Re: [bfcpbis] Kathleen Moriarty's Discuss on draft-ietf-bfcpbis-rfc4582bis-13: (with DISCUSS and COMMENT)

["Paul E. Jones" <paulej@packetizer.com>]

Kathleen,

Following up on this email (and building a growing to-do list)....

------ Original Message ------
From: "Kathleen Moriarty" <Kathleen.Moriarty.ietf@gmail.com>
To: "The IESG" <iesg@ietf.org>
Cc: mary.ietf.barnes@gmail.com; 
draft-ietf-bfcpbis-rfc4582bis.all@ietf.org; bfcpbis@ietf.org; 
bfcpbis-chairs@ietf.org
Sent: 3/5/2015 10:22:02 AM
Subject: [bfcpbis] Kathleen Moriarty's Discuss on 
draft-ietf-bfcpbis-rfc4582bis-13: (with DISCUSS and COMMENT)

>Kathleen Moriarty has entered the following ballot position for
>draft-ietf-bfcpbis-rfc4582bis-13: Discuss
>
>When responding, please keep the subject line intact and reply to all
>email addresses included in the To and CC lines. (Feel free to cut this
>introductory paragraph, however.)
>
>
>Please refer to 
>http://www.ietf.org/iesg/statement/discuss-criteria.html
>for more information about IESG DISCUSS and COMMENT positions.
>
>
>The document, along with other ballot positions, can be found here:
>http://datatracker.ietf.org/doc/draft-ietf-bfcpbis-rfc4582bis/
>
>
>
>----------------------------------------------------------------------
>DISCUSS:
>----------------------------------------------------------------------
>
>Thanks for your work on this draft, it was very well written which is
>much appreciated.
>
>I just have one item I'd like to discuss that should be very easy to
>resolve.
>This should be considered with Spencer's question on what happens when
>the fragments are larger or smaller than the path MTU.  It's important 
>to
>state this to prevent fragmentation overlap attacks (unless you can
>explain why we don't need to worry about that).

Are you concerned about IP-packet level fragmentation overlap or payload 
level fragmentation overlap issues?  I think the former should be 
addressed with "do not fragment IP packets".  The latter is an area that 
is not addressed in the spec at present.  However, if there is overlap 
in the application data, I do not see any harm.  Of course, it would be 
important to check to ensure lengths are all correct to prevent buffer 
overruns.

Am I missing something here?


>In the second sentence on page 42, adding the ending clause may be
>helpful:
>   The size of each of these N messages MUST be
>    smaller than the path MTU to help prevent fragmentation overlap
>attacks.

This would be a good addition.  We have other text we need to add re: 
path MTU and it is the intent that all messages fit within the path MTU.


>----------------------------------------------------------------------
>COMMENT:
>----------------------------------------------------------------------
>
>
>Spencer asked what happens when TLS/DTLS is not used, so perhaps
>rewording of the intro to the security considerations section would 
>help
>to clear up his point.  TLS/DTLS is the MTI with flexibility left in to
>support some other undefined mechanism to secure the channel.  Since no
>MTU is set, but recommended, the first few sentences are a bit 
>confusing.
>  The rest of the paragraph is clear in terms of MTI and recommendations
>when TLD/DTLS is used as well as alternates options supporting the 
>listed
>desired security properties.
>
>Security Considerations
>
>    BFCP uses TLS/DTLS to provide mutual authentication between clients
>    and servers.  TLS/DTLS also provides replay and integrity protection
>    and confidentiality.

At present, TLS/DTLS are recommended, but not mandatory.  Without them, 
there is a host of attacks one could perform against either a client or 
server, especially over UDP, and there is no authentication or 
confidentiality.  Much of that is spelled out in the security 
considerations section.

I apologize, but I'm missing what your request is here.  Can you clarify 
for me?

Paul