[DNSOP] Review of draft-ietf-dnsop-rfc2845bis-02.txt

Mukund Sivaraman <muks@mukund.org> Mon, 19 November 2018 13:45 UTC

Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CF43130DC7 for <dnsop@ietfa.amsl.com>; Mon, 19 Nov 2018 05:45:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q9KAEjDfabZO for <dnsop@ietfa.amsl.com>; Mon, 19 Nov 2018 05:45:39 -0800 (PST)
Received: from mail.banu.com (mail.banu.com [46.4.129.225]) by ietfa.amsl.com (Postfix) with ESMTP id B480512426A for <dnsop@ietf.org>; Mon, 19 Nov 2018 05:45:39 -0800 (PST)
Received: from jurassic (unknown [27.5.222.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id 382EB32C00AC; Mon, 19 Nov 2018 13:45:37 +0000 (UTC)
Date: Mon, 19 Nov 2018 19:15:34 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: dnsop@ietf.org
Message-ID: <20181119134534.GA1450@jurassic>
References: <154263221088.5303.2024597771109478075@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <154263221088.5303.2024597771109478075@ietfa.amsl.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OmOXo0c1qKzQ3tWPh0_ZF4ib20g>
Subject: [DNSOP] Review of draft-ietf-dnsop-rfc2845bis-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2018 13:45:42 -0000

Hi Stephen, Francis

On Mon, Nov 19, 2018 at 04:56:50AM -0800, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
> 
>         Title           : Secret Key Transaction Authentication for DNS (TSIG)
>         Authors         : Francis Dupont
>                           Stephen Morris
>                           Paul Vixie
>                           Donald E. Eastlake 3rd
>                           Olafur Gudmundsson
>                           Brian Wellington
> 	Filename        : draft-ietf-dnsop-rfc2845bis-02.txt
> 	Pages           : 26
> 	Date            : 2018-11-19

First, I want to point out that this is a bis document and not errata,
so it need not (and should not) be limited to just fixing the TSIG
authenication bypass attack. I strongly feel that RFC 2845 is unclearly
specified, and TSIG (the protocol) is over-specified. This bis revision
should make amends.

Two points that I request this WG to discuss are:

1. Sparsely TSIG signed TCP continuation messages (section 6.4 in draft)

2. Truncated MACs

I feel both should be obsoleted now to reduce implementation complexity
and scope for errors causing authentication bypass. I have talked about
these on this list before, but won't restate comments in support here to
prejudice discussion.

I previously reviewed this bis draft here:
https://www.ietf.org/mail-archive/web/dnsop/current/msg21227.html

Many of my review comments were responded to with the terse "17y"
comment by one of the authors.

However, ome of the comments from my previous review have been
incorporated into the current document, but some have not. I
specifically request Stephen to read the comments in my previous review
carefully comparing against the current text in context, because I feel
some of those changes still have to be made.

Soon after this TSIG authentication bypass attack was reported, during a
review of the BIND TSIG implementation by Ray Bellis and me, we found a
couple of other issues. One of them is not a real-world issue (to do
with under-specification of what to do with full MAC length having
non-integral number of octets - there are no such common HMACs
currently), and another that I'm not able to remember that had to do
with an off-by-1 (or something similar) on the fudge and time signed
fields. Do you have any recollection of it Ray?

		Mukund