Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt

Martin Thomson <mt@lowentropy.net> Wed, 13 July 2022 04:15 UTC

Message-Id: <6723979f-c496-43e1-a389-a50dd3af2224@beta.fastmail.com>
In-Reply-To: <dbee51f0-1913-af6e-de00-c3a7f5b77f68@gmail.com>
References: <a06000c5-939a-a896-9c0f-576e9e2ff97f@gmail.com> <D20FCDD6-3756-40E7-AD6A-416A2C464DF1@gmail.com> <dbee51f0-1913-af6e-de00-c3a7f5b77f68@gmail.com>
Date: Wed, 13 Jul 2022 14:14:41 +1000
From: Martin Thomson <mt@lowentropy.net>
To: architecture-discuss@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/e86oxl4BsCpotNWbyIlp4m0Hgw8>
Subject: Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt

On Wed, Jul 13, 2022, at 14:03, Brian E Carpenter wrote:
> Would a state machine analysis detect possible race conditions?

Some tools exist for doing this sort of analysis, but not all manifestations of the tool capture the details necessary to be able to detect the attack.  Some of the work from INRIA on TLS included analysis of protocol state machines: https://mitls.org/pages/attacks/SMACK

> These are not mentioned in the draft, and I think they're the sort of corner
> case that the robustness principle should help with.

This idea that the robustness principle might step in where the protocol design falls short is exactly the sort of thing that needs to stop.  We can do better (see above), but relying on implementers to just get it right was a poor strategy even when we didn't know much better.  Collectively, we are a group of experts who are equipped with the best knowledge and tooling, so there really isn't any excuse for shipping specifications that fall over when they encounter something as trivially predictable as a race condition.
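As an added illustration of the kind of state-machine analysis discussed above (this is not part of Martin Thomson's message, nor code from the mitls/SMACK work it links to), the following Python script is a toy exhaustive state-space explorer. The handshake it models (phases INIT, HELLO, KEYED, DONE; events hello, key, finished, app_data) is constructed for the example and is not any real protocol; the functions `lenient_step`, `strict_step`, `no_plaintext_app_data` and `find_violation` are likewise assumptions of this example. It enumerates every ordering of events from two independent sources (the peer's messages and the local application), which is the same interleaving enumeration a model checker uses to surface races and out-of-order message acceptance, and it reports the shortest event sequence that breaks a stated safety property. A "liberal" receiver that accepts `finished` before a key has been negotiated is caught; the strict receiver that accepts each message in exactly one phase is not.

```python
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# Constructed toy handshake (not a real protocol): a peer may deliver
# "hello", "key" or "finished"; the local application may ask to send
# "app_data". Exploring every ordering of these events is the interleaving
# enumeration that lets a model checker find races and out-of-order bugs.
EVENTS: Tuple[str, ...] = ("hello", "key", "finished", "app_data")


@dataclass(frozen=True)
class State:
    phase: str = "INIT"            # INIT -> HELLO -> KEYED -> DONE
    key_set: bool = False          # a key was actually negotiated
    app_data_sent: bool = False    # application data went out on the wire


Step = Callable[[State, str], Optional[State]]


def lenient_step(s: State, ev: str) -> Optional[State]:
    """'Liberal' receiver: unexpected messages are tolerated, and 'finished'
    is accepted as soon as a hello has been seen. Returns None when the
    event is dropped and the state is unchanged."""
    if ev == "hello" and s.phase == "INIT":
        return replace(s, phase="HELLO")
    if ev == "key" and s.phase == "HELLO":
        return replace(s, phase="KEYED", key_set=True)
    if ev == "finished" and s.phase in ("HELLO", "KEYED"):  # defect: key not required
        return replace(s, phase="DONE")
    if ev == "app_data" and s.phase == "DONE":
        return replace(s, app_data_sent=True)
    return None


def strict_step(s: State, ev: str) -> Optional[State]:
    """Strict receiver: each message is valid in exactly one phase; anything
    else aborts the connection (None = no further exploration)."""
    if ev == "hello" and s.phase == "INIT":
        return replace(s, phase="HELLO")
    if ev == "key" and s.phase == "HELLO":
        return replace(s, phase="KEYED", key_set=True)
    if ev == "finished" and s.phase == "KEYED":
        return replace(s, phase="DONE")
    if ev == "app_data" and s.phase == "DONE":
        return replace(s, app_data_sent=True)
    return None


def no_plaintext_app_data(s: State) -> bool:
    """Safety property: application data never goes out before a key exists."""
    return s.key_set or not s.app_data_sent


def find_violation(step: Step, invariant: Callable[[State], bool],
                   max_depth: int = 8) -> Optional[List[str]]:
    """Breadth-first exhaustive exploration of reachable states. Returns the
    shortest event sequence that reaches a state violating `invariant`, or
    None if no such state is reachable within max_depth events."""
    start = State()
    queue = deque([(start, ())])
    seen = {start}
    while queue:
        s, trace = queue.popleft()
        if not invariant(s):
            return list(trace)
        if len(trace) >= max_depth:
            continue
        for ev in EVENTS:
            nxt = step(s, ev)
            if nxt is None or nxt in seen:
                continue
            seen.add(nxt)
            queue.append((nxt, trace + (ev,)))
    return None


if __name__ == "__main__":
    for name, step in (("lenient", lenient_step), ("strict", strict_step)):
        trace = find_violation(step, no_plaintext_app_data)
        verdict = "no violation found" if trace is None else "counterexample " + " -> ".join(trace)
        print(f"{name}: {verdict}")
```

Running the script prints a three-event counterexample for the lenient receiver (hello, finished, app_data) and no violation for the strict one. The point of the exercise is that the counterexample falls out of stating the property and exploring exhaustively, rather than from an implementer happening to think of that ordering; adding a second machine, or timers as a further event source, turns the same loop into a search over genuine concurrent interleavings, at the cost of state-space growth that real tools manage with symbolic techniques.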