IETF Logo Mail Archive

Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Sat, 09 May 2020 02:01 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D30F3A07A5; Fri, 8 May 2020 19:01:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phMlqob6Rhte; Fri, 8 May 2020 19:01:36 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA7FF3A07A6; Fri, 8 May 2020 19:01:35 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 04921Tuj021065 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 8 May 2020 22:01:32 -0400
Date: Fri, 08 May 2020 19:01:28 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Klaus Hartke <hartke@projectcool.de>
Cc: The IESG <iesg@ietf.org>, core-chairs@ietf.org, draft-ietf-core-stateless@ietf.org, "core@ietf.org WG" <core@ietf.org>
Message-ID: <20200509020128.GD27494@kduck.mit.edu>
References: <158741679923.20291.1071401061463555301@ietfa.amsl.com> <CAAzbHvaTq39XG6aY0hsGociCTYYT7VwjPtrKw8KN1sOA30rYDw@mail.gmail.com> <20200503224625.GF27494@kduck.mit.edu> <CAAzbHvbY4ioLC2W4adnJc4LTVY_BhbfWJnEKLwtdTyzu_ca5bg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAAzbHvbY4ioLC2W4adnJc4LTVY_BhbfWJnEKLwtdTyzu_ca5bg@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/ogy5rsWGP9nIbBO-glXvHp1AUnM>
Subject: Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 May 2020 02:01:44 -0000

On Mon, May 04, 2020 at 07:40:39PM +0200, Klaus Hartke wrote:
> Benjamin Kaduk wrote:
> > Klaus Hartke wrote:
> > > Benjamin Kaduk wrote:
> > > > Section 3.1
> > > >
> > > >    o  A client SHOULD integrity protect the state information serialized
> > > >       in a token, unless processing a response does not modify state or
> > > >       cause any other significant side effects.
> > > >
> > > > If the intent is that the "does not modify state" clause is the only case
> > > > when one would disregard the need for integrity protection, "MUST [...]
> > > > unless" seems more appropriate.  (I would prefer unconditional MUST and am
> > > > not sure I understand the cases where there is a need to skip integrity
> > > > protection.)
> > >
> > > The intent here is that a client must do integrity protection, but
> > > there may exist valid reasons in particular circumstances to ignore
> > > this requirement. In this case, the full implications must be
> > > understood and carefully weighed.
> > >
> > > All of the circumstances that come to my mind here are those where a
> > > modified token doesn't actually hurt. For example, if a client sends a
> > > request to some server at regular intervals, it might only be
> > > interested in whether the response has an error or success code and
> > > not even deserialise the token.
> > >
> > > What's the best way to capture this?
> >
> > Before I get into suggested text, I want to check that I understand the
> > situation properly -- in such a case where the client is not even
> > deserializing the token, why would the client not be able to use a regular
> > token and not look at that token's value?  It doesn't seem like the client
> > is gaining anything from having the serialized state available.
> >
> > Your description makes it sound like we may have to just do "SHOULD
> > integrity protect" without the "unless [...]" clause.
> 
> Hmm... the top-level section is about clients that avoid keeping
> per-request state, which a client can be regardless of whether it uses
> <=8 byte tokens or >8 byte tokens; but this sub-section talks about
> serialized state, from which indeed the client doesn't get anything if
> it's never deserialized...
> 
> Maybe the best way forward is indeed to use SHOULD with the "unless
> [...]" part... If we change to MUST, then I can already anticipate
> people complaining that in their particular use case any integrity
> protection is just wasting precious bytes. The SHOULD would take care
> of that. And maybe we don't have to go into detail under which
> circumstances it might be justified to ignore this SHOULD.
> 
> OLD:
> 
>    o  A client SHOULD integrity protect the state information serialized
>       in a token, unless processing a response does not modify state or
>       cause any other significant side effects.
> 
> NEW:
> 
>    o  A client SHOULD integrity protect the state information serialized
>       in a token.
> 
> > > >    o  Even when the serialized state is integrity protected, an attacker
> > > >       may still replay a response, making the client believe it sent the
> > > >       same request twice.  For this reason, the client SHOULD implement
> > > >
> > > > (Basically the same comments about "SHOULD".)
> > >
> > > See above.
> > >
> > > This section is about protecting the serialized state, but of course
> > > the requests and responses need to be protected as a whole as well
> > > (e.g., using DTLS or OSCORE). In some circumstances, receiving a
> > > replayed token might not hurt if the client can verify that the
> > > response is coming from the right server.
> >
> > Presumably the same cases where a replayed response from the right server
> > would be tolerable?  Such cases are ... rare, in my opinion.
> 
> OLD:
> 
>    o  Even when the serialized state is integrity protected, an attacker
>       may still replay a response, making the client believe it sent the
>       same request twice.  For this reason, the client SHOULD implement
>       replay protection (e.g., by using sequence numbers and a replay
>       window), unless processing a response does not modify state or
>       cause other any significant side effects.  For replay protection,
>       integrity protection is REQUIRED.
> 
> NEW:
> 
>    o  Even when the serialized state is integrity protected, an attacker
>       may still replay a response, making the client believe it sent the
>       same request twice.  For this reason, the client SHOULD implement
>       replay protection (e.g., by using sequence numbers and a replay
>       window).
> 
> Does it look OK without the "unless [...]" parts?

I think so (for both cases), though some note about it being impossible to
implement replay protection without integrity protection (while still
avoiding per-request state) would probably still be in order.

Thanks,

Ben

v2.23.0 | Report a Bug | By Email