Hello,

let me start a new thread because the "About key tags" is getting out of
hand.

Intro
=====
The so-called KeyTrap CVE has a technical report available here:
https://www.athene-center.de/fileadmin/content/PDF/Keytrap_2401.pdf

TL;DR is:
RFC 4035 section 5.3.3. Checking the Signature
has a MUST loop doing crypto operations over the product of #DNSKEY * #RRSIG
set (for matching key tags), and this can be damn expensive.

Of course we should have listened to RFC 1034 page 35 "limit amount of
work" advice ...

Hardware limits
===============
To put things in perspective, try this command:

    $ openssl speed ecdsap384

On hardware I have it shows ~ 2000 verify operations per second.
This defines an upper bound on number of combinations a resolver can try
per second (and completely waste its CPU budget while doing so).

BIND's approach at the moment
=============================
BIND versions released on 2024-02-13 use a limit of 16 (successful)
validations per message and a limit of 1 allowed validation failure per
message, with no special handling for keytag collisions. I.e. a colliding
key will cause a validation failure which counts towards the fail-budget.

This has already caused breakage on the half-broken domain paste.debian.org
which had half signatures broken & uses a 3-step CNAME chain, but does not
use colliding key tags.

Even these relatively strict limits allow the attacker to eat 1 whole
CPU by doing ~ 2000 / 16 = 125 QPS causing cache misses.

To mitigate this BIND also offloads (depending on version) either
validation work or all of cache miss handling into separate threads.
A sensible thread scheduler in the OS should split the available capacity
among validating & non-validating threads. In our tests it indeed allows
an attacker doing PRSD against a signed zone to cause cache hit QPS to
drop to 1/2 of the pre-attack QPS, but not significantly less than that.

The Question
============
What work limits on RFC 4035 sec. 5.3.3 do you consider sensible?

Feel free to propose your own variables to be used, and don't forget to
include a back-of-envelope example to support your proposal (using say
2000 validations per CPU/second as a base).

--
Petr Špaček
Internet Systems Consortium
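
Added example, not part of the original message and not BIND's code: a simplified cost model of the RFC 4035 sec. 5.3.3 loop that counts verify operations per message with and without a per-message budget, and turns the result into the back-of-envelope QPS figure the message asks for. The `Budget` class, function names and both sample inputs are constructed for illustration; the 2000 verifies/second base and the 16/1 limits are the figures quoted above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Budget:                       # hypothetical per-message work limits
    max_ok: Optional[int] = None    # successful validations allowed (None = unlimited)
    max_fail: Optional[int] = None  # validation failures tolerated (None = unlimited)

def validate_message(rrsets, dnskeys, budget):
    """Count public-key verify operations spent on one message.

    rrsets:  list of RRsets, each a list of RRSIGs as (key_tag, signer_id)
    dnskeys: list of (key_tag, key_id); a verify succeeds iff signer_id == key_id
    """
    ops = ok = fail = 0
    for rrsigs in rrsets:
        secure = False
        for sig_tag, signer in rrsigs:
            for key_tag, key_id in dnskeys:
                if key_tag != sig_tag:
                    continue            # only keys with a matching tag are tried
                ops += 1                # one expensive signature verification
                if signer == key_id:
                    ok, secure = ok + 1, True
                    break
                fail += 1
                if budget.max_fail is not None and fail > budget.max_fail:
                    return ops, "fail-budget exhausted"
            if secure:
                break                   # one good signature is enough for the RRset
        if budget.max_ok is not None and ok >= budget.max_ok:
            return ops, "ok-budget exhausted"
    return ops, "done"

def saturating_qps(verifies_per_sec, ops_per_message):
    """Cache-miss queries per second that consume one whole CPU."""
    return verifies_per_sec / ops_per_message

# Constructed input 1: 30 DNSKEYs sharing one key tag, 20 RRSIGs that never verify.
COLLIDING_KEYS = [(12345, f"key{i}") for i in range(30)]
COLLIDING_MSG = [[(12345, None)] * 20]
# Constructed input 2: 4 RRsets (3 CNAMEs + target), each with one broken and
# one good RRSIG, and no colliding key tags.
ZONE_KEYS = [(1, "zsk1"), (2, "zsk2")]
HALF_BROKEN_MSG = [[(1, None), (2, "zsk2")] for _ in range(4)]

if __name__ == "__main__":
    for name, msg, keys in (("colliding", COLLIDING_MSG, COLLIDING_KEYS),
                            ("half-broken", HALF_BROKEN_MSG, ZONE_KEYS)):
        for b in (Budget(), Budget(16, 1)):
            print(name, b, validate_message(msg, keys, b))
    print(saturating_qps(2000, 16), saturating_qps(2000, 600))
```

In this model the unbudgeted colliding message costs 30 * 20 verifies, while a fail-budget of 1 stops it after the second failure; the same budget also aborts the constructed half-broken zone on its second RRset, even though every RRset carries a good signature.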