Re: [core] Secdir last call review of draft-ietf-core-too-many-reqs-04

Ari Keränen <ari.keranen@ericsson.com> Sun, 21 October 2018 18:09 UTC

Return-Path: <ari.keranen@ericsson.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D8D3130E86 for <core@ietfa.amsl.com>; Sun, 21 Oct 2018 11:09:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.384
X-Spam-Level:
X-Spam-Status: No, score=-3.384 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.064, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=epVBWeJH; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=ericsson.com header.b=N1sXBfMT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Li4c83by2253 for <core@ietfa.amsl.com>; Sun, 21 Oct 2018 11:09:52 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0337130DD1 for <core@ietf.org>; Sun, 21 Oct 2018 11:09:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1540145389; x=1542737389; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=u87jFWpTExA4fBAV3US2OSXi/sCOHKlBqOm2zPueij8=; b=epVBWeJH9Xg+fafbWFkc8McxNG7AXzIfbIkSwhWFJBTZ/eNvHz+11+xLgbLNS2Dc K7s9mzSGqDiZwwrnh9XBAy7/kW8w9xw8Rv0AVwp903ehfuyLryCMvJgeur8C4vsv TfH9Ac+aOQu+gUf6nNg8mkDPsOpfdjZe41B19uQNT9w=;
X-AuditID: c1b4fb25-55bff700000018b4-8a-5bccc0ed21ab
Received: from ESESSMB503.ericsson.se (Unknown_Domain [153.88.183.121]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id 0B.36.06324.DE0CCCB5; Sun, 21 Oct 2018 20:09:49 +0200 (CEST)
Received: from ESESSMR504.ericsson.se (153.88.183.126) by ESESSMB503.ericsson.se (153.88.183.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Sun, 21 Oct 2018 20:09:49 +0200
Received: from ESESBMB503.ericsson.se (153.88.183.170) by ESESSMR504.ericsson.se (153.88.183.126) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Sun, 21 Oct 2018 20:09:49 +0200
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB503.ericsson.se (153.88.183.170) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Sun, 21 Oct 2018 20:09:49 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QHUUuwm0jwRiK4D1ais0MIPhnxO+HQeuAl3uWBJGj1c=; b=N1sXBfMTr9iE09FNyslAyFTY1TRt2DNX9/hCIEug1TCL7/KqTCsNS8fulWAE5Nu16GsONt8C1dgqSR1JVUyCSVlSspfKfXO1WKLA2GHlqXMMOel5eCU8ujFp9xasXtxiZGDh96T/74wyPxgPkPA6miS+VZ2Rf/EKH5ME2qzZ86M=
Received: from HE1PR07MB4236.eurprd07.prod.outlook.com (20.176.166.145) by HE1PR07MB1371.eurprd07.prod.outlook.com (10.164.52.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1273.5; Sun, 21 Oct 2018 18:09:47 +0000
Received: from HE1PR07MB4236.eurprd07.prod.outlook.com ([fe80::b074:afe2:469c:dd95]) by HE1PR07MB4236.eurprd07.prod.outlook.com ([fe80::b074:afe2:469c:dd95%2]) with mapi id 15.20.1273.014; Sun, 21 Oct 2018 18:09:44 +0000
From: =?utf-8?B?QXJpIEtlcsOkbmVu?= <ari.keranen@ericsson.com>
To: Daniel Migault <daniel.migault@ericsson.com>, "core@ietf.org" <core@ietf.org>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-core-too-many-reqs.all@ietf.org" <draft-ietf-core-too-many-reqs.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, Jim Schaad <ietf@augustcellars.com>
Thread-Topic: [core] Secdir last call review of draft-ietf-core-too-many-reqs-04
Thread-Index: AQHUXp4uT9p3k/kKcEqRctTF+ziW0KUVkX4AgBSDwYA=
Date: Sun, 21 Oct 2018 18:09:44 +0000
Message-ID: <031D5D2F-69BA-4315-BC89-1F40363EF586@ericsson.com>
References: <153895864367.4396.18138201518799857673@ietfa.amsl.com> <061801d45f27$602ef380$208cda80$@augustcellars.com>
In-Reply-To: <061801d45f27$602ef380$208cda80$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ari.keranen@ericsson.com;
x-originating-ip: [2001:14bb:180:9de9:c917:11cd:c0cb:e1a5]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1PR07MB1371; 6:G/LjbqX8Forbhvj3913oSYjUCrD/3dwxuIb0hEmeq6+79deWQjhpysl7qBYs5xR/y6gxQIUQaXxcBf5N7B44vOY2YOJi+z9QFbMCh7hGSoYgXfbXmc5xuc6YvL5rIqTBDbO8gqgf6YyK+eRhJw+zF8kD+dNvH17lQhmCxaZmsUtg/csU/BtfKgAm1AtNN7bdsTsCjhDVU36gPJN2fxiei/KCAniJFofcoqNbO2wgPhAVPX5pQsG0+lXycNQaux5TNZjpHwC3CXZxznlSIOGnZNEzs5oHMzeUxPKjKkoQInn0WR3PI8HQ5ylvskfl+W7D4+ZzueRKS6nnEFiBdlZS8USS5e/WzoVtPF0iUG3GGaumxHM9GPyLziMLsuV3U93+Q4i1bL+MyWi2PuoNGeFypEtyc/y5M6tz/Npt9R/+fWlkmfxronq9RygEJm+0fEM5H7JTx6IpvXMTBTqMGbckvA==; 5:U9EiMYXsixThk/fpRo5ZoV7i21sPtsr87rYtd9Fa0FpVVkzW//mL30cUc6or8t3LcfzCIhnKO4//ojDobE0g4o7j+7B502cMKLVOYV7QmF8Nu8YmObTMH9yITk1GZVzTQNW2cw1e094yHthR3o2DH3/aWTbXyziOqDaLDgUUA+4=; 7:ULaOi9JOzIYfsSj/r8gmimEU415Mpl29rJPUUDEWyAfbXxX1RAx+nih6YcQ1CeFyhoZfJyB6eJfy7gva5eoK5TLkbBIG5aD8cP2qmsh18FMMh2aB2v5mqkavBiT0BoXMT89k5KqGIdWVHgN5a+UjQA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-forefront-antispam-report: SFV:SKI; SCL:-1; SFV:NSPM; SFS:(10009020)(366004)(376002)(39860400002)(136003)(396003)(346002)(13464003)(189003)(199004)(14444005)(33656002)(110136005)(54906003)(606006)(316002)(25786009)(76176011)(105586002)(6506007)(53546011)(561944003)(102836004)(106356001)(85202003)(256004)(4326008)(99286004)(478600001)(345774005)(2900100001)(14454004)(2906002)(68736007)(36756003)(236005)(97736004)(6116002)(6512007)(54896002)(6306002)(6246003)(53936002)(7736002)(229853002)(6486002)(8676002)(81156014)(2501003)(82746002)(81166006)(83716004)(5250100002)(6436002)(8936002)(966005)(71190400001)(71200400001)(486006)(5660300001)(99936001)(86362001)(46003)(186003)(476003)(85182001)(446003)(2616005)(11346002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB1371; H:HE1PR07MB4236.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-office365-filtering-correlation-id: 9e9740a4-13b8-49bb-3f82-08d637806132
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020); SRVR:HE1PR07MB1371;
x-ms-traffictypediagnostic: HE1PR07MB1371:
x-microsoft-antispam-prvs: <HE1PR07MB137119DC148DA2AF696167B385FB0@HE1PR07MB1371.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(166708455590820)(192374486261705)(158342451672863);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(102415395)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3231355)(944501410)(4983020)(52105095)(3002001)(93006095)(93001095)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(20161123564045)(20161123560045)(201708071742011)(7699051)(76991095); SRVR:HE1PR07MB1371; BCL:0; PCL:0; RULEID:; SRVR:HE1PR07MB1371;
x-forefront-prvs: 083289FD26
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 2xIoillKNk8AkZjyfV7CztyedgTqwMH93B5FakqJX+9FNC9Cwh3/djenqMd1srSHW9L31Nu2rSi1HT51wiRyyDLS5SfYlxd4yuaksFLYtckSk74ImX46udEr1aIfxC69ly+DEcQmTUyNIhq3mxpQhzTLAw+RfiCAn6DIuq6w++zVZs6vm0PAWUC3s7k41qfAIRFJ9xrttHBuh3L5sylcHldCz4NRtnFCmjyCfsB5gEl0XiDv4VHfGdvc/sjUZzACMCtTMrUXWYSPcaqC/mX2jYPaPpYB0zl52SvtStizKShuwbBOoUqUIiZcnkEeS//w8WwpZFVl1KGV/Gpv821E+PUDuoPT9gYeKP03f0tyNOo=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; boundary=Apple-Mail-A311F99D-D2B8-4576-8F7C-14596E8E1A78; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 9e9740a4-13b8-49bb-3f82-08d637806132
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Oct 2018 18:09:44.4434 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB1371
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA2WSeUhUURSHuW+bN4MTr3E7GWENFWnk2jKYmgZBRkEbEQrVqK9cx5hnoQVi pZgNiZlmTdYUWDptpllqlFurS6KZVpMIM25pPS1CbVokZ65G0H/fPef73Xvu5bKkIpNxY2M1 ybxWo05QMjLqwu6q1BVifWuEz2TZKlWtWEaqcg1XadXNwklGNVhuoFRfrpqpEHpjeVEhs7G4 2EpsJcJlgdF8QuxhXusdvE8Wk17wmDjYI6KUBxl1dDrSD6FTSMoCtxIyGtrIU0jGKrhnCIxD wwReTCAob68g/y5Od92yRxRcMQF1H8JsDYrLJaF68AqNrTwCen81zUQsCGqsQxJbhOGCoD+z lraxE7cDSnKeMzaJ5NoQiJcn7ZIjtw2ME+MIS9vheNuwBHMAfPt+m7AxxS2BkVGd3ZFz6yCv c4DEM6VCd+7naZ9lpVwIGAc22MqIc4HJ5lv2KMm5gqnfQOBbO4G5o4XB7AzDfVM09iNgpLlJ gusBUND7hsS8AF4bbMfKprmbgbYTs2FfeGGsI3HjLQPWvouUbQjgtsBIlz+udyB40to5s6sn jGecnAnHQ62um8hFvvp/BtTbH+Ysgh+XCpDeftG50HShn8LSXnj/yMxgdocqsYjE7AF1upIZ ZxHk68wSzMsge+IM/X99LViLLAjzKvj07Cv617mCHG4gZ4EXIhMP+Pl78drYKEFI0nhp+OQK NP0hGyp/LqlGnZ9DGxHHIqWDfP2d1ggFrT4spCY2osXT+1ju3mxHbpQmScMrneT6ly0RCnm0 OvUIr03aqz2UwAuNaD5LKV3l5jX3whXcAXUyH8/zB3ntbJdgpW7pKKvAMlQqet+trxSndu5/ Mnot2P169lGdzBCw0Gd0LKzUZcxPfBha2XO/4qlD6byfsh+Bjuca07oky1/Rxqqkj0vzg91M NXNcVo+m7V/qmnZk8LzUJbyq0KSLj/M6dsZC/pYGm9LirJeihBSPd2EfN0WailJydok7inOC skqi9mw+p6SEGLWvJ6kV1H8AgLcmJ5gDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/pQ9unXWGJk78RzOcY0Lo52uzvy4>
Subject: Re: [core] Secdir last call review of draft-ietf-core-too-many-reqs-04
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Oct 2018 18:09:55 -0000

Thank you for the review Daniel!

I have now addressed your comments in the latest draft version in Github:
https://github.com/core-wg/too-many-reqs/pull/4/files

* Clarified the text in sections 4 and 5 roughly as proposed
* Added a note in section 5 that dropping requests may result in retries 
* Added a note that responses without encryption can leak information (agree with Jim that it’s not a major risk so didn’t add normative language on this)

I’m planning to submit a new version tomorrow before the DL.


Cheers,
Ari

> On 8 Oct 2018, at 19.53, Jim Schaad <ietf@augustcellars.com>; wrote:
> 
> 
> 
>> -----Original Message-----
>> From: core <core-bounces@ietf.org>; On Behalf Of Daniel Migault
>> Sent: Sunday, October 7, 2018 5:31 PM
>> To: secdir@ietf.org
>> Cc: draft-ietf-core-too-many-reqs.all@ietf.org; ietf@ietf.org;
> core@ietf.org
>> Subject: [core] Secdir last call review of
> draft-ietf-core-too-many-reqs-04
>> 
>> Reviewer: Daniel Migault
>> Review result: Has Nits
>> 
>> Hi,
>> 
>> Reviewer: Daniel Migault
>> Review result: Has Nits
>> 
>> I have reviewed this document as part of the security directorate's
> ongoing
>> effort to review all IETF documents being processed by the IESG. These
>> comments were written primarily for the benefit of the security area
> directors.
>> Document editors and WG chairs should treat these comments just like any
>> other last call comments.
>> 
>> The document is clear and almost ready.  Most of my comments concerns the
>> "Security Considerations".
>> 
>> Yours,
>> Daniel
>> 
>> 4.  CoAP Client Behavior
>> 
>>   A client MUST NOT rely on a server being able to send the 4.29
>>   Response Code in an overload situation because an overloaded server
>>   may not be able to reply to all requests at all.
>> 
>> <mglt>
>> 
>> I believe the sentence may be rephrased. This is just a proposal.
>> OLD
>>   may not be able to reply to all requests at all.
>> NEW
>>   may not be able to reply (at all) to some requests. .
>> 
>> </mglt>
>> 
>> 5.  Security Considerations
>> 
>>   Replying to CoAP requests with a Response Code consumes resources
>>   from a server.  For a server under attack it may be more appropriate
>>   to simply drop requests without responding.
>> 
>> <mglt>
>> The gain from the response with Too Many Requests Response Code is almost
>> the current response and all *similar* requests from that client during
> Max
>> Age. I suspect that is likely a gain except when there is no responses
> from the
>> server and client is not expect to send a request before Max Age. Simply
>> dropping the requests may add the retry traffic, though it depends on the
>> application. That said your text is correct. I am wondering if it would be
> good to
>> illustrate your purpose. </mglt>
>> 
>>   If a CoAP reply with the Too Many Requests Response Code is not
>>   authenticated and integrity protected, an attacker can attempt to
>> 
>> Keranen                 Expires January 25, 2019                [Page 3]
>> 
>> Internet-Draft  Too Many Requests Response Code for CoAP       July 2018
>> 
>>   spoof a reply and make the client wait for an extended period of time
>>   before trying again.
>> 
>> <mglt>
>> A similar attack may also consists in an attacker triggering multiple
> request or
>> transactions with a spoofed IP so the server generates the reply to the
>> legitimate IP. This could be used if an attacker cannot directly send the
> spoofed
>> response to the legitimate client.
>> 
>> The response code provides an information about the state (overloaded) of
> the
>> server which can be used to infer additional information. This could
> potentially
>> be used by an active attacker among other to confirm an attack is
> efficient,
>> that a server is receiving multiple packet at a given time which may be
> used to
>> identify some traffic patterns, identifying a bug a version...  For a
> passive
>> attacker, the response code may among other indicate an appropriated time
> to
>> trigger a larger attack....
>> 
>> Because the code enable an attacker to gain some kind of control of the
> client,
>> and reveals some information about the status of the server. I would
> suggest to
>> mention that Too Many Response Code should not be considered outside
>> unprotected channel. That is a server SHOULD NOT reply with a Too Many
>> Requests Response Code unless the communication is encrypted. A client
>> SHOULD ignore Too Many Response Code unless the communication is
>> encrypted.
>> 
>> The response seems to me small enough so reflection attacks may be out of
>> scope.
> 
> I do not believe that this is aimed to be any type of DOS prevention tool.
> I would disagree that this is a huge attack window.  The client will filter
> the set of response that it is receiving to match only requests that it has
> made.  Thus a general flood attack would not be useful unless it was
> targeting the same messages ids (and tokens) as requests from the client
> under attack.  But then these would be seen by the server as duplicate
> messages and ignored w/o sending out a response.
> 
> I am not sure that I would consider the fact that the server is currently
> "loaded" for some measure is a huge leak of information.  I don't think I
> would care if that was leaked. 
> 
> Jim
> 
>> </mglt>
>> 
>> _______________________________________________
>> core mailing list
>> core@ietf.org
>> https://www.ietf.org/mailman/listinfo/core
>