Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 10 June 2019 20:48 UTC

To: Eric Rescorla <ekr@rtfm.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Anima WG <anima@ietf.org>
References: <155847367546.2608.5031283783681425886.idtracker@ietfa.amsl.com> <02DFBB01-F7BA-4BCA-B8C5-CF14E8B7A6F4@cisco.com> <20190604192843.gbavqofsq4btcgx3@faui48f.informatik.uni-erlangen.de> <045A7809-CB6F-493E-B9F2-FBF563AD5378@cisco.com> <20190607211720.y63ysayeqtkgi3lj@faui48f.informatik.uni-erlangen.de> <60BB0A11-A12B-4EA5-9379-12C75100D64C@cisco.com> <77dc7db3-e281-2475-6909-c9c5a982f973@gmail.com> <CABcZeBPcJN9eweSW8ayVAbyehjizycpLN2=dDe1txZEh8dm7QQ@mail.gmail.com> <6636.1560178188@localhost> <CABcZeBOJrnhi1vhZ5dcfS3-3DH_duWKCora-+AjARx5MwfUi+g@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <da17de42-dc02-38bf-3593-e95e2f715650@gmail.com>
Date: Tue, 11 Jun 2019 08:48:35 +1200
In-Reply-To: <CABcZeBOJrnhi1vhZ5dcfS3-3DH_duWKCora-+AjARx5MwfUi+g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/BbXhoDjj301rNaTs_wXm_TVzPWE>

On 11-Jun-19 04:21, Eric Rescorla wrote:
> 
> 
> On Mon, Jun 10, 2019 at 7:49 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
>     {I've clipped the CC list}
> 
>     Eric Rescorla <ekr@rtfm.com> wrote:
>         >> On 09-Jun-19 01:37, Eliot Lear wrote:
>         >> >
>         >> >
>         >> >> On 7 Jun 2019, at 23:17, Toerless Eckert <tte@cs.fau.de> wrote:
>         >> >>
>         >> >> Ok, now I got you (I hope ;-).
>         >> >>
>         >> >> I really liked the c1sco example (not sure if we should mention a real
>         >> >> company name in such an RFC; someone not reading the draft might take
>         >> >> offense, maybe examp1e.com instead though).
>         >> >
>         >> > This is a bit tricky with the glyph attack, but certainly the base
>         >> > should be example.com.
>         >>
>         >> Can you use null.example.com and nu11.example.com?
>         >>
> 
>         > That's a little unfortunate from the perspective of this attack because
>         > .com is a public suffix [0] whereas example.com is not.
> 
>         > -Ekr
> 
>         > [0] https://publicsuffix.org/
> 
>     okay, I'm trying to understand the relevance of this from the point of an
>     example in an RFC.
> 
>     We need to put the example under example.*, but we can't use examp1e.com,
>     because it's not an example domain.
> 
>     Brian suggested the example null vs nu11.
>     This is not about super-cookies, etc. and it doesn't suggest any kind of
>     process involving the list of publicsuffixes.
> 
> 
> The general shape of this kind of attack is that the attacker wants to impersonate A and so gets a domain with name A' that looks like A. However, this depends on A' being something the attacker can register. The public suffix list embodies the concept (more or less) of "anyone can register here". By contrast, a.example.com is (I assume) owned by example.com and so your average attacker can't do anything with b.example.com.

However, examp1e.com is 2001:470:1f07:1126::555:1212 or 64.57.183.2 so we *really* can't use it. examp1e.net is 133.242.206.244 and actually responds to HTTP.

You're right that in theory subdomains are unrealistic examples, but does that
matter for an illustrative example?

    Brian
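An added example, not from this thread or the BRSKI draft, of Ekr's point about the public suffix list: a lookalike name is only a registrable threat when it differs from the trusted name at the label directly under a public suffix, since labels below that are controlled by the same owner. It assumes a constructed mini public-suffix set and a constructed 1/l and 0/o confusable table (the real list also has wildcard and exception rules, which are omitted here).

```python
# Constructed subset of the public suffix list (https://publicsuffix.org/);
# the real list is far larger and has wildcard/exception rules.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed glyph-confusion table covering the digit/letter swaps used in
# the thread's c1sco / examp1e / nu11 examples.
CONFUSABLE = str.maketrans({"1": "l", "0": "o"})


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of host.

    Walks from the longest suffix to the shortest and returns the first
    suffix that is exactly one label longer than a known public suffix.
    Returns '' when host is itself a public suffix or none is known.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return "" if i == 0 else ".".join(labels[i - 1:])
    return ""


def skeleton(name: str) -> str:
    """Normalise confusable glyphs so nu11.example.com == null.example.com."""
    return name.lower().translate(CONFUSABLE)


def lookalike_risk(candidate: str, trusted: str) -> str:
    """Classify candidate relative to a trusted name.

    same-owner            : same registrable domain; only that owner can
                            create the subdomain, so no third party can
                            impersonate it by registration
    registrable-lookalike : different registrable domain whose skeleton
                            matches the trusted one, i.e. a name anyone
                            could register under the public suffix
    unrelated             : skeletons differ
    """
    c_reg, t_reg = registrable_domain(candidate), registrable_domain(trusted)
    if c_reg == t_reg:
        return "same-owner"
    if skeleton(c_reg) == skeleton(t_reg):
        return "registrable-lookalike"
    return "unrelated"
```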