[core] Secdir last call review of draft-ietf-core-too-many-reqs-04

Daniel Migault <daniel.migault@ericsson.com> Mon, 08 October 2018 00:30 UTC

Return-Path: <daniel.migault@ericsson.com>
X-Original-To: core@ietf.org
Delivered-To: core@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BD04D1277CC; Sun, 7 Oct 2018 17:30:43 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Daniel Migault <daniel.migault@ericsson.com>
To: <secdir@ietf.org>
Cc: draft-ietf-core-too-many-reqs.all@ietf.org, ietf@ietf.org, core@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.85.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <153895864367.4396.18138201518799857673@ietfa.amsl.com>
Date: Sun, 07 Oct 2018 17:30:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/F3rWucKpEBNOYn2PKRXQqSEY-SE>
Subject: [core] Secdir last call review of draft-ietf-core-too-many-reqs-04
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Oct 2018 00:30:44 -0000

Reviewer: Daniel Migault
Review result: Has Nits

Hi,

Reviewer: Daniel Migault
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. 
Document editors and WG chairs should treat these comments just like any other
last call comments.

The document is clear and almost ready.  Most of my comments concerns the
"Security Considerations".

Yours,
Daniel

4.  CoAP Client Behavior

   A client MUST NOT rely on a server being able to send the 4.29
   Response Code in an overload situation because an overloaded server
   may not be able to reply to all requests at all.

<mglt>

I believe the sentence may be rephrased. This is just a proposal.
OLD
   may not be able to reply to all requests at all.
NEW
   may not be able to reply (at all) to some requests. .

</mglt>

5.  Security Considerations

   Replying to CoAP requests with a Response Code consumes resources
   from a server.  For a server under attack it may be more appropriate
   to simply drop requests without responding.

<mglt>
The gain from the response with Too Many Requests Response Code is almost the
current response and all *similar* requests from that client during Max Age. I
suspect that is likely a gain except when there is no responses from the server
and client is not expect to send a request before Max Age. Simply dropping the
requests may add the retry traffic, though it depends on the application. That
said your text is correct. I am wondering if it would be good to illustrate
your purpose. </mglt>

   If a CoAP reply with the Too Many Requests Response Code is not
   authenticated and integrity protected, an attacker can attempt to

Keranen                 Expires January 25, 2019                [Page 3]

Internet-Draft  Too Many Requests Response Code for CoAP       July 2018

   spoof a reply and make the client wait for an extended period of time
   before trying again.

<mglt>
A similar attack may also consists in an attacker triggering multiple request
or transactions with a spoofed IP so the server generates the reply to the
legitimate IP. This could be used if an attacker cannot directly send the
spoofed response to the legitimate client.

The response code provides an information about the state (overloaded) of the
server which can be used to infer additional information. This could
potentially be used by an active attacker among other to confirm an attack is
efficient, that a server is receiving multiple packet at a given time which may
be used to identify some traffic patterns, identifying a bug a version...  For
a passive attacker, the response code may among other indicate an appropriated
time to trigger a larger attack....

Because the code enable an attacker to gain some kind of control of the client,
and reveals some information about the status of the server. I would suggest to
mention that Too Many Response Code should not be considered outside
unprotected channel. That is a server SHOULD NOT reply with a Too Many Requests
Response Code unless the communication is encrypted. A client SHOULD ignore Too
Many Response Code unless the communication is encrypted.

The response seems to me small enough so reflection attacks may be out of scope.
</mglt>