IETF Logo Mail Archive

Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)

Klaus Hartke <hartke@projectcool.de> Mon, 04 May 2020 17:41 UTC

Return-Path: <hartke@projectcool.de>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C8D63A0DCB; Mon, 4 May 2020 10:41:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CcHgwAF3Uqyy; Mon, 4 May 2020 10:41:54 -0700 (PDT)
Received: from wp382.webpack.hosteurope.de (wp382.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8597::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00B2B3A0DCE; Mon, 4 May 2020 10:41:18 -0700 (PDT)
Received: from mail-qt1-f177.google.com ([209.85.160.177]); authenticated by wp382.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) id 1jVf5d-0007Yx-5O; Mon, 04 May 2020 19:41:13 +0200
Received: by mail-qt1-f177.google.com with SMTP id g16so175509qtp.11; Mon, 04 May 2020 10:41:13 -0700 (PDT)
X-Gm-Message-State: AGi0PubLtwGUaKbUVsKYqxNsQgo22erPQCaHAdexM/4LdXVli68Knnjx 1gQPo8abMmG8z1w/IseduG9uR7T8AtWTY1R3MMw=
X-Google-Smtp-Source: APiQypKHzeW3TV0ugJZrZ3BwEQ3GBnpnw9g2Ac1qLZBsbZwpm51YWYn35mS11xqouywefP1VoPIBhe0yE1mUVZO0YIA=
X-Received: by 2002:ac8:51cd:: with SMTP id d13mr254349qtn.174.1588614072019; Mon, 04 May 2020 10:41:12 -0700 (PDT)
MIME-Version: 1.0
References: <158741679923.20291.1071401061463555301@ietfa.amsl.com> <CAAzbHvaTq39XG6aY0hsGociCTYYT7VwjPtrKw8KN1sOA30rYDw@mail.gmail.com> <20200503224625.GF27494@kduck.mit.edu>
In-Reply-To: <20200503224625.GF27494@kduck.mit.edu>
From: Klaus Hartke <hartke@projectcool.de>
Date: Mon, 04 May 2020 19:40:39 +0200
X-Gmail-Original-Message-ID: <CAAzbHvbY4ioLC2W4adnJc4LTVY_BhbfWJnEKLwtdTyzu_ca5bg@mail.gmail.com>
Message-ID: <CAAzbHvbY4ioLC2W4adnJc4LTVY_BhbfWJnEKLwtdTyzu_ca5bg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, core-chairs@ietf.org, draft-ietf-core-stateless@ietf.org, "core@ietf.org WG" <core@ietf.org>
Content-Type: text/plain; charset="UTF-8"
X-bounce-key: webpack.hosteurope.de; hartke@projectcool.de; 1588614079; 4bb4f30e;
X-HE-SMSGID: 1jVf5d-0007Yx-5O
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/3zv2kefUDljZ2GOMaxVi3S1yrnc>
Subject: Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2020 17:41:57 -0000

Benjamin Kaduk wrote:
> Klaus Hartke wrote:
> > Benjamin Kaduk wrote:
> > > Section 3.1
> > >
> > >    o  A client SHOULD integrity protect the state information serialized
> > >       in a token, unless processing a response does not modify state or
> > >       cause any other significant side effects.
> > >
> > > If the intent is that the "does not modify state" clause is the only case
> > > when one would disregard the need for integrity protection, "MUST [...]
> > > unless" seems more appropriate.  (I would prefer unconditional MUST and am
> > > not sure I understand the cases where there is a need to skip integrity
> > > protection.)
> >
> > The intent here is that a client must do integrity protection, but
> > there may exist valid reasons in particular circumstances to ignore
> > this requirement. In this case, the full implications must be
> > understood and carefully weighed.
> >
> > All of the circumstances that come to my mind here are those where a
> > modified token doesn't actually hurt. For example, if a client sends a
> > request to some server at regular intervals, it might only be
> > interested in whether the response has an error or success code and
> > not even deserialise the token.
> >
> > What's the best way to capture this?
>
> Before I get into suggested text, I want to check that I understand the
> situation properly -- in such a case where the client is not even
> deserializing the token, why would the client not be able to use a regular
> token and not look at that token's value?  It doesn't seem like the client
> is gaining anything from having the serialized state available.
>
> Your description makes it sound like we may have to just do "SHOULD
> integrity protect" without the "unless [...]" clause.

Hmm... the top-level section is about clients that avoid keeping
per-request state, which a client can be regardless of whether it uses
<=8 byte tokens or >8 byte tokens; but this sub-section talks about
serialized state, from which indeed the client doesn't get anything if
it's never deserialized...

Maybe the best way forward is indeed to use SHOULD with the "unless
[...]" part... If we change to MUST, then I can already anticipate
people complaining that in their particular use case any integrity
protection is just wasting precious bytes. The SHOULD would take care
of that. And maybe we don't have to go into detail under which
circumstances it might be justified to ignore this SHOULD.

OLD:

   o  A client SHOULD integrity protect the state information serialized
      in a token, unless processing a response does not modify state or
      cause any other significant side effects.

NEW:

   o  A client SHOULD integrity protect the state information serialized
      in a token.

> > >    o  Even when the serialized state is integrity protected, an attacker
> > >       may still replay a response, making the client believe it sent the
> > >       same request twice.  For this reason, the client SHOULD implement
> > >
> > > (Basically the same comments about "SHOULD".)
> >
> > See above.
> >
> > This section is about protecting the serialized state, but of course
> > the requests and responses need to be protected as a whole as well
> > (e.g., using DTLS or OSCORE). In some circumstances, receiving a
> > replayed token might not hurt if the client can verify that the
> > response is coming from the right server.
>
> Presumably the same cases where a replayed response from the right server
> would be tolerable?  Such cases are ... rare, in my opinion.

OLD:

   o  Even when the serialized state is integrity protected, an attacker
      may still replay a response, making the client believe it sent the
      same request twice.  For this reason, the client SHOULD implement
      replay protection (e.g., by using sequence numbers and a replay
      window), unless processing a response does not modify state or
      cause other any significant side effects.  For replay protection,
      integrity protection is REQUIRED.

NEW:

   o  Even when the serialized state is integrity protected, an attacker
      may still replay a response, making the client believe it sent the
      same request twice.  For this reason, the client SHOULD implement
      replay protection (e.g., by using sequence numbers and a replay
      window).

Does it look OK without the "unless [...]" parts?

Klaus

v2.23.0 | Report a Bug | By Email