IETF Logo Mail Archive

[dmarc-ietf] Security Considerations in aggregate-reporting

Matthäus Wander <mail@wander.science> Fri, 22 March 2024 23:14 UTC

Return-Path: <mail@wander.science>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06F3DC14F6AB for <dmarc@ietfa.amsl.com>; Fri, 22 Mar 2024 16:14:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wander.science header.b="nYEZ26U3"; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=wander.science header.b="geKe4qS7"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQzf2mP4Mz9U for <dmarc@ietfa.amsl.com>; Fri, 22 Mar 2024 16:14:35 -0700 (PDT)
Received: from mail.swznet.de (cathay.swznet.de [IPv6:2a01:4f8:13b:2048::113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EADFC14F6E8 for <dmarc@ietf.org>; Fri, 22 Mar 2024 16:14:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=wander.science; s=2023-05-rsa; h=Subject:Content-Transfer-Encoding: Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References: Sender:Reply-To; bh=wwDKHkiLBUjZl17Ps8XexaXdZJY8sskbq7MBTPSfuoY=; b=nYEZ26U3K I3zUZBNIzjfRZrGvKaKFLegHCHA86FEeL6PF72wQAGwgcvULu8XXPmDjNkOAsftHWZGZYDB8QNCCf OJCmerwvVBNLqfT7Lcts9wBMh1YYHE/cAJc3BKhlWxhnuy6RWaOOjsiMZCnk9PS5n91DuBgRoE3Wc JYukT/mCSp8dHWv9xRcHMdynQ0kgjAh1EPzzGDvBz4gkuKG81UVH/MIwKUtuiA25mCNVjv+zr2hU9 8MnPvDNEWOw5l2AXUdya7aQmWI65TcAEfMkhenkqW2cMbjNkc/ARemYCMu2tEvdiocf93vR7dQmyD gUdiMLtzRIvECnMmlR8DyzamA==;
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=wander.science; s=2023-05-ed25519; h=Subject:Content-Transfer-Encoding: Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References: Sender:Reply-To; bh=wwDKHkiLBUjZl17Ps8XexaXdZJY8sskbq7MBTPSfuoY=; b=geKe4qS7h WZSDL5/UMa/Y/ub9DvtUJhLM4uhqWO0Io1IhM5pWQJmcRB0mo1kO9OguSsq8NdBPupyFMafNsd/BQ ==;
Received: from dynamic-2a01-0c23-759a-e200-5d6c-d74f-0d21-a974.c23.pool.telefonica.de ([2a01:c23:759a:e200:5d6c:d74f:d21:a974]) by mail.swznet.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <mail@wander.science>) id 1rno5o-0004J9-TP for dmarc@ietf.org; Sat, 23 Mar 2024 00:14:33 +0100
Message-ID: <58c6791d-5597-40db-9a3c-f87d03a58674@wander.science>
Date: Sat, 23 Mar 2024 00:14:30 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: dmarc@ietf.org
From: Matthäus Wander <mail@wander.science>
Autocrypt: addr=mail@wander.science; keydata= xjMEX32k2xYJKwYBBAHaRw8BAQdAnfSBcaYKuP99+S+Cv7yM2MC5uDVgjDHq72XoUkvDduTN Jk1hdHRow6R1cyBXYW5kZXIgPG1haWxAd2FuZGVyLnNjaWVuY2U+wpYEExYIAD4WIQRN5cud QSNuO9g4P/vwPFqQ1RKslAUCX32k2wIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIX gAAKCRDwPFqQ1RKslBHNAP92aGE3RVTUoVtAOMVyEzC5kpipuYgwEUBGohcKJ6FlkwEAyvGn 2Cqw6T/GOCgcZb3NlOLAAh83v3GOLnbiQxzZgQ3OOARffaTbEgorBgEEAZdVAQUBAQdAMtpC ADRykYF4hU5t/d1ItWsCVcQTrUXARpFGk4s8shADAQgHwn4EGBYIACYWIQRN5cudQSNuO9g4 P/vwPFqQ1RKslAUCX32k2wIbDAUJCWYBgAAKCRDwPFqQ1RKslI9HAP908/+/2MpEH/63y93a 1WB5pcYFy9Do/b0AQjjkfP+ZVQD9EaC+bOBrNgJzHFwhJAHI0l2KD79pMSgXSllPlA0dBQg=
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 2a01:c23:759a:e200:5d6c:d74f:d21:a974
X-SA-Exim-Mail-From: mail@wander.science
X-SA-Exim-Version: 4.2.1 (built Sat, 13 Feb 2021 17:57:42 +0000)
X-SA-Exim-Scanned: Yes (on mail.swznet.de)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/a_djQxSJCPzQFpYPxm_7yCy1SF8>
Subject: [dmarc-ietf] Security Considerations in aggregate-reporting
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 23:14:39 -0000

The Security Considerations section of aggregate-reporting-14 currently 
consists of a placeholder. Suggested text follows.

7. Security Considerations

Aggregate reports are supposed to be processed automatically. An 
attacker might attempt to compromise the integrity or availability of 
the report processor by sending ill-formed reports. In particular, the 
archive decompressor and XML parser are at risk to resource exhaustion 
attacks (zip bomb or XML bomb).

The data contained within aggregate reports may be forged. An attacker 
might attempt to interfere by submitting false reports in masses.

See also the security considerations of [dmarc-bis] (Section 11).

Regards,
Matt

v2.23.0 | Report a Bug | By Email