IETF Logo Mail Archive

Re: [core] AD review of draft-ietf-core-echo-request-tag-10

Roman Danyliw <rdd@cert.org> Wed, 02 September 2020 13:37 UTC

Return-Path: <rdd@cert.org>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D780C3A0D5A; Wed, 2 Sep 2020 06:37:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxdGVsUq-mot; Wed, 2 Sep 2020 06:37:44 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9D533A0D55; Wed, 2 Sep 2020 06:37:44 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 082DbekC014406; Wed, 2 Sep 2020 09:37:40 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 082DbekC014406
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1599053860; bh=c0Tlwf44inseE9h8asy/GtkSlWkTfsR6LTQSy96Xmkk=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=CQJO5GZCDfT5cqxCmR/r3sBTi+Alvlb8mR2E0OdlZuyWkvHClIPTI6760WRmMGRE4 dNSyKfYvbBLg/3oC4A0Q5YWug+1RI2DFLtrZp4YwYqKBAg5X5u4Ech3V8aLel8FEa2 loCxjzHFCYw+GlBw8aQ7ABSu+B7QcnVBCeWF7KjA=
Received: from MURIEL.ad.sei.cmu.edu (muriel.ad.sei.cmu.edu [147.72.252.47]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 082Dbc9i019263; Wed, 2 Sep 2020 09:37:39 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Wed, 2 Sep 2020 09:37:38 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Wed, 2 Sep 2020 09:37:38 -0400
From: Roman Danyliw <rdd@cert.org>
To: Barry Leiba <barryleiba@computer.org>, Göran Selander <goran.selander@ericsson.com>
CC: "draft-ietf-core-echo-request-tag.all@ietf.org" <draft-ietf-core-echo-request-tag.all@ietf.org>, "core@ietf.org" <core@ietf.org>
Thread-Topic: [core] AD review of draft-ietf-core-echo-request-tag-10
Thread-Index: AQHWgGr6HdwxyxOIZEyKRawBPBcjNalUP3+AgAAqv4CAAARHAIABI2cAgAABPQD//77GEA==
Date: Wed, 02 Sep 2020 13:37:37 +0000
Message-ID: <0c496ec8d63a439684ccdb3489fd541f@cert.org>
References: <CALaySJJt_U+qF_xwOtJC2BD=oet-stNxoJkMYJfH=Z8BmcLc3g@mail.gmail.com> <1E09C83D-0AC1-42CA-9E2D-E5903FF775D6@ericsson.com> <9854F0F8-A512-44DB-910C-3864106C9708@tzi.org> <3216C47B-D9A9-4EAD-B68F-D2FAB7E0376B@ericsson.com> <CALaySJLU3-39SPDu9F-y3BUCJXYfKJQUeWhcDoFZF0RxcPh9ig@mail.gmail.com> <CF9FD971-16E5-42DD-B443-1D1A4B6A04EE@ericsson.com> <CALaySJ+U3sFzdhp1DUZQ1ynGu6quVqKptQcAckYB=ZJ1GopZ0g@mail.gmail.com>
In-Reply-To: <CALaySJ+U3sFzdhp1DUZQ1ynGu6quVqKptQcAckYB=ZJ1GopZ0g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.220]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/Ah6yZ_b4g98OZOEjsYxeqbItCto>
Subject: Re: [core] AD review of draft-ietf-core-echo-request-tag-10
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2020 13:37:47 -0000

Hi!

The notion of defining, labelling and discussing the distinction between attackers who can read, inject, delete, and modify data vs. read and inject, but not necessarily delete on modify data, seems like helpful precision.  Thanks for doing it.  

To make a few general comments ...

For me, "on-path" speaks to where an attacker is located topologically, not what capabilities the attacker will _always_ have -- there can be mitigating factors based on the particular details of the protocol or operational configurations.  I'd also say the same for "MiTM" too.  Furthermore, I don’t think that in the abstract that we have a an commonly accepted definition precise enough with MiTM vs. on-path attacker to the degree  that we can make the distinction that the latter (again in the abstract) has less capabilities than the former (or vice versa).  

In terms of prior definitions, consulting Section 3.5 of RFC3552:

3.5. On-path versus off-path

   In order for a datagram to be transmitted from one host to another,
   it generally must traverse some set of intermediate links and
   gateways.  Such gateways are naturally able to read, modify, or
   remove any datagram transmitted along that path.  This makes it much
   easier to mount a wide variety of attacks if you are on-path.

This suggests that an "on-path attacker" can indeed read, modify and remove datagrams.

Back to this specific document, enumerating the specific collection of attacker capabilities _with_ a description of where this adversary would need to be topologically seems like the right editorial approach.  Again, thanks for trying to be so clear.

Regards,
Roman 

> -----Original Message-----
> From: core <core-bounces@ietf.org> On Behalf Of Barry Leiba
> Sent: Wednesday, September 2, 2020 8:56 AM
> To: Göran Selander <goran.selander@ericsson.com>
> Cc: draft-ietf-core-echo-request-tag.all@ietf.org; core@ietf.org
> Subject: Re: [core] AD review of draft-ietf-core-echo-request-tag-10
> 
> For what it's worth, I just reviewed a routing document that uses the phrase
> "an attacker in the middle of the network", which is another option.
> 
> Barry
> 
> On Wed, Sep 2, 2020 at 8:52 AM Göran Selander
> <goran.selander@ericsson.com> wrote:
> >
> > Hi,
> >
> > As I understand "replace" and Carsten's provided definitions, an on-path
> attacker does not necessarily have that capability. But I agree with John's
> proposal and updated the github version accordingly. In the same way I also
> replaced the only use of "on-path attacker" in the draft with "attacker". The
> commit is here:
> >
> > https://github.com/core-wg/echo-request-tag/commit/29969c4
> >
> > Any other comments on the recent changes? We plan to submit a new
> version on Friday.
> >
> > Göran
> >
> >
> > On 2020-09-01, 21:29, "Barry Leiba" <barryleiba@computer.org> wrote:
> >
> >     John has a good point here, and I support his proposal.
> >
> >     That said, remember: I did say that it's not a big deal and I'm
> >     leaving it to y'all's best judgment.  All I wanted was for you to
> >     consider the issue... not to rehash "fun" discussions from elsewhere.
> >     And whichever way you choose isn't going to block this document.
> >
> >     Barry
> >
> >     On Tue, Sep 1, 2020 at 3:13 PM John Mattsson
> <john.mattsson@ericsson.com> wrote:
> >     >
> >     > In this sentence I think on-path attacker works quite well or even better.
> It already follows from the sentence that the attacker is able to replace one
> block with another. The attacker in this case does only needs to be able to
> reorder packets flowing in one direction of the communication.
> >     >
> >     > We could also just use the word attacker, e.g.
> >     >
> >     > "it is still possible for an attacker able to reorder packets on the path
> from client to server to maliciously replace a later operation's blocks with an
> earlier operation's blocks."
> >     >
> >     > Cheers,
> >     > John
> >     >
> >     > -----Original Message-----
> >     > From: Carsten Bormann <cabo@tzi.org>
> >     > Date: Tuesday, 1 September 2020 at 18:40
> >     > To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
> >     > Cc: Barry Leiba <barryleiba@computer.org>, "draft-ietf-core-echo-
> request-tag.all@ietf.org" <draft-ietf-core-echo-request-tag.all@ietf.org>,
> "core@ietf.org" <core@ietf.org>
> >     > Subject: Re: [core] AD review of draft-ietf-core-echo-request-tag-10
> >     > Resent from: <alias-bounces@ietf.org>
> >     > Resent to: <christian@amsuess.com>, John Mattsson
> <john.mattsson@ericsson.com>, <goran.selander@ericsson.com>,
> <jaime@iki.fi>, <marco.tiloca@ri.se>, <barryleiba@gmail.com>,
> <superuser@gmail.com>, <barryleiba@computer.org>, Marco Tiloca
> <marco.tiloca@ri.se>
> >     > Resent date: Tuesday, 1 September 2020 at 18:40
> >     >
> >     >     On 2020-09-01, at 16:19, Göran Selander
> <goran.selander=40ericsson.com@dmarc.ietf.org> wrote:
> >     >     >
> >     >     >
> >     >     >    — Section 3.5.1 —
> >     >     >
> >     >     >       is still possible for a man-in-the-middle to maliciously replace a
> >     >     >       later operation's blocks with an earlier operation's blocks
> >     >     >
> >     >     >    Not a requirement here, and I will accept your best judgment:  in
> the
> >     >     >    spirit of recent discussion on inclusive vs exclusionary language, I
> ask
> >     >     >    you to consider changing “a man-in-the-middle” to “an on-path
> attacker”.
> >     >     >
> >     >     > [GS] I thought there was a slight difference between "on-path
> attacker" and "man-in-the-middle”, in that the latter has access to the message
> flow whereas the former need not have. For example, an on-path attacker may
> only be able to inject messages. In this case ("replace") the latter would then be
> more precise. If I'm right then I propose we use available distinctions pending a
> new dictionary, otherwise I'm fine with changing.
> >     >
> >     >     Oh, so we are getting to have this fun discussion on *this* draft.
> >     >
> >     >     A MITM can read, inject, delete, and modify data.
> >     >
> >     >     An on-path attacker can read and inject, but not necessarily delete or
> modify data.
> >     >
> >     >     I would not use the latter as a synonym for the former.
> >     >
> >     >     The other proposal in
> https://protect2.fireeye.com/v1/url?k=8bc8ba21-d57827b9-8bc8faba-
> 861fcb972bfc-afe20b2d89bbd667&q=1&e=406fbb72-b2f0-4844-bd11-
> 3ff570edaf0f&u=https%3A%2F%2Fgithub.com%2Fietf%2Fterminology is even
> more broken: An impersonation attacker doesn’t even have to be on-path.
> >     >
> >     >     (See also my comment on
> https://protect2.fireeye.com/v1/url?k=a110182c-ffa085b4-a11058b7-
> 861fcb972bfc-2890999e614b0870&q=1&e=406fbb72-b2f0-4844-bd11-
> 3ff570edaf0f&u=https%3A%2F%2Fgithub.com%2Fietf%2Fterminology%2Fpull
> %2F1, which fell by the wayside in the recent lull on this topic.)
> >     >
> >     >     In the mid-2000s, there was an attempt to replace MITM attack by
> “middleperson attack”.  That utterly failed, a simple Google search says “man-
> in-the-middle” (54100 hits on dl.acm.org) is overwhelmingly still the term of
> art and not “middleperson” (31 hits on dl.acm.org).
> >     >
> >     >     Wikipedia at least knows about the other established word for MITM,
> Janus attack
> https://en.wikipedia.org/w/index.php?title=Janus_attack&redirect=no — not
> very successful either (9 hits on dl.acm.org).
> >     >
> >     >     One word that already has the right semantics and does not require
> the cultural background of “Janus attack” is “Interposer attack”.  0 hits on
> dl.acm.org, but has all the right properties.  So in the above we would replace
> MITM by “interposer”:
> >     >
> >     >     >       is still possible for an interposer to maliciously replace a
> >     >     >       later operation's blocks with an earlier operation's blocks
> >     >
> >     >     WFM, even if this is blazing a new trail.
> >     >
> >     >     Grüße, Carsten
> >     >
> >     >
> >     >
> >     >
> >
> 
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core

v2.23.0 | Report a Bug | By Email