gateway as
described above).

******

I'll post a note to the list when this I-D has been
published, since it
contains several other modifications that address feedback
received on
and off the lists.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www
.jabber.org/people/stpeter.shtml

_______________________________________________
Simple mailing list
Simpleietf.org
https:/
/www1.ietf.org/mailman/listinfo/simple

Any further input on draft-saintandre-xmpp-simple-08?

http://www.ietf.org/internet-drafts/draft
-saintandre-xmpp-simple-08.txt

If not, I'll pursue requesting a standards action regarding
this I-D.

Thanks!

Peter

Peter Saint-Andre wrote:
> My apologies for taking so long to incorporate our
consensus. Comments
> at the end.
> 
> Dave Cridland wrote:
>> On Wed Jul 19 20:48:25 2006, Adam Roach wrote:
>>> Dave Cridland wrote:
>>>> A traditional "Jabber
transport" would allow gatewaying through it
>>>> from any Jid. If instead the XMPP/SIMPLE
transport only allows
>>>> gatewaying through it from its local XMPP
domain, then in order to
>>>> mount the attack, the attacker has to
obtain several thousand
>>>> accounts on that server.
>>> As far as I can tell, this solves the problem;
however, I think it
>>> breaks the solution for most deployments as
well. I foresee these
>>> gateways being deployed primarily by
enterprises who are using one
>>> system (SIMPLE or XMPP) so that their users can
communicate with
>>> enterprises using the other. Limiting
interworking to local users
>>> makes such use impossible.
>>>
>>>
>> Ah... I'm just limiting XMPP usage to local XMPP
users. Any SIMPLE user
>> can use the gateway.
>>
>> So for enterprises using XMPP
"natively", they would need to run an
>> XMPP/SIMPLE gateway (or be on the known good list
of another, to borrow
>> your suggestion below, but I think in practise
they'll want their own).
>>
>> SIMPLE enterprises don't have to run a gateway,
although they may wish
>> to if they want to ensure they have access to one.
>>
>>
>>>> Of course, you could combine both Adam's
proposal and this - only
>>>> remote clients get the spurious <iq>
hacks.
>>> This sounds like a reasonable balance. I think
you could extend it
>>> further and assert that the <iq/>
exchanges are required *except* for
>>> servers on a "known good" list
provisioned by the gateway administrator.
>> Yes, true.
> 
> I have just submitted draft-saintandre-xmpp-simple-08
to the Secretariat
> containing the following paragraph in the Security
Considerations:
> 
> ******
> 
>    The mismatch between long-lived XMPP presence
subscriptions and
>    short-lived SIP presence subscriptions introduces
the possibility of
>    an amplification attack launched from the XMPP
network against a SIP
>    presence server.  To help prevent such an attack,
access to an XMPP-
>    SIMPLE gateway that is hosted on the XMPP network
SHOULD be
>    restricted to XMPP users associated with a single
domain or trust
>    realm (e.g., a gateway hosted at simple.example.com
should allow only
>    users within the example.com domain to access the
gateway, not users
>    within example.org, example.net, or any other
domain); if a SIP
>    presence server receives communications through an
XMPP-SIMPLE
>    gateway from users who are not associated with a
domain that is so
>    related to the hostname of the gateway, it MAY
(based on local
>    service provisioning) refuse to service such users
or refuse to
>    communicate with the gateway.  Furthermore, whenever
an XMPP-SIMPLE
>    gateway seeks to refresh an XMPP user's long-lived
subscription to a
>    SIP user's presence, it MUST first send an XMPP
<presence/> stanza of
>    type "probe" from the address of the
gateway to the "bare JID"
>    (userdomain.tld) of the XMPP user, to which the
user's XMPP server
>    MUST respond in accordance with [XMPP-IM]; however,
the administrator
>    of an XMPP-SIMPLE gateway MAY (based on local
service provisioning)
>    exempt "known good" XMPP servers from
this check (e.g., the XMPP
>    server associated with the XMPP-SIMPLE gateway as
described above).
> 
> ******
> 
> I'll post a note to the list when this I-D has been
published, since it
> contains several other modifications that address
feedback received on
> and off the lists.
> 
> Peter
> 
> 
_______________________________________________
Simple mailing list
Simpleietf.org
https:/
/www1.ietf.org/mailman/listinfo/simple