Re: [Dots] Secdir last call review of draft-ietf-dots-signal-channel-30
<mohamed.boucadair@orange.com> Fri, 15 March 2019 06:47 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37AF7130E2F; Thu, 14 Mar 2019 23:47:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TGevkOQFHN2O; Thu, 14 Mar 2019 23:47:30 -0700 (PDT)
Received: from orange.com (mta239.mail.business.static.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C768A127887; Thu, 14 Mar 2019 23:47:29 -0700 (PDT)
Received: from opfedar03.francetelecom.fr (unknown [xx.xx.xx.5]) by opfedar25.francetelecom.fr (ESMTP service) with ESMTP id 44LGNJ006bz8st3; Fri, 15 Mar 2019 07:47:27 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.98]) by opfedar03.francetelecom.fr (ESMTP service) with ESMTP id 44LGNH5sLtzCqkX; Fri, 15 Mar 2019 07:47:27 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM7F.corporate.adroot.infra.ftgroup ([fe80::d9:d3cd:85bd:d331%21]) with mapi id 14.03.0439.000; Fri, 15 Mar 2019 07:47:27 +0100
From: mohamed.boucadair@orange.com
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-dots-signal-channel.all@ietf.org" <draft-ietf-dots-signal-channel.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-dots-signal-channel-30
Thread-Index: AQHU2oSfRsTGH2X350i3IMDpwuRCCqYMOY8A
Date: Fri, 15 Mar 2019 06:47:27 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA3E475@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <155257761487.2625.10003476313108979036@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA3DFC8@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <72f7b85c-74fb-0f79-8211-50043c2b4b47@cs.tcd.ie>
In-Reply-To: <72f7b85c-74fb-0f79-8211-50043c2b4b47@cs.tcd.ie>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Df1yZDjgXCrVh0hwYzzSRkHNoxA>
Subject: Re: [Dots] Secdir last call review of draft-ietf-dots-signal-channel-30
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2019 06:47:32 -0000
Hi Stephen, Please see inline. Cheers, Med > -----Message d'origine----- > De : Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > Envoyé : jeudi 14 mars 2019 17:40 > À : BOUCADAIR Mohamed TGI/OLN; secdir@ietf.org > Cc : draft-ietf-dots-signal-channel.all@ietf.org; ietf@ietf.org; > dots@ietf.org > Objet : Re: Secdir last call review of draft-ietf-dots-signal-channel-30 > > > Hiya, > > Just on two bits below... > > I'm happy to chat more but also fine that you and the ADs can > sort this out according to however the ADs see this. > > On 14/03/2019 16:17, mohamed.boucadair@orange.com wrote: > > >> I think there's one issue with this draft that'd be well worth > >> discussion and/or fixing: > >> > >> - p12: Why does the cuid need to be so static? I would have thought > >> that an identifier that can change more often than a key pair would > >> have been better, esp if this could be used in a CPE. (Creating a > >> new long-lived identifier for a CPE seems like a bad plan if it's > >> not really needed.) For example, one could use both the SPKI and a > >> timestamp as input for a recommended way to generate a cuid and > >> that should be as unique, but much more easily changed. That could > >> also mitigate the possible TLS1.2 client-cert snooping issue > >> mentioned on p90. > > > > [Med] cuid is used for avoidance detection but also as a stable key > > to identify resources at the server side. Any change of the cuid will > > lead to a failure in accessing the resources. Furthermore, this > > identifier is used to "glue" the signal and data channels. > > > > The spec does not forbid the clients to change its cuid, but to do > > so, the client will need to manage state migration. > > Yep, I get that. But the current alg that's described for > cuid calculation has the effect of creating an identifier > with the same lifetime as a key pair. Assuming keys are > harder to change than cuids it seems better to encourage > clients to not make such a tight linkage between cuid and > keys, esp. if the client is on a CPE. (And it avoids the > TLS1.2 snooping issue as noted.) > > I'd encourage you to consider maybe saying some more about > how clients can change cuid, but even if not, to provide > a cuid calculation example that doesn't link only to the > key pair. [Med] The text already cites RFC 4122 as an alternate scheme. Will consider how to enhance the text. Thanks. > > >> - Couldn't a bad actor in control of an authorised DOTS client > >> colluding with the controller of a DDoS attack use this to probe > >> the system to see how their attack is going and change the attack > >> to be more effective? > > > > [Med] The client will only see the reports for attacks it detected > > and signaled. That bad actor won't signal the attack in the first > > place! > > Perhaps I wasn't clear. ISTM that all clients can get information > about how an attack is being seen at other clients, isn't that > right? [Med] No. A client can only get information that is bound to it. (The spec does talk about that IIRC.) The colluding client > might or might not be under attack but non-compromised clients will > presumably ask for the attack to be mitigated. So the colluding > client could use this protocol to probe and see how well or badly > the DDoS-mitigation infrastructure is handling an ongoing attack. > I'm basically saying that that may be noteworthy as a security > consideration. > > Cheers, > S. > > > > > > I don't > >> think any protocol change could help there, but perhaps you could > >> give some guidance to implementers to try catch such cases (e.g., > >> if the probing DOTS client's local n/w doesn't actually appear to > >> be under attack). > >> > >
- [Dots] Secdir last call review of draft-ietf-dots… Stephen Farrell via Datatracker
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… Stephen Farrell
- Re: [Dots] Secdir last call review of draft-ietf-… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir last call review of draft-ietf-… Stephen Farrell
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair
- Re: [Dots] Secdir last call review of draft-ietf-… Michael Richardson
- Re: [Dots] Secdir last call review of draft-ietf-… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir last call review of draft-ietf-… mohamed.boucadair