[Curdle] Erratum ID #5502

Rebecca VanRheenen <rvanrheenen@amsl.com> Fri, 31 May 2024 22:24 UTC

From: Rebecca VanRheenen <rvanrheenen@amsl.com>
Date: Fri, 31 May 2024 15:24:06 -0700
To: Deb Cooley <debcooley1@gmail.com>, Paul Wouters <paul.wouters@aiven.io>
CC: RFC Editor <rfc-editor@rfc-editor.org>, mbaushke ietf <mbaushke.ietf@gmail.com>, logan@hackers.mu, curdle@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/zkqzCn3j52aghgCCqxvbGdcwgTk>

Hi Deb and Paul,

Mark Baushke, one of the authors of RFC 8270, sent an email today regarding Erratum ID #5502 (https://www.rfc-editor.org/errata/eid5502).

This erratum was originally marked as editorial, but I changed the Type to “Technical”. As Stream Approver, please review and set the Status and Type accordingly (see the definitions at https://www.rfc-editor.org/errata-definitions/). Note that I’m sending this to you both as ADs of the Security Area, as the curdle WG has concluded.

Mark recommends rejecting the erratum:

> https://www.rfc-editor.org/errata/eid5502 proposes to change section 5 to allow for operating systems with rate-limited logging in some cases. I have no strong objection to this suggestion. I suppose that the notes for this erratum could be added to section 5 as clarification of when an administrator may wish to use rate-limited logging, but that was not suggested by Eugene Adell (the author of this erratum). The important point is that the administrator understand the attack vector risk involved in this logging. However, it is not clear what course of action an administrator has when seeing such log messages, so the usefulness of this kind of logging seems marginal at best and the security considerations advice to just silently drop these connections without logging them still seems best.
...
> My current opinion is that … eid5502 … be marked as REJECTED.


I also searched for previous emails about this erratum and found the following:

Mark Baushke (2018-09-21):
> For myself, given that RFC 8270 is moving from 1024-bit DH groups as a
> minimum to 2048-bit DH groups as a minimum, I believe that ignoring any
> group which is not at least 2048-bits is likely to be the correct
> behavior regardless of any rate-limited logging behavior which might be
> available for some implementations of the SSH protocol.
> 
> If the proposed DH group does not meet the new minimum, then the
> connection should fail. I do not see an immediate need to add possible
> mitigations to the security considerations section.

Ben Kaduk (2018-09-23):
> Such mitigations would be outside the scope of an erratum anyway, as I see
> it.



You may review the report at: 
https://www.rfc-editor.org/errata/eid5502

Information on how to verify errata reports can be found at: 
https://www.rfc-editor.org/how-to-verify/

Further information on errata can be found at: 
https://www.rfc-editor.org/errata.php

Thank you,
RFC Editor/rv
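The server-side behaviour the thread is arguing about, as an added example that is not part of this message, of RFC 8270 or of the erratum: a check that applies the 2048-bit floor to a client's SSH_MSG_KEX_DH_GEX_REQUEST (RFC 4419 framing: message byte, then uint32 min, n, max), fails the connection when the client's range cannot reach the floor, and then hands the logging decision to a policy. Three policies are shown: the silent drop the security considerations advise, an unbounded logger (to show why logging is an attack vector: the peer controls log volume), and the rate-limited logger the erratum proposes. The policy classes, the peer address and the flood traffic are constructed for illustration.

```python
"""Added example, not text from RFC 8270 or the erratum: the 2048-bit floor applied to
SSH_MSG_KEX_DH_GEX_REQUEST, with silent-drop, unbounded and rate-limited handling of
sub-minimum requests side by side. Policy classes and traffic are constructed here."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SSH_MSG_KEX_DH_GEX_REQUEST = 34   # RFC 4419: byte type, uint32 min, uint32 n, uint32 max
MIN_MODULUS_BITS = 2048           # RFC 8270 minimum modulus size for group exchange


@dataclass(frozen=True)
class GexRequest:
    min_bits: int
    preferred_bits: int
    max_bits: int


def encode_gex_request(min_bits: int, preferred_bits: int, max_bits: int) -> bytes:
    """Build the 13-byte KEX_DH_GEX_REQUEST payload (used here to construct test traffic)."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, preferred_bits, max_bits)


def parse_gex_request(payload: bytes) -> GexRequest:
    """Parse the payload, rejecting wrong lengths, wrong types and an inconsistent range."""
    if len(payload) != 13:
        raise ValueError("KEX_DH_GEX_REQUEST must be exactly 13 bytes")
    msg_type, lo, n, hi = struct.unpack(">BIII", payload)
    if msg_type != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError(f"unexpected message type {msg_type}")
    if not lo <= n <= hi:
        raise ValueError("client violated min <= n <= max")
    return GexRequest(lo, n, hi)


def choose_group_size(req: GexRequest, floor_bits: int = MIN_MODULUS_BITS) -> Optional[int]:
    """Modulus size the server should offer, or None when the client's range cannot
    reach the floor, in which case the connection should fail."""
    lo = max(req.min_bits, floor_bits)
    if lo > req.max_bits:
        return None
    # Raise the client's preference to the floor, but never exceed its stated max.
    return min(max(req.preferred_bits, lo), req.max_bits)


class SilentDrop:
    """The Section 5 advice as the thread summarises it: drop the connection, log nothing."""
    def record(self, peer: str, now_ms: int) -> bool:
        return False


class AlwaysLog:
    """Unbounded logging: every bad request costs a log line, so the peer sets the volume.
    Included only to show the attack vector."""
    def __init__(self) -> None:
        self.lines: List[str] = []

    def record(self, peer: str, now_ms: int) -> bool:
        self.lines.append(f"{now_ms}ms kex: {peer} asked for DH group < {MIN_MODULUS_BITS} bits")
        return True


@dataclass
class RateLimitedLog:
    """Token bucket kept in integer millitokens: at most `burst` lines at once, refilled at
    `per_second` lines per second, so output stays bounded whatever the peer does."""
    burst: int = 5
    per_second: int = 1
    tokens: int = field(init=False)
    last_ms: int = field(init=False, default=0)
    lines: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.tokens = self.burst * 1000

    def record(self, peer: str, now_ms: int) -> bool:
        self.tokens = min(self.burst * 1000, self.tokens + (now_ms - self.last_ms) * self.per_second)
        self.last_ms = now_ms
        if self.tokens < 1000:
            return False
        self.tokens -= 1000
        self.lines.append(f"{now_ms}ms kex: {peer} asked for DH group < {MIN_MODULUS_BITS} bits; dropped")
        return True


def handle_gex_request(payload: bytes, peer: str, now_ms: int, policy) -> Tuple[bool, Optional[int], bool]:
    """Returns (accepted, chosen_bits, logged). A sub-minimum request always fails the
    connection; only whether to write a log line is delegated to `policy`."""
    bits = choose_group_size(parse_gex_request(payload))
    if bits is None:
        return False, None, policy.record(peer, now_ms)
    return True, bits, False


def simulate_flood(policy, count: int, interval_ms: int = 10) -> int:
    """Constructed traffic: `count` requests for a 1024-bit group from one peer, `interval_ms`
    apart. Returns how many log lines the policy emitted."""
    bad = encode_gex_request(1024, 1024, 1024)
    logged = 0
    for i in range(count):
        accepted, _, wrote = handle_gex_request(bad, "192.0.2.10", i * interval_ms, policy)
        assert not accepted
        logged += int(wrote)
    return logged


if __name__ == "__main__":
    ok = encode_gex_request(1024, 1024, 8192)   # old preference, but the range reaches 2048
    print("client preferring 1024 with max 8192 gets", handle_gex_request(ok, "192.0.2.20", 0, SilentDrop()))
    for policy in (SilentDrop(), AlwaysLog(), RateLimitedLog(burst=5, per_second=1)):
        print(f"{type(policy).__name__:>14}: {simulate_flood(policy, 1000)} log lines for 1000 bad requests")
```

A client that merely prefers a small group but whose max reaches 2048 is still served (the server raises the size to the floor); only a client whose max is below the floor is dropped. Over the simulated ten seconds of one bad request every 10 ms, the silent policy writes nothing, the unbounded one writes a line per request, and the token bucket writes its initial burst plus one line per second, which is the bounded behaviour the erratum is asking the text to permit.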