IETF Logo Mail Archive

Re: [core] AD review of draft-ietf-core-echo-request-tag-10

Göran Selander <goran.selander@ericsson.com> Wed, 02 September 2020 17:47 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB85C3A0C1E; Wed, 2 Sep 2020 10:47:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WCpHhyj5lgFi; Wed, 2 Sep 2020 10:47:09 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130047.outbound.protection.outlook.com [40.107.13.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 210B83A0B45; Wed, 2 Sep 2020 10:47:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TDB+2/+75TaDSRS2qImP31HdqA/41oOuoHKmROGd19igVnYWlFVu8ppRnX04nvru9m8fimHvMdcrnY5Gj2zd9G5QLisDa3Ey/2V51x2cskHndlNvfEHzEejLfuY4oz0CSdr/MaU4Gd+aw9JuQbvWVM6058GHgAnTnG+zeA28Mwgsy5tMOFIY5ZJx31c1xhE1YJy408LaV/pFsRh+valbWivv8Z6OBppLW+RCe++QrvjwvRGgIIBgj+kY7ZBmMzpnfogGYjIvqVvNaVuUJF42YIsKxKLRP5/TzeCXZpjWl676Vb/d7BGG7d72OXe/H64Tw0slPj53jAtgwWN4Bn6Xvg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mrIMkO5liiKDU59EV3wJBPqb/6eEc7MVp66arTh8Xv4=; b=f3oJvjdWC013xwXH0pkz0Nli7fOg0rK87hIWCu3Wtt3YL4YN6SRO2rbH2jhdFpB79CihXYYYdYp1bwdEI0DXjhwhg1v3vPDhXh2jV3n/5goSdjEmmtlLbznMC1T3q019/5EQCBQHW4XeM1WXOx3eiHtpjy6lLZYVxg4BSBYPpv1cIdnGa6lCzlQupMqRLcFoRHvL+M6E05knc93IxgoEaHMR/06Rrpsy0VXcBip55F4Nctm5YXV2NCHaa+ISV2bse7UN4u5qomhnTmZdgmP3PJQHxyexM2buHz11uLM0pPf/bVKGXH4SQSRQ6tJO68P4esNlK9OjolKct2H0Aky21w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mrIMkO5liiKDU59EV3wJBPqb/6eEc7MVp66arTh8Xv4=; b=TpOzpR+PCy0aEXmNwvQOxq+3nJ9QXiWeahIeawlCHoR7KA3VYeKY049yoJy8xO/PtKUeO7tT0iuFaVUXfEMlDVwFArHPoUvskrBNP6Acsp6CDBAqZND17vBsWAUJe5ssnvizDHSnZ56q/olkg7iVRQDzX2wqCHvZw+wtGRIcu1k=
Received: from HE1PR0702MB3674.eurprd07.prod.outlook.com (2603:10a6:7:82::14) by HE1PR0702MB3609.eurprd07.prod.outlook.com (2603:10a6:7:83::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3348.5; Wed, 2 Sep 2020 17:47:05 +0000
Received: from HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::3168:e1aa:8f49:6de3]) by HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::3168:e1aa:8f49:6de3%7]) with mapi id 15.20.3348.015; Wed, 2 Sep 2020 17:47:05 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Roman Danyliw <rdd@cert.org>, Barry Leiba <barryleiba@computer.org>
CC: "draft-ietf-core-echo-request-tag.all@ietf.org" <draft-ietf-core-echo-request-tag.all@ietf.org>, "core@ietf.org" <core@ietf.org>
Thread-Topic: [core] AD review of draft-ietf-core-echo-request-tag-10
Thread-Index: AQHWag2783ig3eTTLEWqbjvVPkqoAKlTipYAgACelYCAACq/gIAABEgAgAFE7gD//9+2AIAAC3+AgABnOoA=
Date: Wed, 02 Sep 2020 17:47:05 +0000
Message-ID: <C1B461BA-A423-485A-AC21-7520234E227C@ericsson.com>
References: <CALaySJJt_U+qF_xwOtJC2BD=oet-stNxoJkMYJfH=Z8BmcLc3g@mail.gmail.com> <1E09C83D-0AC1-42CA-9E2D-E5903FF775D6@ericsson.com> <9854F0F8-A512-44DB-910C-3864106C9708@tzi.org> <3216C47B-D9A9-4EAD-B68F-D2FAB7E0376B@ericsson.com> <CALaySJLU3-39SPDu9F-y3BUCJXYfKJQUeWhcDoFZF0RxcPh9ig@mail.gmail.com> <CF9FD971-16E5-42DD-B443-1D1A4B6A04EE@ericsson.com> <CALaySJ+U3sFzdhp1DUZQ1ynGu6quVqKptQcAckYB=ZJ1GopZ0g@mail.gmail.com> <0c496ec8d63a439684ccdb3489fd541f@cert.org>
In-Reply-To: <0c496ec8d63a439684ccdb3489fd541f@cert.org>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [83.251.145.232]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 893ed501-bd5a-4aa3-6cc9-08d84f6834f1
x-ms-traffictypediagnostic: HE1PR0702MB3609:
x-microsoft-antispam-prvs: <HE1PR0702MB3609EABB64012126AF9970CDF42F0@HE1PR0702MB3609.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: buJYwAXqDYVy7Q+0CBjUc6odtF/oC7mnmqyEZ38xtMYZIod5dQ7G+f55quLqF5tTBKAsBc7ZZKCBBFbIRSnpK0Zfj3B75bTo+zPtkT26cgbS806zS0JeTWU4OvqYKAeos1JYMoeU1HxV01Fg8TSk6Yek7t4xn7QJ/NSpelRCCEc5xY1cJIKGTTJ4v1puR92KKflUe/yKvZpoYdPOrEPsWzcWJ/3WjDxriHVMd2Hpv3XW81yW39ECEnigfJ8AzGfE1iCIObjAzvwPX0/oako8IKNvE+gtLLqLCgrKTmoQWqluWxGdIDxErKIyleQIiPkZutJOrtbYskZUIqyzKtOqgiZ1AiXRqZbetEosK8gTRSkMpOxV+MEgF8md6S3d+3dTCybaT2J1lEHGtpQ7KSHbQw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3674.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(136003)(346002)(396003)(39860400002)(376002)(53546011)(2906002)(6506007)(4326008)(186003)(8936002)(36756003)(5660300002)(16799955002)(26005)(6512007)(85182001)(71200400001)(8676002)(2616005)(66556008)(6486002)(66446008)(83380400001)(478600001)(66574015)(86362001)(64756008)(33656002)(66476007)(966005)(76116006)(66946007)(54906003)(316002)(85202003)(110136005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: givtomXsBdoUetTSyNYDOjWZh4rmaI7DgiMYd4ygLx/B8D83kiBjYfIlC7SFECHyT4yWlt3xaNes8KcqVXe0M6pZWh+NePbF5oBl6qQDhO0pV0WwUhHYivVLgoOymEYuMAy26+bSaFg3ZBGzM2/M12NVGgTsUtZWfCCD+s1tJ+eC7K8UeTa3Ohzr+NFfFayP6wnC2ufYRRvHi1N5A6+p6ULrFU0zG1Ex2fm06poy391tEW1sk/Z8LCpfT+cbTazQY/qrYqTuRKxVT4IY0T2wK8JuvOLKaXZbkuZwAcs5uwqY5mh/5Rhp9xqo06OVHY+CukapqJqFepPf0Cu1D4+SrboTIxJjQytjzxXtW/ZvYQo771RIjiNR4gUpira10OBPfp0IGjm5gG+bx/V7Pfg6pZY8Q3z1oAUMwFa8d7tW0R9qcOt48zgh7RoFjSbRX97w88ThknszakPtM42mYE8e/I1RwKa/0CV+16SCLBXAErmLFPzGHJ+zSjR+XJNMO8IWtW5F7kcB6vp+hjc07kZNQKAFAafmPHmJlhpmMY2YBJco4+3KFk4Z4YRrrvNy086DbizWkEoLI0UhnV/l1rbrXX7Ve3iWlm0sVD6l0A4bUB4aO3btUlGTTGFsZqyrywVph1cJ7h+piRkYwwDZDwdZaA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <42B744623D92D84A95F1EEC6FF92B515@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3674.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 893ed501-bd5a-4aa3-6cc9-08d84f6834f1
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Sep 2020 17:47:05.5236 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TMR6fhB1BOID54qNVjX1rOwvEwsbpqdK8leZTEjJFRBryfjUdGR/dbc6fHiWhvqu+PdOgzt00lrA+mAI+kwVbOraFuo7w3URYumcajKw+mY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3609
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/c9cAvT0xdg0xd2JQ8Qyrip4A3lU>
Subject: Re: [core] AD review of draft-ietf-core-echo-request-tag-10
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2020 17:47:12 -0000

Hi Roman!

Thanks for your input on location and capability! 

For the arguments presented in this draft I believe that the location of the attacker is not really relevant. Even if some attacks require the attacker to be in a certain location, it is the fact that an attack is possible that is providing the motivation for a required security feature, not where the attacker is located. And since there is no commonly accepted definition precise enough about distinction of capabilities between the different qualified attacker roles,  it seems reasonable to leave out that qualification altogether. This is what we do in the latest version on github [1], where only the capabilities of the attacker are being described. Does this match your expectations? 

Thanks
Göran

[1] Editor's copy: https://core-wg.github.io/echo-request-tag/draft-ietf-core-echo-request-tag.html


On 2020-09-02, 15:37, "Roman Danyliw" <rdd@cert.org> wrote:

    Hi!

    The notion of defining, labelling and discussing the distinction between attackers who can read, inject, delete, and modify data vs. read and inject, but not necessarily delete on modify data, seems like helpful precision.  Thanks for doing it.  

    To make a few general comments ...

    For me, "on-path" speaks to where an attacker is located topologically, not what capabilities the attacker will _always_ have -- there can be mitigating factors based on the particular details of the protocol or operational configurations.  I'd also say the same for "MiTM" too.  Furthermore, I don’t think that in the abstract that we have a an commonly accepted definition precise enough with MiTM vs. on-path attacker to the degree  that we can make the distinction that the latter (again in the abstract) has less capabilities than the former (or vice versa).  

    In terms of prior definitions, consulting Section 3.5 of RFC3552:

    3.5. On-path versus off-path

       In order for a datagram to be transmitted from one host to another,
       it generally must traverse some set of intermediate links and
       gateways.  Such gateways are naturally able to read, modify, or
       remove any datagram transmitted along that path.  This makes it much
       easier to mount a wide variety of attacks if you are on-path.

    This suggests that an "on-path attacker" can indeed read, modify and remove datagrams.

    Back to this specific document, enumerating the specific collection of attacker capabilities _with_ a description of where this adversary would need to be topologically seems like the right editorial approach.  Again, thanks for trying to be so clear.

    Regards,
    Roman 

    > -----Original Message-----
    > From: core <core-bounces@ietf.org> On Behalf Of Barry Leiba
    > Sent: Wednesday, September 2, 2020 8:56 AM
    > To: Göran Selander <goran.selander@ericsson.com>
    > Cc: draft-ietf-core-echo-request-tag.all@ietf.org; core@ietf.org
    > Subject: Re: [core] AD review of draft-ietf-core-echo-request-tag-10
    > 
    > For what it's worth, I just reviewed a routing document that uses the phrase
    > "an attacker in the middle of the network", which is another option.
    > 
    > Barry
    > 
    > On Wed, Sep 2, 2020 at 8:52 AM Göran Selander
    > <goran.selander@ericsson.com> wrote:
    > >
    > > Hi,
    > >
    > > As I understand "replace" and Carsten's provided definitions, an on-path
    > attacker does not necessarily have that capability. But I agree with John's
    > proposal and updated the github version accordingly. In the same way I also
    > replaced the only use of "on-path attacker" in the draft with "attacker". The
    > commit is here:
    > >
    > > https://protect2.fireeye.com/v1/url?k=6db013eb-33008e73-6db05370-861fcb972bfc-c97d000a9303d52e&q=1&e=3671254a-f98c-4bd4-ae74-a74a56c41df5&u=https%3A%2F%2Fgithub.com%2Fcore-wg%2Fecho-request-tag%2Fcommit%2F29969c4
    > >
    > > Any other comments on the recent changes? We plan to submit a new
    > version on Friday.
    > >
    > > Göran
    > >
    > >
    > > On 2020-09-01, 21:29, "Barry Leiba" <barryleiba@computer.org> wrote:
    > >
    > >     John has a good point here, and I support his proposal.
    > >
    > >     That said, remember: I did say that it's not a big deal and I'm
    > >     leaving it to y'all's best judgment.  All I wanted was for you to
    > >     consider the issue... not to rehash "fun" discussions from elsewhere.
    > >     And whichever way you choose isn't going to block this document.
    > >
    > >     Barry
    > >
    > >     On Tue, Sep 1, 2020 at 3:13 PM John Mattsson
    > <john.mattsson@ericsson.com> wrote:
    > >     >
    > >     > In this sentence I think on-path attacker works quite well or even better.
    > It already follows from the sentence that the attacker is able to replace one
    > block with another. The attacker in this case does only needs to be able to
    > reorder packets flowing in one direction of the communication.
    > >     >
    > >     > We could also just use the word attacker, e.g.
    > >     >
    > >     > "it is still possible for an attacker able to reorder packets on the path
    > from client to server to maliciously replace a later operation's blocks with an
    > earlier operation's blocks."
    > >     >
    > >     > Cheers,
    > >     > John
    > >     >
    > >     > -----Original Message-----
    > >     > From: Carsten Bormann <cabo@tzi.org>
    > >     > Date: Tuesday, 1 September 2020 at 18:40
    > >     > To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
    > >     > Cc: Barry Leiba <barryleiba@computer.org>, "draft-ietf-core-echo-
    > request-tag.all@ietf.org" <draft-ietf-core-echo-request-tag.all@ietf.org>,
    > "core@ietf.org" <core@ietf.org>
    > >     > Subject: Re: [core] AD review of draft-ietf-core-echo-request-tag-10
    > >     > Resent from: <alias-bounces@ietf.org>
    > >     > Resent to: <christian@amsuess.com>, John Mattsson
    > <john.mattsson@ericsson.com>, <goran.selander@ericsson.com>,
    > <jaime@iki.fi>, <marco.tiloca@ri.se>, <barryleiba@gmail.com>,
    > <superuser@gmail.com>, <barryleiba@computer.org>, Marco Tiloca
    > <marco.tiloca@ri.se>
    > >     > Resent date: Tuesday, 1 September 2020 at 18:40
    > >     >
    > >     >     On 2020-09-01, at 16:19, Göran Selander
    > <goran.selander=40ericsson.com@dmarc.ietf.org> wrote:
    > >     >     >
    > >     >     >
    > >     >     >    — Section 3.5.1 —
    > >     >     >
    > >     >     >       is still possible for a man-in-the-middle to maliciously replace a
    > >     >     >       later operation's blocks with an earlier operation's blocks
    > >     >     >
    > >     >     >    Not a requirement here, and I will accept your best judgment:  in
    > the
    > >     >     >    spirit of recent discussion on inclusive vs exclusionary language, I
    > ask
    > >     >     >    you to consider changing “a man-in-the-middle” to “an on-path
    > attacker”.
    > >     >     >
    > >     >     > [GS] I thought there was a slight difference between "on-path
    > attacker" and "man-in-the-middle”, in that the latter has access to the message
    > flow whereas the former need not have. For example, an on-path attacker may
    > only be able to inject messages. In this case ("replace") the latter would then be
    > more precise. If I'm right then I propose we use available distinctions pending a
    > new dictionary, otherwise I'm fine with changing.
    > >     >
    > >     >     Oh, so we are getting to have this fun discussion on *this* draft.
    > >     >
    > >     >     A MITM can read, inject, delete, and modify data.
    > >     >
    > >     >     An on-path attacker can read and inject, but not necessarily delete or
    > modify data.
    > >     >
    > >     >     I would not use the latter as a synonym for the former.
    > >     >
    > >     >     The other proposal in
    > https://protect2.fireeye.com/v1/url?k=8bc8ba21-d57827b9-8bc8faba-
    > 861fcb972bfc-afe20b2d89bbd667&q=1&e=406fbb72-b2f0-4844-bd11-
    > 3ff570edaf0f&u=https%3A%2F%2Fgithub.com%2Fietf%2Fterminology is even
    > more broken: An impersonation attacker doesn’t even have to be on-path.
    > >     >
    > >     >     (See also my comment on
    > https://protect2.fireeye.com/v1/url?k=a110182c-ffa085b4-a11058b7-
    > 861fcb972bfc-2890999e614b0870&q=1&e=406fbb72-b2f0-4844-bd11-
    > 3ff570edaf0f&u=https%3A%2F%2Fgithub.com%2Fietf%2Fterminology%2Fpull
    > %2F1, which fell by the wayside in the recent lull on this topic.)
    > >     >
    > >     >     In the mid-2000s, there was an attempt to replace MITM attack by
    > “middleperson attack”.  That utterly failed, a simple Google search says “man-
    > in-the-middle” (54100 hits on dl.acm.org) is overwhelmingly still the term of
    > art and not “middleperson” (31 hits on dl.acm.org).
    > >     >
    > >     >     Wikipedia at least knows about the other established word for MITM,
    > Janus attack
    > https://en.wikipedia.org/w/index.php?title=Janus_attack&redirect=no — not
    > very successful either (9 hits on dl.acm.org).
    > >     >
    > >     >     One word that already has the right semantics and does not require
    > the cultural background of “Janus attack” is “Interposer attack”.  0 hits on
    > dl.acm.org, but has all the right properties.  So in the above we would replace
    > MITM by “interposer”:
    > >     >
    > >     >     >       is still possible for an interposer to maliciously replace a
    > >     >     >       later operation's blocks with an earlier operation's blocks
    > >     >
    > >     >     WFM, even if this is blazing a new trail.
    > >     >
    > >     >     Grüße, Carsten
    > >     >
    > >     >
    > >     >
    > >     >
    > >
    > 
    > _______________________________________________
    > core mailing list
    > core@ietf.org
    > https://www.ietf.org/mailman/listinfo/core

v2.23.0 | Report a Bug | By Email