Re: [Dots] AD review of draft-ietf-dots-rfc8782-bis-04

mohamed.boucadair@orange.com Tue, 02 March 2021 14:41 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01FDC3A1943; Tue, 2 Mar 2021 06:41:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DCOfV9avLsDp; Tue, 2 Mar 2021 06:41:47 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A57E3A193E; Tue, 2 Mar 2021 06:41:47 -0800 (PST)
Received: from opfednr07.francetelecom.fr (unknown [xx.xx.xx.71]) by opfednr22.francetelecom.fr (ESMTP service) with ESMTP id 4Dqfw91dZkzymV; Tue, 2 Mar 2021 15:41:45 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1614696105; bh=ow1HIbJnrfBcQmLWi1K/Yg4FY59O3BCAQ1yNKAkpFF0=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=CrR7savuDuAuL6fF3D8su9Wsexsb6tT7/yuaPGqVLGKiM3KlDJMcG8WNnSrsrAljo 756JE+1OClbCWFFsbO92kZiVq6ojmoIsZL3af6GJPZwRwfGKSAzRmaKcabPMeVj5RE kdY/MyGBCo/eoxaiWVePIj6IeUMMTSiP+OTN0HdX0L2OIQm5lT63vPKHknpMxlTPmo UfoPHLvn6gTIZMbJlV5o5NBIuikJ7VEBqjYxpJhweU4hLp3d70mUXy8OQKoGlBYGe2 WX6xv5lxYMZbWxMAu74agqD5NG5AdvyUeu4HiXm/TCcxs+3XcxpRbcvutyP8aGExb0 +Wh5aUsXEKNpQ==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.89]) by opfednr07.francetelecom.fr (ESMTP service) with ESMTP id 4Dqfw90jLjzFpWk; Tue, 2 Mar 2021 15:41:45 +0100 (CET)
From: <mohamed.boucadair@orange.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-dots-rfc8782-bis.all@ietf.org" <draft-ietf-dots-rfc8782-bis.all@ietf.org>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] AD review of draft-ietf-dots-rfc8782-bis-04
Thread-Index: AQHXDudfUjC2TTSeqkyC6YxgVIbyaKpwweMg
Date: Tue, 2 Mar 2021 14:41:38 +0000
Message-ID: <22059_1614696105_603E4EA9_22059_10_1_787AE7BB302AE849A7480A190F8B9330315DBE21@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <20210301220755.GK21@kduck.mit.edu>
In-Reply-To: <20210301220755.GK21@kduck.mit.edu>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/XMN6AnDbu4CkH6wqipbhqTucgck>
Subject: Re: [Dots] AD review of draft-ietf-dots-rfc8782-bis-04
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 14:41:50 -0000

Hi Ben, 

Thank you for the review. 

A diff is available at https://www.ietf.org/rfcdiff?url1=draft-ietf-dots-rfc8782-bis&url2=https://raw.githubusercontent.com/boucadair/rfc8782-yang-update/master/draft-ietf-dots-rfc8782-bis.txt 

Also updated 7049 to 8949 (and sections).

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Dots [mailto:dots-bounces@ietf.org] De la part de Benjamin Kaduk
> Envoyé : lundi 1 mars 2021 23:08
> À : draft-ietf-dots-rfc8782-bis.all@ietf.org
> Cc : dots@ietf.org
> Objet : [Dots] AD review of draft-ietf-dots-rfc8782-bis-04
> 
> Hi all,
> 
> Sorry to have taken so long on this one -- I opened it up a couple
> times thinking "I'll just look at the diff from 8782; it'll be easy",
> but then halfway in I realized I did actually want to give some
> careful attention to the YANG changes and ran out of time.
> 
> The good news is that it's generally in good shape -- I'll request
> the IETF LC (it will be extended due to the IETF 110 overlap) and the
> following comments can be considered along with the last-call
> comments.
> 
> Thanks for the good work!
> 
> -Ben
> 
> 
> We'll have to bump the copyright year in the YANG because I was too
> slow at processing this :(
> 
> Should we say anything about what an implementation should do if it
> receives cuid/cdid/mid/sid in the payload body (e.g., ignore it or
> check for consistency with the received URI-Path)?

[Med] We do already have the following: 

   'cuid' and 'mid' MUST NOT appear in the PUT request message body
   (Figure 6).

and 

   If the request is missing a mandatory attribute, does not include
   'cuid' or 'mid' Uri-Path options, includes multiple 'scope'
   parameters, or contains invalid or unknown parameters, the DOTS
                  ^^^^^^^^^^^^^^^^
   server MUST reply with 4.00 (Bad Request).

> 
> Section 3.1
> 
>    same CBOR key value and CBOR major type.  The only upgrade that is
>    required to [RFC8782] implementations is to handle the CBOR key
> value
>    range "128-255" as comprehension-optional instead of
> comprehension-
>    required.  Note that this range is anticipated to be used by the
> DOTS
>    telemetry [I-D.ietf-dots-telemetry] in which the following means
> are
>    supported to avoid that a DOTS signal channel message enriched
> with
>    telemetry data will exacerbate message failure: (1) DOTS agents
> use
> 
> nit: I suggest s/are supported to avoid that a DOTS signal channel
> message enriched with telemetry data will exacerbate message
> failure/are used to prevent message processing failure of a DOTS
> signal channel message enriched with telemetry data/ -- the "avoid"
> and "failure" are quite far apart in the original, which can be hard
> to process.
> ^

[Med] Fixed. 

> Section 5.3
> 
>            container conflict-information {
>              description
>                "Indicates that a conflict is detected.
>                 Must only be used for responses.";
> 
> The "must only be used for responses" is mechanically redundant with
> the "direction" choice, now, so it should probably be removed.
> 

[Med] Agree. 

>                list acl-list {
>                  when "../../conflict-cause ="
>                     + " 'conflict-with-acceptlist'";
>                  key "acl-name";
>                  description
>                    "List of conflicting ACLs as defined in the DOTS
> data
>                     channel.  These ACLs are uniquely defined by
>                     cuid and acl-name.";
> 
> Now that cuid is moved out of the structure and into the Uri-Path
> option, we have a new opportunity for separability of payload and
> metadata. The security considerations should discuss what prevents a
> "slice and dice" attack that uses a given payload on a different
> connection or in a different context such that it is interprted in
> the context of a different cuid.  (DTLS ought to be enough, assuming
> a request or response does not get split across datagrams.)

[Med] Not sure if there is much to add because this falls under this text: 

   If the 'cuid' is guessable, a misbehaving DOTS client from within the
   client's domain can use the 'cuid' of another DOTS client of the
   domain to delete or alter active mitigations.  For this attack vector
   to happen, the misbehaving client needs to pass the security
   validation checks by the DOTS server, and eventually the checks of a
   client-domain DOTS gateway.

   A similar attack can be achieved by a compromised DOTS client that
   can sniff the TLS 1.2 handshake, use the client certificate to
   identify the 'cuid' used by another DOTS client.  This attack is not
   possible if algorithms such as version 4 Universally Unique
   IDentifiers (UUIDs) in Section 4.4 of [RFC4122] are used to generate
   the 'cuid' because such UUIDs are not a deterministic function of the
   client certificate.  Likewise, this attack is not possible with TLS
   1.3 because most of the TLS handshake is encrypted and the client
   certificate is not visible to eavesdroppers.

> 
> (Likewise for 'sid' no longer in the signal-config messages.)
> 
> 
> redirected-signal/alt-server is now an inet:domain-name but 8782 has
> it as "string".  AFAICT that does not result in an encoding change
> but please confirm.

[Med] I confirm. 

> 
> 
>    sx:structure dots-signal {
>      description
>        "Main structure for DOTS signal message.
> 
>         A DOTS signal message can be a mitigation, a configuration,
>         or a redirected signal message.";
> 
> Should this description list "heartbeat" as well?

[Med] Yes. This will echo 5.1:

   "A DOTS signal message can be
   a mitigation, a configuration, a redirect, or a heartbeat message."

> 
> Section 7.1
> 
> Will whichever author noticed please file an errata report against
> RFC
> 8782 for the random "i" in the middle of "The Server Name Indication
> (SNI) extension [RFC6066] i defines a mechanism"?  I'd be happy to
> mark it verified.
> 

[Med] Done. 

> Section 9
> 
>    The following list of common CoAP errors that are implemented by
> DOTS
>    servers.  This list is not exhaustive, other errors defined by
> CoAP
>    and associated RFCs may be applicable.
> 
> nit: comma splice
> 

[Med] Changed to "... exhaustive; other ..."

>    o  4.15 (Unsupported Content-Format) is returned by the DOTS
> server
>       when the Content-Format used in the request is not formatted as
>       "application/dots+cbor" (Section 4).
> 
> nit: I think either the Content-Format used "is not"
> application/dots+cbor, or "the request is not formatted as"
> application/dots+cbor.  The current formulation seems to say that the
> Content-Format itself is formatted, which is weird.
> 

[Med] Fixed.

> Section 10.6.1.1
> 
> We recently had draft-ietf-mpls-lsp-ping-registries-update come
> through to, among other things, change some ranges from "private use"
> to "first come, first served", since in the type of deployment they
> have the "private use" could not really remain private.  That is
> probably less of a concern for DOTS, but I mention it just in case it
> is relevant.
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.