Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)
Ben Campbell <ben@nostrum.com> Thu, 24 May 2018 19:29 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A414112E8C7; Thu, 24 May 2018 12:29:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMxLRm4nwTVL; Thu, 24 May 2018 12:29:29 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4DA712EB0B; Thu, 24 May 2018 12:29:26 -0700 (PDT)
Received: from [10.0.1.91] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w4OJTNd0082711 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 24 May 2018 14:29:24 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.91]
From: Ben Campbell <ben@nostrum.com>
Message-Id: <A429C8DE-A476-4A56-8F17-2A6B8C3A57C1@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_8E437D6E-E5E3-4CCA-9BDB-50FC16CDC3AA"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Thu, 24 May 2018 14:29:22 -0500
In-Reply-To: <20180524192400.GL32807@kduck.kaduk.org>
Cc: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, yuvalif=40yahoo.com@dmarc.ietf.org, draft-ietf-dime-rfc4006bis@ietf.org, dime-chairs@ietf.org, dime@ietf.org, IESG <iesg@ietf.org>
To: Benjamin Kaduk <kaduk@mit.edu>
References: <152699690275.31181.16673564293046142291.idtracker@ietfa.amsl.com> <57F7AC78-C094-402D-8834-3AC049EED31E@nostrum.com> <380581659.4450262.1527064311638@mail.yahoo.com> <20180523135822.GA32807@kduck.kaduk.org> <1467920717.4840713.1527142671894@mail.yahoo.com> <CAKKJt-f+=M+VHReeE-0=787kkSNgGZp6nzX6i9+dbOEoF-yBCA@mail.gmail.com> <20180524131619.GH32807@kduck.kaduk.org> <D1953E63-04AF-48C0-854A-914F8E77E20E@nostrum.com> <20180524192400.GL32807@kduck.kaduk.org>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dime/BZmEaW37RI7QQj9DRN9GOd09J5A>
Subject: Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 19:29:31 -0000
> On May 24, 2018, at 2:24 PM, Benjamin Kaduk <kaduk@mit.edu> wrote: > > On Thu, May 24, 2018 at 02:17:31PM -0500, Ben Campbell wrote: >> >> >>> On May 24, 2018, at 8:16 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote: >>> >>> ... it's unclear to me that this document is the right place for >>> such guidance. That is, instead of a concrete recommendation, I had >>> in mind just giving some extra facts that would allow the reader to >>> consider the security implications of their deployment (this is the >>> Security Considerations, after all), as in something like: >>> >>> This document includes a redirection facility whereby the service >>> provider can redirect (in an application-specific way) the end user >>> to an alternate location when their credits have expired. This is >>> useful in that it allows for the user to return to normal service >>> quickly, but also exposes additional risks and attack surface. In >>> particular, this redirection can potentially occur at an >>> arbitrary point in a user's session, potentially without any >>> additional contextual confirmation available to the user that the >>> redirection is driven by the network. Such a confirmation is >>> important because, in many application protocols, the communication >>> peer is also capable of inducing redirection, and when the peer is >>> an attacker, the redirection can be to an attacker-controlled site. >>> In particular, such sites may be "phishing" sites designed to appear >>> similar to legitimate payment sites in an attempt to obtain users' >>> payment information for fraudulent uses. Because of the potentially >>> harmful consequences of arbitrary redirection by an attacker (such >>> as to phishing sites), it can be important for users and service >>> providers to be aware of the risk and take measures to ensure that >>> sensitive information (such as payment information) is only used for >>> legitmiate purposes. If an out-of-band signalling channel is >>> available to provide contextual information that a redirection is >>> triggered by the network as opposed to a communications peer, that >>> can provide a highly effective mechanism for remediating this class >>> of risk. >>> >>> (The above may well be too wordy and could benefit from editing, of >>> course.) >> >> Based on our discussion on the telechat, how about something like the following? >> >> "This document includes a redirection facility whereby the service >> provider can redirect (in an application-specific way) the end user >> to an alternate location when their credits have expired. This is >> useful in that it allows for the user to return to normal service >> quickly, but also exposes additional risks and attack surface. In >> particular, this redirection can potentially occur at an >> arbitrary point in a user's session, potentially without any >> additional contextual confirmation available to the user that the >> redirection is driven by the network. This lack of confirmation matters >> because, in many application protocols, the communication >> peer is also capable of inducing redirection. When the peer is >> an attacker, the redirection can be to an attacker-controlled site. >> In particular, such sites may be "phishing" sites designed to appear >> similar to legitimate payment sites in an attempt to obtain users' >> payment information for fraudulent uses. When users become used >> to such redirection, they may have difficulty distinguishing such > > "such" might be ambiguous here; maybe "network-induced" or > "network-driven”? Good point. > >> attacks from legitimate redirections. >> >> Because of the potentially >> harmful consequences of arbitrary redirection by an attacker (such >> as to phishing sites), it can be important for users and service >> providers to be aware of the risk and take measures to ensure that >> sensitive information (such as payment information) is only used for >> legitmiate purposes. Operators should follow industry best practices > > I see my typo for "legitimate" is preserved :) > >> for the specific application layer protocol to reduce the chances that >> such attacks could be mistaken for legitimate redirection. The details >> of such practice are out of scope for this document." > > The above nitpicking aside, I think this text suffices to resolve my > DISCUSS point. > (And I guess we're going with removing "instead of" > to resolve the other one?) That is my understanding. But in both cases, I suggest holding your DISCUSS until the updates show up in a revised draft. Thanks! Ben.
- [Dime] Benjamin Kaduk's Discuss on draft-ietf-dim… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Ben Campbell
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Spencer Dawkins at IETF
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Ben Campbell
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Ben Campbell
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz