IETF Logo Mail Archive

Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)

Ben Campbell <ben@nostrum.com> Thu, 24 May 2018 19:29 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A414112E8C7; Thu, 24 May 2018 12:29:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMxLRm4nwTVL; Thu, 24 May 2018 12:29:29 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4DA712EB0B; Thu, 24 May 2018 12:29:26 -0700 (PDT)
Received: from [10.0.1.91] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w4OJTNd0082711 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 24 May 2018 14:29:24 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.91]
From: Ben Campbell <ben@nostrum.com>
Message-Id: <A429C8DE-A476-4A56-8F17-2A6B8C3A57C1@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_8E437D6E-E5E3-4CCA-9BDB-50FC16CDC3AA"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Thu, 24 May 2018 14:29:22 -0500
In-Reply-To: <20180524192400.GL32807@kduck.kaduk.org>
Cc: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, yuvalif=40yahoo.com@dmarc.ietf.org, draft-ietf-dime-rfc4006bis@ietf.org, dime-chairs@ietf.org, dime@ietf.org, IESG <iesg@ietf.org>
To: Benjamin Kaduk <kaduk@mit.edu>
References: <152699690275.31181.16673564293046142291.idtracker@ietfa.amsl.com> <57F7AC78-C094-402D-8834-3AC049EED31E@nostrum.com> <380581659.4450262.1527064311638@mail.yahoo.com> <20180523135822.GA32807@kduck.kaduk.org> <1467920717.4840713.1527142671894@mail.yahoo.com> <CAKKJt-f+=M+VHReeE-0=787kkSNgGZp6nzX6i9+dbOEoF-yBCA@mail.gmail.com> <20180524131619.GH32807@kduck.kaduk.org> <D1953E63-04AF-48C0-854A-914F8E77E20E@nostrum.com> <20180524192400.GL32807@kduck.kaduk.org>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dime/BZmEaW37RI7QQj9DRN9GOd09J5A>
Subject: Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 19:29:31 -0000


> On May 24, 2018, at 2:24 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> On Thu, May 24, 2018 at 02:17:31PM -0500, Ben Campbell wrote:
>> 
>> 
>>> On May 24, 2018, at 8:16 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>>> 
>>> ... it's unclear to me that this document is the right place for
>>> such guidance.  That is, instead of a concrete recommendation, I had
>>> in mind just giving some extra facts that would allow the reader to
>>> consider the security implications of their deployment (this is the
>>> Security Considerations, after all), as in something like:
>>> 
>>> This document includes a redirection facility whereby the service
>>> provider can redirect (in an application-specific way) the end user
>>> to an alternate location when their credits have expired.  This is
>>> useful in that it allows for the user to return to normal service
>>> quickly, but also exposes additional risks and attack surface.  In
>>> particular, this redirection can potentially occur at an
>>> arbitrary point in a user's session, potentially without any
>>> additional contextual confirmation available to the user that the
>>> redirection is driven by the network.  Such a confirmation is
>>> important because, in many application protocols, the communication
>>> peer is also capable of inducing redirection, and when the peer is
>>> an attacker, the redirection can be to an attacker-controlled site.
>>> In particular, such sites may be "phishing" sites designed to appear
>>> similar to legitimate payment sites in an attempt to obtain users'
>>> payment information for fraudulent uses.  Because of the potentially
>>> harmful consequences of arbitrary redirection by an attacker (such
>>> as to phishing sites), it can be important for users and service
>>> providers to be aware of the risk and take measures to ensure that
>>> sensitive information (such as payment information) is only used for
>>> legitmiate purposes.  If an out-of-band signalling channel is
>>> available to provide contextual information that a redirection is
>>> triggered by the network as opposed to a communications peer, that
>>> can provide a highly effective mechanism for remediating this class
>>> of risk.
>>> 
>>> (The above may well be too wordy and could benefit from editing, of
>>> course.)
>> 
>> Based on our discussion on the telechat, how about something like the following?
>> 
>> "This document includes a redirection facility whereby the service
>> provider can redirect (in an application-specific way) the end user
>> to an alternate location when their credits have expired.  This is
>> useful in that it allows for the user to return to normal service
>> quickly, but also exposes additional risks and attack surface.  In
>> particular, this redirection can potentially occur at an
>> arbitrary point in a user's session, potentially without any
>> additional contextual confirmation available to the user that the
>> redirection is driven by the network.  This lack of confirmation matters
>> because, in many application protocols, the communication
>> peer is also capable of inducing redirection. When the peer is
>> an attacker, the redirection can be to an attacker-controlled site.
>> In particular, such sites may be "phishing" sites designed to appear
>> similar to legitimate payment sites in an attempt to obtain users'
>> payment information for fraudulent uses. When users become used
>> to such redirection, they may have difficulty distinguishing such
> 
> "such" might be ambiguous here; maybe "network-induced" or
> "network-driven”?

Good point.

> 

>> attacks from legitimate redirections.
>> 
>> Because of the potentially
>> harmful consequences of arbitrary redirection by an attacker (such
>> as to phishing sites), it can be important for users and service
>> providers to be aware of the risk and take measures to ensure that
>> sensitive information (such as payment information) is only used for
>> legitmiate purposes. Operators should follow industry best practices
> 
> I see my typo for "legitimate" is preserved :)
> 
>> for the specific application layer protocol to reduce the chances that
>> such attacks could be mistaken for legitimate redirection. The details
>> of such practice are out of scope for this document."
> 
> The above nitpicking aside, I think this text suffices to resolve my
> DISCUSS point.
>  (And I guess we're going with removing "instead of"
> to resolve the other one?)

That is my understanding. But in both cases, I suggest holding your DISCUSS until the updates show up in a revised draft.

Thanks!

Ben.

v2.23.0 | Report a Bug | By Email