Re: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35
Seitz Ludwig <ludwig.seitz@combitech.se> Tue, 08 September 2020 06:51 UTC
Return-Path: <ludwig.seitz@combitech.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEBD23A1326 for <ace@ietfa.amsl.com>; Mon, 7 Sep 2020 23:51:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0eCXyMJR0XYT for <ace@ietfa.amsl.com>; Mon, 7 Sep 2020 23:51:17 -0700 (PDT)
Received: from weald.air.saab.se (weald.air.saab.se [136.163.212.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62B543A131F for <ace@ietf.org>; Mon, 7 Sep 2020 23:51:14 -0700 (PDT)
Received: from mailhub1.air.saab.se ([136.163.213.4]) by weald.air.saab.se (8.14.4/8.14.4) with ESMTP id 0886pBmU000477 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ace@ietf.org>; Tue, 8 Sep 2020 08:51:12 +0200
DKIM-Filter: OpenDKIM Filter v2.11.0 weald.air.saab.se 0886pBmU000477
Received: from corpappl16590.corp.saab.se (corpappl16590.corp.saab.se [10.12.12.96]) by mailhub1.air.saab.se (8.13.8/8.13.8) with ESMTP id 0886owbD013649 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <ace@ietf.org>; Tue, 8 Sep 2020 08:50:58 +0200
Received: from corpappl16595.corp.saab.se (10.12.12.127) by corpappl16590.corp.saab.se (10.12.12.96) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Tue, 8 Sep 2020 08:50:58 +0200
Received: from corpappl16595.corp.saab.se ([fe80::3c3e:6470:4c56:a86f]) by corpappl16595.corp.saab.se ([fe80::3c3e:6470:4c56:a86f%4]) with mapi id 15.01.1979.003; Tue, 8 Sep 2020 08:50:58 +0200
From: Seitz Ludwig <ludwig.seitz@combitech.se>
To: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: AS discovery in draft-ietf-ace-oauth-authz-35
Thread-Index: AQHWg4NrTXd9yvNtVkmAYyGU/9Ff5KlcuGCAgABqCgCAABgdAIABFwig
Date: Tue, 08 Sep 2020 06:50:58 +0000
Message-ID: <16e1e31d7060419eaecb6610836b5a39@combitech.se>
References: <4A2220B7-A0FD-4706-A813-2476BCAD66CB@ericsson.com> <022d4f7427be4edea9f96f116dc9ee3e@combitech.se> <BC044304-2BFF-4B23-B5E3-50101CDEB0E4@ericsson.com> <FAFFE31C-C555-4C57-8338-710ADFEB98B9@ericsson.com>
In-Reply-To: <FAFFE31C-C555-4C57-8338-710ADFEB98B9@ericsson.com>
Accept-Language: en-SE, sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.12.13.198]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Saab-MailScanner-Information: Please contact the ISP for more information
X-Saab-MailScanner-ID: 0886owbD013649
X-Saab-MailScanner: Found to be clean
X-Saab-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-0.499, required 5, ALL_TRUSTED -1.00, KAM_NUMSUBJECT 0.50, URIBL_BLOCKED 0.00)
X-Saab-MailScanner-From: ludwig.seitz@combitech.se
X-Saab-MailScanner-Watermark: 1600152659.23543@ygC1MRewxwyF2ZXEBIWBMQ
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (weald.air.saab.se [136.163.212.3]); Tue, 08 Sep 2020 08:51:12 +0200 (CEST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Ydkrfl4PCcN1eOvzHltHr8qeu3s>
Subject: Re: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2020 06:51:20 -0000
Hi ACE, Sadly I couldn't attend the interim meeting yesterday. Did the WG decide on how to proceed with regard to John's comment? /Ludwig > -----Original Message----- > From: John Mattsson <john.mattsson@ericsson.com> > Sent: den 7 september 2020 14:11 > To: ace@ietf.org; Seitz Ludwig <ludwig.seitz@combitech.se> > Subject: Re: AS discovery in draft-ietf-ace-oauth-authz-35 > > Hi, > > Rereading Section 6.4 again I think the discussion on Denial-of-Service / > amplification attacks in Section 6.4 clearly needs more work. > > - "However a compromised RS may use this to perform a denial of service > against a specific AS" > > Any attacker (not just a compromised RS) on the path beween C and RS can > easily trick C into contacting any node S (not just an ACE AS). Such a forged > message would be a denial-of-service attack on both C and N, not only on N. > > - "It is therefore advisable to provide C with a (possibly hard-coded) list of > trustworthy authorization servers" > > The list would need to be allowlist to have any effect. My understanding is > that C could contact an AS it does not trust. Having an allowlist in C does not > help in general. Even if C have a list stating that AS1, AS2, and AS3 is allowed, > an attacker can impersonate RS3 (belonging to AS3) and fool C to contact AS1 > or AS2. The attacker may even be able to get C to alternate between > contacting AS1 and AS2. > > Possible DDoS attacks in the IoT space is very serious. Recently, the lagest > DDoS attacks have all been using IoT devices. New protocols should mitigate > amlification and DDoS attacks. > > Cheers, > John > > -----Original Message----- > From: John Mattsson <john.mattsson@ericsson.com> > Date: Monday, 7 September 2020 at 12:45 > To: Seitz Ludwig <ludwig.seitz@combitech.se>, "ace@ietf.org" > <ace@ietf.org> > Subject: Re: AS discovery in draft-ietf-ace-oauth-authz-35 > > Hi Ludwig, > > The problem I have is that the current mechanism is presented as a generic > discovery mechanism and that none of the disadvantages are mentioned in > section 5.1. > > "A generic procedure is described in Section 5.1" > > The mechanism is not presented as an error message when the client in good > faith tries to access a resource. It is presented as something C do > intentionally to dicsover the AS. In the description in the draft, C is clearly > aware that the request is unauthorized. > > Section 6.4 describes the security properties quite well. But I cannot see any > discusion about the inefficiency of doing discovery over the C-RS path, which > in many cases is contrained. > > The current presentation is: > > 5.1 generic procedure to discover AS > > 6.4 BTW this mechanism has some security limitation > > My view would be that is should be more like: > > 5.1 Error message with AS address > > X.X BTW the error message could be used for AS discovery but has limited > effeciency and security and is not recommended. > > Cheers, > John > > -----Original Message----- > From: Seitz Ludwig <ludwig.seitz@combitech.se> > Date: Monday, 7 September 2020 at 08:28 > To: John Mattsson <john.mattsson@ericsson.com>, "ace@ietf.org" > <ace@ietf.org> > Subject: RE: AS discovery in draft-ietf-ace-oauth-authz-35 > > Hi John, > > Replies inline > > /Ludwig > > > -----Original Message----- > > From: Ace <ace-bounces@ietf.org> On Behalf Of John Mattsson > > Sent: den 5 september 2020 14:53 > > To: ace@ietf.org > > Subject: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35 > > > > Hi, > > > > I just reviewed draft-ietf-ace-oscore-profile. This made me wonder > > about the AS discovery mechanism in the ACE framework. Why is this > > particular discovery mechanism given so much attention? Of all > > possible discovery mechanisms, this seems like one of the worst as: > > > > 1. It requires a round-trip over the C-RS path which is typically the most > > constrained path in the architecture. > > 2. The response would in many cases be unprotected, which means C > > does not know if the response comes from RS or an attacker. > > > > A discovery mechanism using a non-contrained path (e.g. DNS, but could > > be any type of look up service) would in many cases be much more > > efficient and should be recommended. Such a mechanism might also be > > protected in more cases and therefore rule out the possibility that > > the response came from an attacker. > > > > I understand that the ACE framework draft does not want to specify any > > other AS discovery mechanism, but at a minimum the severe limitations > > of the current mechanism should be detailed. > > The limitations of this mechanism are detailed in section 6.4, do you think > that there is some consideration missing from that section? > > > I my view the current mechanism > > should be not recommended and only used as an error message when the > > client in good faith try to access a resource believing that it might > > have the right to access it. > > > It is indeed intended as an error message when the client in good faith tries > to access a resource believing it might have the right to access it. > >
- [Ace] AS discovery in draft-ietf-ace-oauth-authz-… John Mattsson
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Seitz Ludwig
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… John Mattsson
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Olaf Bergmann
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Stefanie Gerdes
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… John Mattsson
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Stefanie Gerdes
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Seitz Ludwig
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… John Mattsson
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Stefanie Gerdes
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Jim Schaad