Re: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy
John Mattsson <john.mattsson@ericsson.com> Wed, 09 September 2020 09:36 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8963A11AB; Wed, 9 Sep 2020 02:36:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I2PdUs1N4fXm; Wed, 9 Sep 2020 02:36:36 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2069.outbound.protection.outlook.com [40.107.21.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25A6C3A11A3; Wed, 9 Sep 2020 02:36:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Y9VihJrrCoY/C6DEGM+nsyuWtOnLaUXSNM2qM8QmnQv2Y8YF4sWvYNluCqXF8Sirww7NwLXdTQMkeoFg9+ge6NIKSrbC8HJ9WEBR32dn7aIyi4p9/+9KDMVJ0XkOJnAoj+0pPwUyBHBUS0cKrBShNJ5susIbO9M9hea804QdjP3gk/Z0c9Tod8myRljMAtoSreKfUob08pwXgYD/EnETl6yEW2o/l2hmGo8Y2Pp0NPAlF8RUqtUEjFqCmVS70M40sQhv6kWnaOsW925wGI8V4OvJ53aQykBluQ9nIW4pAS7eWVWWly6MaEC49U5xnbWpAHlRsYceVROKJe1lKL8pIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vEkJS7bs3MsH+aJZS1u3JkeulxYhEhfzDBcF6peB+Pk=; b=aRIXx5eRYAiMnGyyJ7FmyWB7gl51ZKvQ5pr1ajQM9xaj05pTop1JY5/kTerJIyYnnG8hcOJQnZpwhXiN1+DgD0ybBf79RWFx1RLrKJWLDd3EiUVENVKlbs2eS3Uu2BeBK7reZ5N4zEdGVE+dy5YiJmggGmcJZvBmqjHsUl63NGwr9ONr4nI53MZuvnUu0R8BNuCLzesXDDvMmyM9jNmABvbY7NXuLIxi8A92nSCLP938ol3w18vmqf3JihMfS2NAA0O7pOp3HT5kyQKN6wbE8kuvnqnBU1qE3q6l5zO2hVAWplPE5p9TMUxLgzYATYDNoDJpBAfeE3TXfEM+x1ryWw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vEkJS7bs3MsH+aJZS1u3JkeulxYhEhfzDBcF6peB+Pk=; b=BTuGsIJMXS3TpdwbAvmaciq/mpGQXn47WHg6sKO7sQ6uVmoIpdS+ifur/oTsw99YuVx+MLMEW1j4DzwOPYSDsFychTkVIwcZzwrljNwdKMCZVAHqPlv+kQyys28AXzGVz39pZeyKCu+vFOzDSOf6/nDAClj6WudWLxHVvWiL/8Y=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM6PR07MB4711.eurprd07.prod.outlook.com (2603:10a6:20b:18::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.11; Wed, 9 Sep 2020 09:36:31 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::4027:7312:e764:73eb]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::4027:7312:e764:73eb%2]) with mapi id 15.20.3370.015; Wed, 9 Sep 2020 09:36:31 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Olaf Bergmann <bergmann@tzi.org>
CC: "ace@ietf.org" <ace@ietf.org>, "draft-ietf-ace-oauth-authz.all@ietf.org" <draft-ietf-ace-oauth-authz.all@ietf.org>
Thread-Topic: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy
Thread-Index: AQHWhnwA43bpZmaNe02CEHxKiGnz1alf9yjvgAA2ywA=
Date: Wed, 09 Sep 2020 09:36:31 +0000
Message-ID: <C3C52EBE-CD20-4201-9E93-F7FB4D92D77C@ericsson.com>
References: <8CF8DD8C-895F-489D-8D21-FE2048B550EA@ericsson.com> <877dt3l5u1.fsf@wangari>
In-Reply-To: <877dt3l5u1.fsf@wangari>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: tzi.org; dkim=none (message not signed) header.d=none;tzi.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [192.176.1.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 58c411b4-2264-4dc7-83f2-08d854a3d5f2
x-ms-traffictypediagnostic: AM6PR07MB4711:
x-microsoft-antispam-prvs: <AM6PR07MB47116D560FDDFCCFE36FE03389260@AM6PR07MB4711.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 7PzzI/24i27nVRwCQyakdpcRvUGDeMxTjAjoxEKXFzs77bcqeZbCjN2JdLGl1ej22wngpD1eYO0+7kx/GkN/8brkLTrzqBTgyPifu+jNcSXy/CTKCdxJ5Yp5vbPtI/B+c7r42sCqtlHYtbmDPH3NeheOdthhe34TjIInboWZsW5vJirs7nOqJiFhEpl4UzlsCeqgfO95zfpWlzc3JyDbpGkLSqlY17Qe8ByQPVE+F302DipOISVP9EEo+8u9IfBEZtZKD6KV9Oy4PqaUZgRZ7kOvLfWj7CwHVoTDksMSFeo6mlbIz+Ahp+3sQ4LbIrOOddiR1YpBQMUNb/7Iez1NEA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(39860400002)(346002)(366004)(376002)(396003)(83380400001)(6512007)(36756003)(86362001)(8676002)(66574015)(54906003)(6916009)(316002)(8936002)(5660300002)(2906002)(478600001)(186003)(33656002)(26005)(66946007)(64756008)(66446008)(66476007)(2616005)(66556008)(91956017)(6506007)(44832011)(71200400001)(4326008)(53546011)(76116006)(6486002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: yGBOxGRjbQCXam1rJ9kG1nc2vF/w/wxPt9bW89lVnVdVGV20kiU916wDEfYuDYiRKiMdrTOd2YmTc2DdYcaf76X8Kd8GpPoVVujmZooZ56pOYtNAArioceh30F/iV3c5Fw4zxQTAWrzUPGJIo4l+umNAMbD8W33zOw/blbTPXgogMHR/mgzk5tXl/mca7AUSqDTnmNdxm9xwLIK8m8UEZkDs1kPtjao+t3ePu9WZFBue7Rfi6fKPvyGtGByckaPu+WkLSppBF8ltT5JCYH+5TlPDTVpY8+u8ZsqQXqj1jL1dr6jEf2c70KYC109pMQAHcl2VtXgmavZP/tFsI6Otvak8svDpGnicmRJP2PhDHszRWSYkDLFKSywBXohTKAb6P/racZ7bX5Sx6GA5/+nxS4hfoAC+aJvTim6CpyHNvu4oPZIXLzAsARKO1uSUC6E7hyx0tbykUOZcUJQs79jB4ZFcZ9PK60Nq+tthXOSpkNz6V1SmArJfoGqRANV2aOoKHWeVLimD7WXM54j04A61wZHZRhSMv9yHZNF6LkKmusu2yg9TzNMT4YDdsqy6AcD4Tc/xt//LPubmDZ4UcssWILHk0MuigYq5yJPF0L+RD9C+ySiepVJSjHxu8wrGR8My+byAIK2S+Vh215v9+E84/A==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <6E03CCE08992F5448A973ACC26894F6E@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 58c411b4-2264-4dc7-83f2-08d854a3d5f2
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Sep 2020 09:36:31.8208 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pNc4U6ElKaU6FftqkF8Mv7OTNYz86z5tctZ56HF4cIzzHEVLuuKLaz+LyUp+YX3sXmcGgRqbnELTky4aQR3Ad4/5GUg/n0GNte7NMZ+TTCg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB4711
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/D3Zz55NvdPXwiH_o0cIWotuk9yI>
Subject: Re: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 09:36:38 -0000
Hi Olof, Your reasoning does seem to be anchored in the draft. See inline. The current state of the draft is not acceptable. Grüße, John Preuß Mattsson -----Original Message----- From: Olaf Bergmann <bergmann@tzi.org> Date: Wednesday, 9 September 2020 at 10:20 To: John Mattsson <john.mattsson@ericsson.com> Cc: "ace@ietf.org" <ace@ietf.org>, "draft-ietf-ace-oauth-authz.all@ietf.org" <draft-ietf-ace-oauth-authz.all@ietf.org> Subject: Re: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy Hello John, Thank you for condensing this discussion thread. See inline for my reasoning why I think that this issue is less severe than one would expect at first: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> writes: >> Summarizing my thoughts and opinion on this issue. Changing the title >> to highlight the issues better. >> >> As currently specified in draft-ietf-ace-oauth-authz-35, the RS will >> happily send the AS address to any node that asks. This causes two >> problems. >> >> - If C acts on the unauthorized information, this is an attack vector >> for DoS attacks as an attacker on the C-RS path can make C contact a >> chosen node on the Internet. > >The important part here is the "If". A proper client MUST NOT act on >unauthorized information at any time. The workaround is the list of >known AS'es in the draft. (In the current architecture, a client would >not and cannot communicate with an unknown AS anyway as it has no way to >establish a secure communication.) I cannot find anything in the draft stating that “A proper client MUST NOT act on unauthorized information at any time”. This also raises the question why the unauthorized information is needed in the first place. >> - That RS shares the AS address with anybody that asks can be a severe >> privacy problem. If RS is a medical device, the AS address can reveal >> sensitive information. If RS is a blood pressure sensor it could >> e.g. be “AS address = >> coaps://as.hopkinsmedicine.org/kimmel_cancer_center/” > >This is a valid concern. However, I would argue that the Uri-Path in >this URI should not be constructed to reveal this information in the >first place. All discussions so far assumed that the authorization >information endpoint on the AS would be named more descriptively as, >e.g., /autz-info. This could at least mitigate the issue. I don’t find anything in the draft stating that “the Uri-Path in this URI should not be constructed to reveal this information”, or how such a construction would look like. This is not trivial. >> The requirement "the client MUST be able to determine whether an AS >> has the authority to issue access tokens for a certain RS. This can >> for example be done through pre-configured lists, or through an online >> lookup mechanism that in turn also must be secured." indicates that C >> is required to have another mechanism to determine the AS for a >> specific RS and that the unauthorized AS address is completely >> redundant. > >No. This indicates that before contacting an AS (in order to retrieve an >access token for its communication with RS), the client must be sure >that it trusts the AS to provide this access token. This is something >that the client always needs to do, independent of the discovery >mechanism. I don’t find anything in the draft stating that “the client must be sure that it trusts the AS”. The draft states that “It is therefore advisable to provide C with a (possibly hard-coded) list of trustworthy authorization servers”. “Advisable” is not the same as “must”, “trustworthy” is not the same as “trust, and “C trust in AS” is completely different than “whether an AS has the authority to issue access tokens for a certain RS” >> The draft does not discuss the privacy issues of unauthorized AS >> addresses at all and the draft is diminishing the DoS issues by only >> talking about compromised RS and attacking an AS. This indicates that >> none of these issues has been discussed enough. >> >> I currently have a strong opinion that Unauthorized AS address should >> be removed from the specification. > >I still think that due to the lack of a secure discovery mechanism for >authorized AS'es, this mechanism is the best we have. Otherwise, the >specification would leave the reader completely in the dark on how to >guess to which AS the RS has delegated its authorization tasks. (A >natural way would be to include it in /.well-known/core but I fail to >see a difference except for an additional roundtrip in case the client >is not aware a priori that the requested resource is protected.) Your reasoning seems to indicate that the mechanism "the client MUST be able to determine whether an AS has the authority to issue access tokens for a certain RS” is just an imaginary requirement, and not something you believe will be possible in practice. Grüße Olaf
- [Ace] draft-ietf-ace-oauth-authz-35 - unauthorize… John Mattsson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Olaf Bergmann
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… John Mattsson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Stefanie Gerdes
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Olaf Bergmann
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Jim Schaad
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Seitz Ludwig
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Olaf Bergmann
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Stefanie Gerdes
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Stefanie Gerdes
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Stefanie Gerdes
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Michael Richardson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Michael Richardson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Benjamin Kaduk
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Michael Richardson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Seitz Ludwig