Re: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35
John Mattsson <john.mattsson@ericsson.com> Mon, 07 September 2020 12:11 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F00E3A0C6F for <ace@ietfa.amsl.com>; Mon, 7 Sep 2020 05:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IsgBt6yOe7o5 for <ace@ietfa.amsl.com>; Mon, 7 Sep 2020 05:11:36 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30089.outbound.protection.outlook.com [40.107.3.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 365563A0C6A for <ace@ietf.org>; Mon, 7 Sep 2020 05:11:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RcEbKFh8zRafQXdOI7e84GSbuFpozgH76/S0BV4eK3x4drRNoVzG2IpV2KOVGfzUiVZHaafk1wj3X9QTDfOqc6SGCLezm8lm7Tm12ddRweLYbMb53GBPE3N12dtfzSgj1lbh2Eo/fFAi1SdI8LDEBS5niZ88VZEyQN5Sv1huLneeySpf5J80PH1GLDSj07DlcNFcsi/c724W/g+xaxNh1BmOO42ztmYXAQVwpcAvZYlwzXlTpLIYxvTQRVnB+762a0q40h6sghy3IKDvlQGv1z1v8ptutLEX7eCFbkcv3XHxZXo0gJPTi92WM0qx+Zr0Mb3R4QdhG1uDCT+3A8Amng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6QxZ481BqOULegA+6NfgayJcqBmcy9iNHctimqAP4qs=; b=K4ICRQCIm8lARj0B9p1D3SOKifMb6qVOe6z/uH1i/LidLb8xTScpkQ1/2zLeiuxxcbx1fpj5qiXPRTl/0ARwWBnCtrO+Ju1TMYExS6aJmeNofTmk6iwJfRq9L6CuL8250S2xpZs2Syum8a+d0oC+IExYQ6RflxpzCcEXdG7PhfIvYZRqKbr+e5k4EeUVtND9ysxeIpn+t5xHDrc8vEByDwM60Ev8gQmCVLy140U/fu9o+ynW54JAsNmm3hbNdVBkiBkXXq9YT8WWoNkLRCTZ9LNsXwto859zbRMJuL2tPnnz/TPuLUoi7hDlWgjsXsR1aLG2D+9LdAjW3nvghawjEA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6QxZ481BqOULegA+6NfgayJcqBmcy9iNHctimqAP4qs=; b=O1Bz+JGBp4xKJ3RjD9Yn/C7RGs2OHH4XXPDpQo2kFotk6jH0rPNYY75/IakTIrd8Iup/5LMs4vTtFZOaf9Lnq3S0d2i71zz31pmEVJr1ndOoMc92Pr+eOBN2x/S9+KvDTbdJdqns9vHIrjm0qovgdPn4UwWdU3b1jDwY/TDpPn0=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM7PR07MB6674.eurprd07.prod.outlook.com (2603:10a6:20b:18f::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.7; Mon, 7 Sep 2020 12:11:29 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::4027:7312:e764:73eb]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::4027:7312:e764:73eb%2]) with mapi id 15.20.3370.015; Mon, 7 Sep 2020 12:11:29 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "ace@ietf.org" <ace@ietf.org>, Seitz Ludwig <ludwig.seitz@combitech.se>
Thread-Topic: AS discovery in draft-ietf-ace-oauth-authz-35
Thread-Index: AQHWg4NrTXd9yvNtVkmAYyGU/9Ff5KlcuGCAgABqCgCAABgdAA==
Date: Mon, 07 Sep 2020 12:11:29 +0000
Message-ID: <FAFFE31C-C555-4C57-8338-710ADFEB98B9@ericsson.com>
References: <4A2220B7-A0FD-4706-A813-2476BCAD66CB@ericsson.com> <022d4f7427be4edea9f96f116dc9ee3e@combitech.se> <BC044304-2BFF-4B23-B5E3-50101CDEB0E4@ericsson.com>
In-Reply-To: <BC044304-2BFF-4B23-B5E3-50101CDEB0E4@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 12d6dbef-7f60-479a-3c2f-08d8532726b5
x-ms-traffictypediagnostic: AM7PR07MB6674:
x-microsoft-antispam-prvs: <AM7PR07MB66743C5D81B5A8571B891E5B89280@AM7PR07MB6674.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FTxTXmm2v6wxkHKAzhM44cNUMM2+igVhKwDcrw4YnsnfCA8bRa7obFmI5EMSmD5kEKvh+XAGQzfUf1wsa+Jiy0BfLW6W4MgURxiLBFmqo7K+4DOXKRtrFWWn6ufkpPXe/1KtjcXBNM8ih4jsEg5Z9NhWPQ6AfXllotECoQWRaT15lAwQz35e03spjvcSY/axL1H1uKdXm7IlXanmtQeXIXchupDppWXP8SRiCOH+Y8rb3z9CKYEfKDHNXwuSLvVD6qv18wI3rzetBu4mvRxdqyDKWl5lG7ztoSOVIozd7pXGrhuj4ur3I1U8lkob88AyIloTIhi2b27sZut0KxrFFg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(346002)(376002)(136003)(39860400002)(366004)(66476007)(66446008)(64756008)(66946007)(91956017)(36756003)(2616005)(44832011)(6506007)(2906002)(71200400001)(53546011)(478600001)(316002)(86362001)(8936002)(8676002)(66556008)(5660300002)(76116006)(26005)(110136005)(186003)(6486002)(6512007)(83380400001)(33656002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: FLCPROP1x3uzTefa41RbPvb0AQkX+JcC8bFx1qWYL7uWcA2iPpJYJifEyAHt+bCIBwD4SwzK9Fj6JSm8ciVPOk5IukJKbNSOepuSN6x4zAYnhF+Y/qoUGptjAMbOqnX2Vjwoa4JNySWqibzND09Dv14S0eHYf5qewbxPdrf1wqTvq0sB4TOA+kjVKGVbmEpzeayq8aMkidrIiRG1CtnPDsXx0vJqsuEZtSyEcypcL8ooojn1RRP81+A/BLfpe63uFXAxe/L0Xp+Y2UgyVXP1XWDQT5LcH0vu2VAyn+vrvuqHgkTZ0evrkSFUYhcoeZCEw0FPGziTwfAAbE10iA4DJ6t9zSxA5W+s/ggwe7GtXQ82A/A7ifNoO1tIa9D7W+pM/kc2F/9evGtYVF0qtjIKNaFxM+qRT/GWHls3P5wI35qF2sJa7QrUnpnMopfqLuGXRliklvmsdn/FmE+jI55zsWq1gVgjaRYCy4lbbFuprRslYy7flDWpCaSlftUGykpk0zOPMgo8DLsLwk/Kki/m3RPq2dVtIKIB7Hbsk9q+k8db1PVvDjnSgdJRV1wt2LRntaYw+QMfIw1AIsw3sSxneUB1aINpe4FHmQgyjnga70JgFRXeNe2k8NgTL+Uz6+iVyh2vsXq1vYQXSQc38Mga6Q==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <16A57FA328F5B848926E2BD2A6BFE61E@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 12d6dbef-7f60-479a-3c2f-08d8532726b5
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Sep 2020 12:11:29.0826 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Kn/wrXl8ovJk5ov3pOOgr1dIbk00RYN9Jt3ZpxtNG2LwHLFomU3tKiqq0eqPWuHD7y0RZVHIcW4m0c+h/hHR4254LpCJg+ase9xexDbiP0A=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6674
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/xlGARfTBY9p-LZPcwzy1B4ig1WY>
Subject: Re: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Sep 2020 12:11:37 -0000
Hi, Rereading Section 6.4 again I think the discussion on Denial-of-Service / amplification attacks in Section 6.4 clearly needs more work. - "However a compromised RS may use this to perform a denial of service against a specific AS" Any attacker (not just a compromised RS) on the path beween C and RS can easily trick C into contacting any node S (not just an ACE AS). Such a forged message would be a denial-of-service attack on both C and N, not only on N. - "It is therefore advisable to provide C with a (possibly hard-coded) list of trustworthy authorization servers" The list would need to be allowlist to have any effect. My understanding is that C could contact an AS it does not trust. Having an allowlist in C does not help in general. Even if C have a list stating that AS1, AS2, and AS3 is allowed, an attacker can impersonate RS3 (belonging to AS3) and fool C to contact AS1 or AS2. The attacker may even be able to get C to alternate between contacting AS1 and AS2. Possible DDoS attacks in the IoT space is very serious. Recently, the lagest DDoS attacks have all been using IoT devices. New protocols should mitigate amlification and DDoS attacks. Cheers, John -----Original Message----- From: John Mattsson <john.mattsson@ericsson.com> Date: Monday, 7 September 2020 at 12:45 To: Seitz Ludwig <ludwig.seitz@combitech.se>, "ace@ietf.org" <ace@ietf.org> Subject: Re: AS discovery in draft-ietf-ace-oauth-authz-35 Hi Ludwig, The problem I have is that the current mechanism is presented as a generic discovery mechanism and that none of the disadvantages are mentioned in section 5.1. "A generic procedure is described in Section 5.1" The mechanism is not presented as an error message when the client in good faith tries to access a resource. It is presented as something C do intentionally to dicsover the AS. In the description in the draft, C is clearly aware that the request is unauthorized. Section 6.4 describes the security properties quite well. But I cannot see any discusion about the inefficiency of doing discovery over the C-RS path, which in many cases is contrained. The current presentation is: 5.1 generic procedure to discover AS 6.4 BTW this mechanism has some security limitation My view would be that is should be more like: 5.1 Error message with AS address X.X BTW the error message could be used for AS discovery but has limited effeciency and security and is not recommended. Cheers, John -----Original Message----- From: Seitz Ludwig <ludwig.seitz@combitech.se> Date: Monday, 7 September 2020 at 08:28 To: John Mattsson <john.mattsson@ericsson.com>, "ace@ietf.org" <ace@ietf.org> Subject: RE: AS discovery in draft-ietf-ace-oauth-authz-35 Hi John, Replies inline /Ludwig > -----Original Message----- > From: Ace <ace-bounces@ietf.org> On Behalf Of John Mattsson > Sent: den 5 september 2020 14:53 > To: ace@ietf.org > Subject: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35 > > Hi, > > I just reviewed draft-ietf-ace-oscore-profile. This made me wonder about > the AS discovery mechanism in the ACE framework. Why is this particular > discovery mechanism given so much attention? Of all possible discovery > mechanisms, this seems like one of the worst as: > > 1. It requires a round-trip over the C-RS path which is typically the most > constrained path in the architecture. > 2. The response would in many cases be unprotected, which means C > does not know if the response comes from RS or an attacker. > > A discovery mechanism using a non-contrained path (e.g. DNS, but could be > any type of look up service) would in many cases be much more efficient and > should be recommended. Such a mechanism might also be protected in > more cases and therefore rule out the possibility that the response came > from an attacker. > > I understand that the ACE framework draft does not want to specify any > other AS discovery mechanism, but at a minimum the severe limitations of > the current mechanism should be detailed. The limitations of this mechanism are detailed in section 6.4, do you think that there is some consideration missing from that section? > I my view the current mechanism > should be not recommended and only used as an error message when the > client in good faith try to access a resource believing that it might have the > right to access it. > It is indeed intended as an error message when the client in good faith tries to access a resource believing it might have the right to access it.
- [Ace] AS discovery in draft-ietf-ace-oauth-authz-… John Mattsson
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Seitz Ludwig
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… John Mattsson
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Olaf Bergmann
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Stefanie Gerdes
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… John Mattsson
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Stefanie Gerdes
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Seitz Ludwig
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… John Mattsson
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Stefanie Gerdes
- Re: [Ace] AS discovery in draft-ietf-ace-oauth-au… Jim Schaad