Re: [beepwg] A couple of features to limit BEEP no reply attack
David Kramer <dkramer@apple.com> Fri, 13 March 2009 21:31 UTC
Return-Path: <beepwg-bounces@beepcore.org>
X-Original-To: ietfarch-beep-archive@core3.amsl.com
Delivered-To: ietfarch-beep-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4CA6228C0EE for <ietfarch-beep-archive@core3.amsl.com>; Fri, 13 Mar 2009 14:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.598
X-Spam-Level:
X-Spam-Status: No, score=-102.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vclaziOuWrGj for <ietfarch-beep-archive@core3.amsl.com>; Fri, 13 Mar 2009 14:31:17 -0700 (PDT)
Received: from hl27.dinaserver.com (hl27.dinaserver.com [82.98.144.26]) by core3.amsl.com (Postfix) with ESMTP id DFB203A6B24 for <beep-archive@lists.ietf.org>; Fri, 13 Mar 2009 14:31:16 -0700 (PDT)
Received: from hl27.dinaserver.com (localhost [127.0.0.1]) by hl27.dinaserver.com (Postfix) with ESMTP id 4C3BF75F4A4; Fri, 13 Mar 2009 22:31:52 +0100 (CET)
X-Original-To: beepwg@beepcore.org
Delivered-To: beepwg-lista@hl27.dinaserver.com
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by hl27.dinaserver.com (Postfix) with ESMTP id 4E6B978DE87 for <beepwg@beepcore.org>; Fri, 13 Mar 2009 22:31:37 +0100 (CET)
Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out3.apple.com (Postfix) with ESMTP id BB1E2568DF50; Fri, 13 Mar 2009 14:31:36 -0700 (PDT)
Received: from relay14.apple.com (unknown [127.0.0.1])A3908280AA; Fri, 13 Mar 2009 14:31:36 -0700 (PDT)
X-AuditID: 11807134-ab060bb000000ff0-60-49bad0b8df06
Received: from dkramer.apple.com (dkramer.apple.com [17.224.20.97]) by relay14.apple.com (Apple SCV relay) with ESMTP id 7327A28087; Fri, 13 Mar 2009 14:31:36 -0700 (PDT)
Subject: Re: [beepwg] A couple of features to limit BEEP no reply attack
Mime-Version: 1.0 (Apple Message framework v1047)
Content-Transfer-Encoding: 7bit
From: David Kramer <dkramer@apple.com>
Message-Id: <9471C896-E007-4745-8A49-885D51B6B130@apple.com>
In-Reply-To: <1236942381.17324.180.camel@vulcan.aspl.local>
Date: Fri, 13 Mar 2009 14:31:36 -0700
References: <1236942381.17324.180.camel@vulcan.aspl.local>
Content-Type: text/plain; delsp="yes"; charset="us-ascii"; format="flowed"
To: Francis Brosnan Blazquez <francis@aspl.es>
X-Mailer: Apple Mail (2.1047)
X-Brightmail-Tracker: AAAAAA==
X-DinaScanner: Libre de Virus, Este E-Mail no ha sido analizado.
X-DinaScanner-SpamCheck: no es spam, SpamAssassin (not cached, puntaje=-6.599, requerido 6, autolearn=not spam, BAYES_00 -2.60, RCVD_IN_DNSWL_MED -4.00),
cc: BEEPwg <beepwg@beepcore.org>
X-BeenThere: beepwg@beepcore.org
X-Mailman-Version: 2.1
Precedence: list
List-Id: <beepwg.beepcore.org>
List-Help: <mailto:beepwg-request@beepcore.org?subject=help>
List-Post: <mailto:beepwg@beepcore.org>
List-Subscribe: <http://beepcore.org/mailman/listinfo/beepwg>, <mailto:beepwg-request@beepcore.org?subject=subscribe>
List-Unsubscribe: <http://beepcore.org/mailman/listinfo/beepwg>, <mailto:beepwg-request@beepcore.org?subject=unsubscribe>
Sender: beepwg-bounces@beepcore.org
Errors-To: beepwg-bounces@beepcore.org
X-DinaScanner-Information: DinaScanner. Filtro anti-Spam y anti-Virus
X-MailScanner-ID: 4C3BF75F4A4.EB08B
X-DinaScanner-From: beepwg-bounces@beepcore.org
Francis, I read your draft proposal for the reply-limit and no-reply features and have a few questions and comments. First, regarding reply-limit: * The reply-limit feature could be implemented by the library implementing the BEEP protocol. The library could automatically terminate the session whenever it determined that the remote peer was taking too long to reply to requests. Clients using the library could override this timeout value on a per-session and per-channel basis. Can you provide an example showing why it is better to make this a feature of the BEEP protocol instead of just implementing this in the library? * When using reply-limit, if peer A takes longer than the limit to reply, is it considered a protocol violation if peer B doesn't terminate the session? In other words, who's responsibility is it to enforce the reply-limit? Both peers? Or just the receiving peer? Regarding "no-reply": * Because the "no-reply" feature still allows replies, a downside of using "no-reply" instead of NFN messages is that each peer still has to keep track of all of the un-replied-to messages it has sent, in order to verify that each RPY that does arrive has a valid msgno. The peer's memory usage will increase for each message it sends that the remote peer does not reply to. Do you agree that this feature would be unusable in low-memory environments, unless the peer stopped validating the msgno of incoming RPY messages? * The issue you mention about the NFN scheme not supporting correlation between requests and replies was first raised because I suggested that the NFN scheme could be used to implement support for out-of-order replies. As was pointed out to me, and I agree, the application would have to do extra work to correlate these out-of- order replies, which could instead be handled by the msgno value in the frame header if the protocol were changed to allow out of order RPYs. But in the cases where you do not want a reply, this issue does not apply. * The "no-reply" feature seems mis-named. You are not creating a channel in which there are no replies, you are creating a channel in which replies are optional, and the choice is made by the receiver, not the sender. This does not seem like a useful feature to me. I would understand a feature that allowed for a channel on which replies were not allowed at all (eg, it is against the rules to send a RPY when you receive a MSG on the channel) and I would understand a feature that allowed for channel on which the sender specified whether or not a RPY was needed (eg, the sender could send a NFN if it didn't want a RPY, and it could send a MSG if it did want a RPY)... but I don't understand the "no-reply" feature, because it allows the receiver to decide whether or not to respond. Can you provide an example protocol where it is useful to allow the receiving peer the option to decide whether or not it replies? Also, I suggest renaming the feature to "optional-reply". Regarding the over-all goal of limiting BEEP no reply attack: * Anytime a remote peer does not behave the way you want, you have the right to terminate the session. Why is this not sufficient for protecting against the no reply attack? Can't all of this just be implemented by the library? For example, if the client of the library asks to close a channel, and the remote peer refuses, the library could automatically terminate the session -- or it could terminate the session on the third failed attempt -- or whatever policy you want. And if the client of the library sends a message but receives no reply after some timeout, the library could automatically terminate the session. Does any of this have to be part of the protocol? What is the advantage of broadcasting your reply-limit to the other peer? If I tell you my reply-limit is 10, and you take 11 seconds to reply on channel 0, I'll terminate the session. But I could do the same even if I didn't tell you what my reply-limit is, right? What is the difference? * In the case where a peer is is performing the permanent negative close attack on only one channel, I could see the use for a "channel terminate" message that the peer could send over channel 0 to indicate that it would no longer consider valid any messages sent with that channel number. Do you think this would solve the problem effectively? If the remote peer is performing the permanent negative close attach on all channels (or just on channel 0) then terminating the session is already the appropriate response, right? You goal of limiting BEEP no reply attacks is good, but I don't yet see any compelling reasons to make the features you have described part of the protocol. If you can describe some profiles where these features would be useful it might be easier for me to understand the purpose of the features and comment on them more effectively. Thanks, David On Mar 13, 2009, at 4:06 AM, Francis Brosnan Blazquez wrote: > Hi, > > I've been working on a couple of features that will allow limiting how > BEEP implements some reply requirements that may be used to setup an > attack. > > It would be great to known your opinion about this. > > Cheers! > -- > Francis Brosnan Blazquez <francis@aspl.es> > Advanced Software Production Line, S.L. > <draft-brosnan-beep-limit-close.txt>
- [beepwg] A couple of features to limit BEEP no re… Francis Brosnan Blazquez
- [beepwg] Re: [Vortex] A couple of features to lim… Francis Brosnan Blazquez
- Re: [beepwg] A couple of features to limit BEEP n… David Kramer
- [beepwg] Re: A couple of features to limit BEEP n… Martin Thomson
- [beepwg] Re: [Vortex] A couple of features to lim… Francis Brosnan Blazquez
- Re: [beepwg] A couple of features to limit BEEP n… Francis Brosnan Blazquez
- Re: [beepwg] Re: A couple of features to limit BE… Francis Brosnan Blazquez
- RE: [beepwg] Re: A couple of features to limit BE… Thomson, Martin
- RE: [beepwg] Re: A couple of features to limit BE… Francis Brosnan Blazquez
- [beepwg] Re: [Vortex] A couple of features to lim… Benoit Amiaux
- Re: [beepwg] Re: A couple of features to limit BE… Francis Brosnan Blazquez
- Re: [beepwg] Re: [Vortex] A couple of features to… Francis Brosnan Blazquez