IETF Logo Mail Archive

Re: [core] WGLC draft-ietf-core-echo-request-tag-05

Jim Schaad <ietf@augustcellars.com> Sun, 22 September 2019 03:44 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FDE0120125; Sat, 21 Sep 2019 20:44:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J4GN-FBCFK7K; Sat, 21 Sep 2019 20:44:25 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1468120059; Sat, 21 Sep 2019 20:44:24 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sat, 21 Sep 2019 16:07:00 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'John Mattsson' <john.mattsson@ericsson.com>, draft-ietf-core-echo-request-tag@ietf.org
CC: 'core' <core@ietf.org>
References: <003901d5376d$27710960$76531c20$@augustcellars.com> <624A1C17-F891-4E19-B529-791A503A4500@ericsson.com>
In-Reply-To: <624A1C17-F891-4E19-B529-791A503A4500@ericsson.com>
Date: Sat, 21 Sep 2019 16:06:58 -0700
Message-ID: <000201d570d1$470c1e70$d5245b50$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJXc2ZUSiAjtBd1lVH15O+XNkYS4AEimaU+pig2wEA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/RhoZxEgK46pBHcolSRI2YXv53HE>
Subject: Re: [core] WGLC draft-ietf-core-echo-request-tag-05
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Sep 2019 03:44:28 -0000

I believe that this update (and the prior one) address all of the issues that I had identified.  I still have not managed to identify the vague feeling item so it should be ignored.

I am wondering if someplace there needs to be a statement that all of the request tags much match in order for a match to occur?  This may be default behavior, it is for uri-path, but I don't know if it is always true, for example accept requires only a single match.  May also want a note on duplicates in section 3.4.3 or 3.5

Jim


-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com> 
Sent: Thursday, September 19, 2019 6:20 AM
To: Jim Schaad <ietf@augustcellars.com>; draft-ietf-core-echo-request-tag@ietf.org
Cc: 'core' <core@ietf.org>
Subject: Re: WGLC draft-ietf-core-echo-request-tag-05

Thanks Jim!

>11. Section 6 - I am having problems with the idea of a forgery of an 
>Echo option, if the option is visible to an attacker why would they 
>need to forge it?
>
>12. Appendix A - I think we have a different definition of forgery for 
>list item 1.  I would have labeled this as guessing not forgery.  That 
>is probably my security background talking.

I changes "frogery" to "guessing" everwhere. 

>13. Appendix A - point 2 - The security is even higher if encryption 
>rather than integrity is used here.

I added a sentence that "The use of encrypted timestamps in the Echo option increases security, ...."

We thought about this before and at some point we did have an solution example with encryption. But as most uses of Echo will be encrypted anyway DTLS/TLS/OSCORE and encryption requires an nonce, and as a nonce increases overhead we did not feel that the message overhead/complexity/security trade-off was good enough to have as an example and chose to have Integrity Protected Timestamp as an example instead.

Cheers,
John

-----Original Message-----
From: Jim Schaad <ietf@augustcellars.com>
Date: Thursday, 11 July 2019 at 00:17
To: "draft-ietf-core-echo-request-tag@ietf.org" <draft-ietf-core-echo-request-tag@ietf.org>
Cc: 'core' <core@ietf.org>
Subject: WGLC draft-ietf-core-echo-request-tag-05
Resent from: <alias-bounces@ietf.org>
Resent to: <christian@amsuess.com>, John Mattsson <john.mattsson@ericsson.com>, <goran.selander@ericsson.com> Resent date: Thursday, 11 July 2019 at 00:16

    Here are some comments:
    
    1.  The Abstract needs to say that it updates RFC 7252 - and it would be
    nice if it summarized what it updated.
    
    2.  You can clean up the text dealing with core-object-security
    
    3.  In section 2.1 - It is not clear to me why one would use an outer option
    for the echo option.   The inner one would be end-to-end and thus does the
    freshness thing.  What does the outer one do?
    
    4.  In section 2.1 (or section 2.2) - There needs to be some text about
    where the echo options should be reflected in the event that either both
    inner and outer options are returned or just an outer is returned.  Can you
    use an inner w/o security for a new request?  I.e. is the inner echo value
    considered to be a security value?
    
    5.  Not sure if it is permissible for a proxy to modify the request in
    response to a 4.01 with an echo option or not.  Clarification might be
    useful on this topic.  I think I understand the paragraphs about proxies as
    servers.
    
    6.  In section 2.3 - item 1 star 2 - I would think that a server could
    proactively return an echo option even if the request did not come with one.
    Thus  GET - Content w/ echo - PUT w/ echo
    
    7.  In section 2.3 - item 2 - star 2 - s/expect/except/
    
    8.  In section 3 it says that the requests must be integrity protected, but
    in section 3.1 it says that this may be an outer option and is of class E
    not class I.  (And I recognize that it cannot be class I.)  I think that
    section 3 is probably the incorrect one.
    
    9.  I think that section 3.4.1 is missing something, but I have not figure
    out what it is yet.  I'll continue to mull this one over.
    
    10.  Section 3.4.2 - I think that it would be reasonable to highlight that
    two OSCORE blockwise operations meet these conditions as the path is hidden
    by security.
    
    11. Section 6 - I am having problems with the idea of a forgery of an Echo
    option, if the option is visible to an attacker why would they need to forge
    it?
    
    12. Appendix A - I think we have a different definition of forgery for list
    item 1.  I would have labeled this as guessing not forgery.  That is
    probably my security background talking.
    
    13. Appendix A - point 2 - The security is even higher if encryption rather
    than integrity is used here.
    
    jim

v2.23.0 | Report a Bug | By Email