Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Sat, 09 May 2020 02:01 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D30F3A07A5; Fri, 8 May 2020 19:01:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phMlqob6Rhte; Fri, 8 May 2020 19:01:36 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA7FF3A07A6; Fri, 8 May 2020 19:01:35 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 04921Tuj021065 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 8 May 2020 22:01:32 -0400
Date: Fri, 08 May 2020 19:01:28 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Klaus Hartke <hartke@projectcool.de>
Cc: The IESG <iesg@ietf.org>, core-chairs@ietf.org, draft-ietf-core-stateless@ietf.org, "core@ietf.org WG" <core@ietf.org>
Message-ID: <20200509020128.GD27494@kduck.mit.edu>
References: <158741679923.20291.1071401061463555301@ietfa.amsl.com> <CAAzbHvaTq39XG6aY0hsGociCTYYT7VwjPtrKw8KN1sOA30rYDw@mail.gmail.com> <20200503224625.GF27494@kduck.mit.edu> <CAAzbHvbY4ioLC2W4adnJc4LTVY_BhbfWJnEKLwtdTyzu_ca5bg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAAzbHvbY4ioLC2W4adnJc4LTVY_BhbfWJnEKLwtdTyzu_ca5bg@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/ogy5rsWGP9nIbBO-glXvHp1AUnM>
Subject: Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 May 2020 02:01:44 -0000
On Mon, May 04, 2020 at 07:40:39PM +0200, Klaus Hartke wrote: > Benjamin Kaduk wrote: > > Klaus Hartke wrote: > > > Benjamin Kaduk wrote: > > > > Section 3.1 > > > > > > > > o A client SHOULD integrity protect the state information serialized > > > > in a token, unless processing a response does not modify state or > > > > cause any other significant side effects. > > > > > > > > If the intent is that the "does not modify state" clause is the only case > > > > when one would disregard the need for integrity protection, "MUST [...] > > > > unless" seems more appropriate. (I would prefer unconditional MUST and am > > > > not sure I understand the cases where there is a need to skip integrity > > > > protection.) > > > > > > The intent here is that a client must do integrity protection, but > > > there may exist valid reasons in particular circumstances to ignore > > > this requirement. In this case, the full implications must be > > > understood and carefully weighed. > > > > > > All of the circumstances that come to my mind here are those where a > > > modified token doesn't actually hurt. For example, if a client sends a > > > request to some server at regular intervals, it might only be > > > interested in whether the response has an error or success code and > > > not even deserialise the token. > > > > > > What's the best way to capture this? > > > > Before I get into suggested text, I want to check that I understand the > > situation properly -- in such a case where the client is not even > > deserializing the token, why would the client not be able to use a regular > > token and not look at that token's value? It doesn't seem like the client > > is gaining anything from having the serialized state available. > > > > Your description makes it sound like we may have to just do "SHOULD > > integrity protect" without the "unless [...]" clause. > > Hmm... the top-level section is about clients that avoid keeping > per-request state, which a client can be regardless of whether it uses > <=8 byte tokens or >8 byte tokens; but this sub-section talks about > serialized state, from which indeed the client doesn't get anything if > it's never deserialized... > > Maybe the best way forward is indeed to use SHOULD with the "unless > [...]" part... If we change to MUST, then I can already anticipate > people complaining that in their particular use case any integrity > protection is just wasting precious bytes. The SHOULD would take care > of that. And maybe we don't have to go into detail under which > circumstances it might be justified to ignore this SHOULD. > > OLD: > > o A client SHOULD integrity protect the state information serialized > in a token, unless processing a response does not modify state or > cause any other significant side effects. > > NEW: > > o A client SHOULD integrity protect the state information serialized > in a token. > > > > > o Even when the serialized state is integrity protected, an attacker > > > > may still replay a response, making the client believe it sent the > > > > same request twice. For this reason, the client SHOULD implement > > > > > > > > (Basically the same comments about "SHOULD".) > > > > > > See above. > > > > > > This section is about protecting the serialized state, but of course > > > the requests and responses need to be protected as a whole as well > > > (e.g., using DTLS or OSCORE). In some circumstances, receiving a > > > replayed token might not hurt if the client can verify that the > > > response is coming from the right server. > > > > Presumably the same cases where a replayed response from the right server > > would be tolerable? Such cases are ... rare, in my opinion. > > OLD: > > o Even when the serialized state is integrity protected, an attacker > may still replay a response, making the client believe it sent the > same request twice. For this reason, the client SHOULD implement > replay protection (e.g., by using sequence numbers and a replay > window), unless processing a response does not modify state or > cause other any significant side effects. For replay protection, > integrity protection is REQUIRED. > > NEW: > > o Even when the serialized state is integrity protected, an attacker > may still replay a response, making the client believe it sent the > same request twice. For this reason, the client SHOULD implement > replay protection (e.g., by using sequence numbers and a replay > window). > > Does it look OK without the "unless [...]" parts? I think so (for both cases), though some note about it being impossible to implement replay protection without integrity protection (while still avoiding per-request state) would probably still be in order. Thanks, Ben
- [core] Benjamin Kaduk's Discuss on draft-ietf-cor… Benjamin Kaduk via Datatracker
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Klaus Hartke
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Klaus Hartke
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Klaus Hartke
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Klaus Hartke
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Michael Richardson
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Michael Richardson