IETF Logo Mail Archive

Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 24 May 2018 19:24 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77947129BBF; Thu, 24 May 2018 12:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rjwtMLWaCo2T; Thu, 24 May 2018 12:24:14 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 366F1127869; Thu, 24 May 2018 12:24:14 -0700 (PDT)
X-AuditID: 12074423-6abff700000069f1-26-5b07115c31e9
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 58.D6.27121.C51170B5; Thu, 24 May 2018 15:24:12 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w4OJOAuR010972; Thu, 24 May 2018 15:24:10 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w4OJO1eJ013462 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 24 May 2018 15:24:05 -0400
Date: Thu, 24 May 2018 14:24:01 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ben Campbell <ben@nostrum.com>
Cc: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, yuvalif=40yahoo.com@dmarc.ietf.org, draft-ietf-dime-rfc4006bis@ietf.org, dime-chairs@ietf.org, dime@ietf.org, IESG <iesg@ietf.org>
Message-ID: <20180524192400.GL32807@kduck.kaduk.org>
References: <152699690275.31181.16673564293046142291.idtracker@ietfa.amsl.com> <57F7AC78-C094-402D-8834-3AC049EED31E@nostrum.com> <380581659.4450262.1527064311638@mail.yahoo.com> <20180523135822.GA32807@kduck.kaduk.org> <1467920717.4840713.1527142671894@mail.yahoo.com> <CAKKJt-f+=M+VHReeE-0=787kkSNgGZp6nzX6i9+dbOEoF-yBCA@mail.gmail.com> <20180524131619.GH32807@kduck.kaduk.org> <D1953E63-04AF-48C0-854A-914F8E77E20E@nostrum.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="T4sUOijqQbZv57TR"
Content-Disposition: inline
In-Reply-To: <D1953E63-04AF-48C0-854A-914F8E77E20E@nostrum.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrKKsWRmVeSWpSXmKPExsUixCmqrBsjyB5tcGifjMX8ztPsFmsPplnM 7V3BZrFk4gRWixl/JjJbLJuyh9micfVPFgd2jxPLrrB67Jx1l91jyZKfTB6zdj5hCWCJ4rJJ Sc3JLEst0rdL4MrYNvkOc8FNzYprBxewNTDeUupi5OCQEDCReP0nuouRi0NIYDGTxPUbt5kh nI2MEj/P97NAOFeZJFa+XQuU4eRgEVCVeHT+HSOIzSagItHQfRksLiKgJPG8eStYA7PALUaJ jvt/wRLCAtkSnyZMYAOxeYHWnVrRBbViD7PE2+8XGCESghInZz5hAbGZBcokLmzrYQa5j1lA WmL5Pw6QMKeAvcSZ5S2sILaogLLE3r5D7BMYBWYh6Z6FpHsWQjdEWEvixr+XTBjC2hLLFr5m hrBtJdate8+ygJF9FaNsSm6Vbm5iZk5xarJucXJiXl5qka6ZXm5miV5qSukmRlAssbso72B8 2ed9iFGAg1GJh3fDAbZoIdbEsuLK3EOMkhxMSqK8a/8BhfiS8lMqMxKLM+KLSnNSiw8xqgDt erRh9QVGKZa8/LxUJRHe7l9AdbwpiZVVqUX5MGXSHCxK4rw5ixijhQTSE0tSs1NTC1KLYLIy HBxKErzyAuzRQoJFqempFWmZOSUIaSYOzkOMEhw8QMPngtTwFhck5hZnpkPkTzHqcnS8n9LD LAR2gZQ4bytIkQBIUUZpHtwcUGqUyN5f84pRHOhFYd61IFU8wLQKN+kV0BImoCUXlzODLClJ REhJNTDmV7+f+zX9t7nnwnfXG+ur2NkmeW1/0iiZHn/7/ZW++tK1291O1Z3LucvHk5aeGx2+ 56lU/BdLifnnE0v51+969Er+uMMGRW4D1mt3Rer990mUmmbN73zRyz8rg6HsPNftTY+y4ja0 XZv4qVJEetnGGHnNwwz9Exg1S24++9bMsjFOYeLnQ55KLMUZiYZazEXFiQBPvZhPaAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dime/xF7KS5i7rmwgazq3Twcg5BMadMY>
Subject: Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 19:24:17 -0000

On Thu, May 24, 2018 at 02:17:31PM -0500, Ben Campbell wrote:
> 
> 
> > On May 24, 2018, at 8:16 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> > 
> > ... it's unclear to me that this document is the right place for
> > such guidance.  That is, instead of a concrete recommendation, I had
> > in mind just giving some extra facts that would allow the reader to
> > consider the security implications of their deployment (this is the
> > Security Considerations, after all), as in something like:
> > 
> > This document includes a redirection facility whereby the service
> > provider can redirect (in an application-specific way) the end user
> > to an alternate location when their credits have expired.  This is
> > useful in that it allows for the user to return to normal service
> > quickly, but also exposes additional risks and attack surface.  In
> > particular, this redirection can potentially occur at an
> > arbitrary point in a user's session, potentially without any
> > additional contextual confirmation available to the user that the
> > redirection is driven by the network.  Such a confirmation is
> > important because, in many application protocols, the communication
> > peer is also capable of inducing redirection, and when the peer is
> > an attacker, the redirection can be to an attacker-controlled site.
> > In particular, such sites may be "phishing" sites designed to appear
> > similar to legitimate payment sites in an attempt to obtain users'
> > payment information for fraudulent uses.  Because of the potentially
> > harmful consequences of arbitrary redirection by an attacker (such
> > as to phishing sites), it can be important for users and service
> > providers to be aware of the risk and take measures to ensure that
> > sensitive information (such as payment information) is only used for
> > legitmiate purposes.  If an out-of-band signalling channel is
> > available to provide contextual information that a redirection is
> > triggered by the network as opposed to a communications peer, that
> > can provide a highly effective mechanism for remediating this class
> > of risk.
> > 
> > (The above may well be too wordy and could benefit from editing, of
> > course.)
> 
> Based on our discussion on the telechat, how about something like the following?
> 
> "This document includes a redirection facility whereby the service
> provider can redirect (in an application-specific way) the end user
> to an alternate location when their credits have expired.  This is
> useful in that it allows for the user to return to normal service
> quickly, but also exposes additional risks and attack surface.  In
> particular, this redirection can potentially occur at an
> arbitrary point in a user's session, potentially without any
> additional contextual confirmation available to the user that the
> redirection is driven by the network.  This lack of confirmation matters
> because, in many application protocols, the communication
> peer is also capable of inducing redirection. When the peer is
> an attacker, the redirection can be to an attacker-controlled site.
> In particular, such sites may be "phishing" sites designed to appear
> similar to legitimate payment sites in an attempt to obtain users'
> payment information for fraudulent uses. When users become used
> to such redirection, they may have difficulty distinguishing such

"such" might be ambiguous here; maybe "network-induced" or
"network-driven"?

> attacks from legitimate redirections.
> 
> Because of the potentially
> harmful consequences of arbitrary redirection by an attacker (such
> as to phishing sites), it can be important for users and service
> providers to be aware of the risk and take measures to ensure that
> sensitive information (such as payment information) is only used for
> legitmiate purposes. Operators should follow industry best practices

I see my typo for "legitimate" is preserved :)

> for the specific application layer protocol to reduce the chances that
> such attacks could be mistaken for legitimate redirection. The details
> of such practice are out of scope for this document."

The above nitpicking aside, I think this text suffices to resolve my
DISCUSS point.  (And I guess we're going with removing "instead of"
to resolve the other one?)

-Benjamin

v2.23.0 | Report a Bug | By Email