Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (2nd Part)
<mohamed.boucadair@orange.com> Thu, 17 January 2019 08:17 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B2EC130E25; Thu, 17 Jan 2019 00:17:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKsTfbJdvIOD; Thu, 17 Jan 2019 00:17:42 -0800 (PST)
Received: from orange.com (mta134.mail.business.static.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C042130DC4; Thu, 17 Jan 2019 00:17:42 -0800 (PST)
Received: from opfednr07.francetelecom.fr (unknown [xx.xx.xx.71]) by opfednr20.francetelecom.fr (ESMTP service) with ESMTP id 43gH4h66w4z1yfh; Thu, 17 Jan 2019 09:17:40 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.17]) by opfednr07.francetelecom.fr (ESMTP service) with ESMTP id 43gH4h582pzFpX5; Thu, 17 Jan 2019 09:17:40 +0100 (CET)
Received: from OPEXCAUBM34.corporate.adroot.infra.ftgroup (10.114.13.92) by OPEXCLILM24.corporate.adroot.infra.ftgroup (10.114.31.17) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 17 Jan 2019 09:17:40 +0100
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM34.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0415.000; Thu, 17 Jan 2019 09:17:40 +0100
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-signal-channel-25 (2nd Part)
Thread-Index: AdSth/4V4uJk+YuhSsWU4l/lLLRChwAFrvywABL91YAADwLuEAAEi3XQ
Date: Thu, 17 Jan 2019 08:17:39 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA08F0D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <787AE7BB302AE849A7480A190F8B93302EA08269@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279064AFE1D99F1455E32466EA820@BYAPR16MB2790.namprd16.prod.outlook.com> <20190116222741.GK91727@kduck.mit.edu> <BYAPR16MB27905389000C0C35DF02CB2AEA830@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB27905389000C0C35DF02CB2AEA830@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/A8GglQtxZPRihRlFpNF54BjtYt4>
Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (2nd Part)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 08:17:46 -0000
Re-, Please see inline. Cheers, Med > -----Message d'origine----- > De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com] > Envoyé : jeudi 17 janvier 2019 07:54 > À : Benjamin Kaduk > Cc : BOUCADAIR Mohamed TGI/OLN; draft-ietf-dots-signal-channel@ietf.org; > dots@ietf.org > Objet : RE: AD review of draft-ietf-dots-signal-channel-25 (2nd Part) > > > -----Original Message----- > > From: Benjamin Kaduk <kaduk@mit.edu> > > Sent: Thursday, January 17, 2019 3:58 AM > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> > > Cc: mohamed.boucadair@orange.com; draft-ietf-dots-signal- > > channel@ietf.org; dots@ietf.org > > Subject: Re: AD review of draft-ietf-dots-signal-channel-25 (2nd Part) > > > > This email originated from outside of the organization. Do not click links > or > > open attachments unless you recognize the sender and know the content is > > safe. > > > > On Wed, Jan 16, 2019 at 01:30:01PM +0000, Konda, Tirumaleswar Reddy > > wrote: > > > > -----Original Message----- > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of > > > > mohamed.boucadair@orange.com > > > > Sent: Wednesday, January 16, 2019 4:11 PM > > > > To: Benjamin Kaduk <kaduk@mit.edu>; draft-ietf-dots-signal- > > > > channel@ietf.org > > > > Cc: dots@ietf.org > > > > Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 > > > > (2nd Part) > > > > > > > > > > > > > > > > Re-, > > > > > > > > Please see inline. > > > > > > > > Cheers, > > > > Med > > > > > > > > > -----Message d'origine----- > > > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : mercredi 16 > > > > > janvier 2019 01:14 À : draft-ietf-dots-signal-channel@ietf.org > > > > > Cc : dots@ietf.org > > > > > Objet : AD review of draft-ietf-dots-signal-channel-25 > > > > > > > > > > > > > > > Section 4.4 > > > > > > > > > > GET: DOTS clients may use the GET method to subscribe to DOTS > > > > > server status messages, or to retrieve the list of its > > > > > mitigations maintained by a DOTS server (Section 4.4.2). > > > > > > > > > > I'm not really a canonical HTTP expert, but I suspect that using > > > > > GET to "subscribe" will raise some eyebrows at later stages of > review. > > > > > > > > [Med] We are following RFC7641. I would be surprised if this is an > issue. > > > > > > > > Maybe > > > > > we should just leave it as-is and wait for such review to arrive, > > > > > though, rather than trying to do something preemptively. > > > > > > > > [Med] Yes. > > > > Sounds good. > > > > > > > > > > > > I don't know if this is the proper section to talk about it, but > > > > > we should probably have some text justifying the use of > > > > > application-layer acknowledgment as opposed to just using > > Confirmable CoAP messages. > > > > > > > > [Med] I'm not sure to understand this one. Which "application-layer > > > > acknowledgment" are you referring to? > > > > Maybe I was just misreading. Does > > > > Requests marked by the DOTS client as Non-confirmable messages are > > sent at regular intervals until a response is received from the DOTS > > server. > > > > refer to a "response" at the application layer (as opposed to the CoAP > layer)? > > No, the non-confirmable response is returned at the CoAP layer itself. [Med] Yes. We can make this change if neeed: s/until a response/until a CoAP response. > > > > > > > > > > > > > Section 4.4.1 > > > > > > > > > > If Figure 5 is going to use actual/example values for cuid and > > > > > mid, then I'd suggest also using actual/example values for the > > > > > JSON fields (instead of "integer" and "string" and such). > > > > > > > > [Med] I split the figure into two so that we don't have this problem. > > > > > > > > > > > > > > cuid: Stands for Client Unique Identifier. A globally unique > > > > > identifier that is meant to prevent collisions among DOTS > clients, > > > > > especially those from the same domain. It MUST be generated by > > > > > DOTS clients. > > > > > > > > > > In order to get global uniqueness we either need sufficient > > > > > randomness or a hierarchical allocation strategy. Since we > > > > > recommend a strategy that involves hashing the (public) client > > > > > certificate, we may also want to note that this value does not > > > > > need to be unguessable. If a random allocation is possible, I > > > > > suggest giving guidance on how many random bits must be used to > > > > > sufficiently ensure global uniqueness (128 might be enough). > > > > > > > > [Med] An attack vector that can be achieved if the cuid is guessable > > > > is if a misbehaving client from within the client's domain succeeds > > > > to be granted access by the server and then uses the cuid of another > > > > client of the domain to delete active mitigation/etc. > > > > > > > > For this attack vector to happen, the misbehaving client needs to > > > > pass security validation checks by the server. Therefore, I'm not > > > > sure if it is worth to add an allocation reco given this perquisite. > > > > > > > > Thoughts? > > > > I don't think we need to have text around 'cuid' allocation, but should > > mention the possibility of this spoofing attack by a compromised client, in > > the security considerations. [Med] OK. > > > > > UUID discussed in https://tools.ietf.org/html/rfc4122 is another way of > > generating a globally unique identifier. A compromised DOTS client can > sniff > > the TLS 1.2 handshake, use the client certificate to identify the "cuid" > used > > by another DOTS client. This attack is not possible with TLS 1.3 (TLS > > handshake is encrypted). > > > > For 1.3 the attacker would need to have data from a server in order to see > > another client's certificate, yes, which is presumably a harder attack. > > Yup, will update Security Considerations. > [Med] OK. > > > > I don't think a UUID reference would be very valuable here. > > If cuid collision happens, UUID can be used to generate the cuid. [Med] Indeed. Text updated. > > > > > > > > > > > > > > > > > The output of the cryptographic hash > algorithm > > > > > is truncated to 16 bytes; truncation is done by stripping off > the > > > > > final 16 bytes. The truncated output is base64url encoded. > > > > > > > > > > side note: Truncation to 128 bits reduces the collision resistance > > > > > to 64-bit strength, though this is probably acceptable in this use > case. > > > > > > > > > > DOTS servers MUST return 4.09 (Conflict) error code to a DOTS > peer > > > > > to notify that the 'cuid' is already in-use by another DOTS > > > > > client. Upon receipt of that error code, a new 'cuid' MUST be > > > > > generated by the DOTS peer. > > > > > > > > > > Is there any way in which this situation could arise during some > > > > > sort of migration scenario? > > > > > > > > [Med] This can be for example a client which does not follow the > > "SHOULD" > > > > for creating the cuid. > > > > Of course. I'm wondering if a legitmiate client that does follow the > > "SHOULD" could ever see this error code in the absence of an attack, for > > example if the client's network address changes. > > Yes, I too don't think a legitimate client will see this error code in the > absence of an attack. > > > > > > > > > > > > > Client-domain DOTS gateways MUST handle 'cuid' collision > directly > > > > > and it is RECOMMENDED that 'cuid' collision is handled directly > by > > > > > server-domain DOTS gateways. > > > > > > > > > > Is a gateway supposed to know if it is "client-side" or "server-side" > > > > > by explicit configuration or some more automatic method? > > > > > > > > [Med] This can be done by an explicit configuration. > > > > Okay. Let's wait to see if any other reviewers ask for clarifying text > that this > > can only be known via explicit configuration. [Med] OK. > > > > > > > > > > > > 'cuid' and 'mid' MUST NOT appear in the PUT request message body. > > > > > > > > > > Do we need to say this given that there's no obvious structure in > > > > > which to put them? (That is, is this just a reminder to > > > > > implementors of a previous version of the draft versus guidance to > > > > > new > > > > > implementations?) > > > > > > > > [Med] We used to have those in the message body in previous versions > > > > of the spec/implementations. Furthermore, there are cases where > > > > "mid" is allowed to be included in the message body (e.g., PUT > > > > response). We included this note for implementers because of some > > > > behaviors observed during past interops. > > > > Okay. (I think this is actually one of the things I asked before and you > > already answered; sorry for the duplication.) [Med] No problem. > > > > > > > > > > > > The prefix list MUST NOT include broadcast, loopback, or > multicast > > > > > addresses. These addresses are considered as invalid values. > > > > > In > > > > > > > > > > Does "invalid" mean that the particular address gets ignored or > > > > > that the entire request is rejected? > > > > > > > > [Med] The expected behavior is covered by this text: > > > > > > > > " ... or contains invalid or unknown parameters, the DOTS server > > > > MUST reply with 4.00 (Bad Request)." > > > > > > > > > > > > > > target-fqdn: A list of Fully Qualified Domain Names (FQDNs) > > > > > identifying resources under attack. An FQDN is the full name > of a > > > > > resource, rather than just its hostname. For example, "venera" > is > > > > > a hostname, and "venera.isi.edu" is an FQDN [RFC1983]. > > > > > > > > > > I would suggest referring to draft-ietf-dnsop-terminology-bis > > > > > rather than trying to reproduce a definition of FQDN. > > > > > > > > > > > > > [Med] I added an informative reference to draft-ietf-dnsop-terminology- > > bis. > > > > Thanks > > > > > > > We also may want to note that the DNS view can change depending on > > > > > the vantage point used to make the observation. > > > > > > > > [Med] Not sure what to do with this one given that the text says: > > > > > > > > "How a name is passed to an underlying name resolution library is > > > > implementation- and deployment-specific." > > > > I was thinking something like "the results returned for resolving a name > can > > depend on many factors, including when the request was made and the > > address of the DNS resolver used -- there is no guarantee that the DOTS > > server will resolve a name to the same addresses that the DOTS client > does". > [Med] I added this NEW text: The use of FQDNs may be suboptimal because: * It induces both an extra load and increased delays on the DOTS server to handle and manage DNS resolution requests. * It does not guarantee that the DOTS server will resolve a name to the same IP addresses that the DOTS client does. > Good point, will update draft. > > > > > > > > > > > > > On page 18 we say that server-domain DOTS gateways "MUST supply > > > > > [...] 'cdid'", but the previous paragraph says that there SHOULD > > > > > be a configuration option for whether to insert 'cdid' on such > systems. > > > > > The two requirements are in conflict; which was intended? (I > > > > > assume the MUST -- why would it be desired to not have the > > > > > information > > > > > available?) > > > > > > > > [Med] This text is about gateways that are instructed to insert the > > > > cdid parameter. gateways facing a client's domain are in this case. > > > > > > > > I updated the text with "server-domain DOTS gateways instructed to > > > > insert the 'cdid' parameter MUST supply.." > > > > Ah, that makes sense -- thanks. > > > > > > > > > > > > The same paragraph also says that the 'cdid' is "likely to be the > > > > > same as" the 'cuid', though in addition to the listed reasons the > > > > > client only has a SHOULD requirement to follow this procedure for > > > > > generating 'cuid'; it may be worth noting the client's leeway here as > > well. > > > > > > > > [Med] Yes, this is why we have "likely" in the text. > > > > > > > > > > > > > > If a DOTS client is provisioned, for example, with distinct > > > > > certificates as a function of the peer server-domain DOTS > gateway, > > > > > distinct 'cdid' values may be supplied by a server-domain DOTS > > > > > gateway. The ultimate DOTS server MUST treat those 'cdid' > values > > > > > as equivalent. > > > > > > > > > > Is this paragraph trying to say that a client might supply > > > > > different certs to different gateways in the same domain > > > > > > > > [Med] Yes. > > > > > > > > (e.g., if one such > > > > > gateway does not support ecdsa certs)? It was pretty confusing on > > > > > the first read, in particular how the ultimate DOTS server would > > > > > know that the different 'cdid' values actually correspond to the > > > > > same client [domain]. > > > > > > > > [Med] This is supposed to be provisioned on the server. This is > > > > deployment- specific; hence no mention in the draft. > > > > Ah, thanks for the explanation. I don't have any suggested rewording that > > would help clarify -- all I can come up with is to add ", when configured > to > > know they represent the same client", which is both long and not really > > saying anything new. > > > > > > > > > > > > DOTS servers MUST ignore 'cdid' attributes that are directly > > > > > supplied by source DOTS clients or client-domain DOTS gateways. > > > > > This implies that first server-domain DOTS gateways MUST strip > > > > > 'cdid' attributes supplied by DOTS clients. DOTS servers > SHOULD > > > > > support a configuration parameter to identify DOTS gateways > that > > > > > are trusted to supply 'cdid' attributes. > > > > > > > > > > Is there any mechanism (e.g., autodetection) other than this by > > > > > which servers/proxies can learn about the topology information > > > > > needed to fulfil these requirements? > > > > > > > > [Med] I'm not aware of such mechanism. > > > > Okay, thanks. > > > > > > > > > > > > Because of the complexity to handle partial failure cases, this > > > > > specification does not allow for including multiple mitigation > > > > > requests in the same PUT request. Concretely, a DOTS client MUST > > NOT > > > > > include multiple 'scope' parameters in the same PUT request. > > > > > > > > > > "multiple 'scope' parameters" reads like a CBOR object with > > > > > duplicate keys; is this intended to refer to a multi-valued array? > > > > > > > > [Med] What is intended is that the scope list should include only one > > entry.. > > > > > > > > I can change to "multiple 'scope' clauses" > > > > I'm not sure how different that is. It sounds like you're trying to avoid > > "multiple entries in the 'scope' array"? > > Yes, proposed wording to say "MUST NOT include multiple entries in the > 'scope' array" looks better. [Med] Fixed. > > > > > > > > > > > > > The DOTS server couples the DOTS signal and data channel sessions > > > > > using the DOTS client identity and optionally the 'cdid' > > > > > parameter > > > > > > > > > > This requires the client to use the same certificate to > > > > > authenticate the signal and data channels to a given server (even > > > > > when a gateway is in use). Above, we discussed cases where a > > > > > client might have multiple certificates available. > > > > > > > > [Med] Actually, the text above applies also if distinct certificates > are used. > > > > Equivalent "client identity" are supposed to be known to the server > > > > by an out of band means. In all cases, the identity (same or > > > > equivalent) is used to couple the sessions. > > > > Hmm. If we are talking anything fancier than just comparing Subject > > information from the certificate (which apparently I forgot about when I > > wrote the above!), I think we may want to have some text in the document > > mentioning the possibility of out of band configuration. > > Nothing fancy, the two certificates will have the same distinguished name > (DN) in the subject field. > A CA can issue multiple certificates with the same DN to the DOTS client (or > subject). > > > > > > > Where do we specify the requirement to use the > > > > > same certificate for signal and data channels? > > > > > > > > [Med] We don't have such requirement in existing DOTS documents. > > > > > > > > > > > > > > DOTS agents can safely > > > > > ignore Vendor-Specific parameters they don't understand. > > > > > > > > > > This is not a very useful statemnet if the agent must know that a > > > > > parameter is vendor-specific in order to safely ignore it. > > > > > > > > [Med] The agent relies on the cbor key value to determine that a > > > > parameter can be safely ignored or not (comprehension-required). A > > > > range of keys is reserved for comprehension-optional. An agent > > > > checks the range to which belong a parameter, and then behaves > > accordingly. > > > > If we really mean comprehension-optional, maybe we should just say that, > > instead of "Vendor-Specific". > > Yes, will update. [Med] Fixed. > > > > > > > > > > > > > If the DOTS server does not find the 'mid' parameter value > conveyed > > > > > in the PUT request in its configuration data, it MAY accept the > > > > > mitigation request by sending back a 2.01 (Created) response to > the > > > > > DOTS client; the DOTS server will consequently try to mitigate the > > > > > attack. > > > > > > > > > > If the DOTS server finds the 'mid' parameter value conveyed in the > > > > > PUT request in its configuration data bound to that DOTS client, > it > > > > > MAY update the mitigation request, and a 2.04 (Changed) response > is > > > > > returned to indicate a successful update of the mitigation > request. > > > > > > > > > > There are two "MAY"s spread across these two paragraphs; do we > > > > > want to say anything about in what cases the server might want to > > > > > have different behavior (i.e., ignore the MAY)? > > > > > > > > > > > > > [Med] For the first MAY, a typical example is when a rate limit is > enforced: > > > > > > > > Rate-limiting DOTS requests, including those with new 'cuid' values, > > > > from the same DOTS client defends against DoS attacks that would > > > > result in varying the 'cuid' to exhaust DOTS server resources. > Rate- > > > > limit policies SHOULD be enforced on DOTS gateways (if deployed) and > > > > DOTS servers > > > > > > > > For the second MAY, the server may have more visibility on the > > > > attack and then may decide to update accordingly. > > > > > > > > I don't know if it is worth to add examples. Any preference? > > > > I would lean towards adding "A server could reject mitigation requests when > > it is near capacity or needs to rate-limit a particular client, for > example" for > > the former, but leaving the latter as-is. But I have no strong preferences > > here and am happy to advance the document either way. > [Med] Fixed. Thanks.
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair