Re: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35

John Mattsson <john.mattsson@ericsson.com> Tue, 08 September 2020 08:38 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/GCXfK2rfO1Lo7lL1jweTzz_mEi8>

Hi Stephanie,

Regarding the section that you quoted: "the client MUST be able to determine whether an AS has the authority to issue access tokens for a certain RS. This can for example be done through pre-configured lists, or through an online lookup mechanism that in turn also must be secured."

Assuming C has access to a function M letting it determine whether an AS has the authority to issue access tokens for a certain RS, this would certainly partly mitigate DoS attacks. The attack would be a DoS attack on C and M, but the attacker could not choose M.

The problem is that:
- If C has access to such a function M that can provide a link between AS and RS, the whole mechanism with sending the AS address in an error message seems completely redundant.
- If C does not have access to such a function M, the mechanism with sending an address in a spoofable error message seems like a very dangerous attack vector for DDoS attacks.

The only implementation of M that would make use of an error message would be if the error message contained something like sign(AS, RS), but this is something that is not discussed in the draft.

Cheers,
John
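As an added example (not code from the thread or from the draft), the following Python models the client-side function M the message refers to, in both forms it names: a pre-configured RS-to-AS list, and a constructed sign(AS, RS) binding carried in the error hints. The signature is stood in for by an HMAC under an assumed key that C shares with a trusted party; the hint map keys "AS" and "binding" and all URIs are constructed sample values.

```python
"""Client-side check of an AS address received in an RS error response.

Added example, not from the draft or the thread. It models a client C that
receives an unauthorized response carrying an AS address (the 'AS' hint) and
runs a function M before contacting that AS. Two implementations of M are
shown: a pre-configured RS -> authorized-AS list, and a constructed
sign(AS, RS) check using an HMAC with a key C shares with a trusted party
(a stand-in for a real signature; the draft does not define this).
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample data: which AS may issue tokens for which RS.
PRECONFIGURED_AS: Dict[str, List[str]] = {
    "coaps://rs.example": ["coaps://as.example"],
}

# Constructed key for the sign(AS, RS) variant (assumption: shared between
# C and the party trusted to assert AS/RS bindings).
BINDING_KEY = b"constructed-demo-key"


def make_binding(as_uri: str, rs_uri: str, key: bytes = BINDING_KEY) -> bytes:
    """Stand-in for sign(AS, RS): an HMAC over the AS and RS identities."""
    msg = f"{as_uri}\x00{rs_uri}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def as_authorized_for_rs(rs_uri: str, hint: dict) -> bool:
    """Function M. `hint` is the decoded hints map with an 'AS' entry and an
    optional constructed 'binding' entry holding sign(AS, RS).

    Returns True only if C can establish that the hinted AS is authorized
    for rs_uri; otherwise the hint is treated as spoofable and dropped, so
    C never sends a token request to an AS it cannot vouch for.
    """
    hinted_as = hint.get("AS")
    if not isinstance(hinted_as, str):
        return False
    # 1. Pre-configured list: the hint adds nothing, but it is harmless.
    if hinted_as in PRECONFIGURED_AS.get(rs_uri, []):
        return True
    # 2. Signed binding: accept an unknown AS only with a valid sign(AS, RS).
    binding = hint.get("binding")
    if isinstance(binding, bytes):
        return hmac.compare_digest(binding, make_binding(hinted_as, rs_uri))
    # 3. Bare address with no way to check it: do not contact the AS.
    return False
```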