IETF Logo Mail Archive

Re: [Ecrit] planned-changes: two questions

Randall Gellens <rg+ietf@randy.pensive.org> Tue, 31 August 2021 21:50 UTC

Return-Path: <rg+ietf@randy.pensive.org>
X-Original-To: ecrit@ietfa.amsl.com
Delivered-To: ecrit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 792B53A0848 for <ecrit@ietfa.amsl.com>; Tue, 31 Aug 2021 14:50:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_FORGED_RELAY_MUA_TO_MX=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RIz_nWnlpQ2n for <ecrit@ietfa.amsl.com>; Tue, 31 Aug 2021 14:50:01 -0700 (PDT)
Received: from turing.pensive.org (turing.pensive.org [99.111.97.161]) by ietfa.amsl.com (Postfix) with ESMTP id A10B83A0843 for <ecrit@ietf.org>; Tue, 31 Aug 2021 14:50:00 -0700 (PDT)
Received: from [99.111.97.181] (99.111.97.161) by turing.pensive.org with ESMTP (EIMS X 3.3.9); Tue, 31 Aug 2021 14:49:59 -0700
From: "Randall Gellens" <rg+ietf@randy.pensive.org>
To: "Brian Rosen" <br@brianrosen.net>
Cc: "Caron, Guy" <g.caron@bell.ca>, ECRIT <ecrit@ietf.org>
Date: Tue, 31 Aug 2021 14:49:59 -0700
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <FE842AC5-6C9A-4134-A285-E31273D2759D@randy.pensive.org>
In-Reply-To: <8247DFD7-D3B3-44BC-9EE7-A2EF4B994A01@brianrosen.net>
References: <A0FC259C-DF34-4496-9013-422006278DA6@randy.pensive.org> <FB2A33E8-E146-404B-B150-1496C40510EF@brianrosen.net> <5577e2e6daa4405bbe12ef61675e1f55@bell.ca> <DE195D79-5A01-48EE-95CA-6C4B82E0886D@brianrosen.net> <e6e17f501711441188119cdfbe384d3d@bell.ca> <3AD58DEC-1DC9-4BC0-B55C-4E782E4AAA74@brianrosen.net> <E20342E7-2EFB-4479-96C2-85B4B7E16989@randy.pensive.org> <A7D59E8E-A014-4CC8-A0FF-5F58E81C6D4A@brianrosen.net> <A8261C28-AB16-44A7-9E3F-D9EED7B6E6DE@randy.pensive.org> <9433989A-85D7-41B9-96EA-313ADC0F02CD@brianrosen.net> <851c82ef56714b8a917761d98234093a@bell.ca> <0F5C2109-77E1-495E-9768-94E28DC6A76A@brianrosen.net> <0619e49202b146298d1bf7e01ec16fe2@bell.ca> <8247DFD7-D3B3-44BC-9EE7-A2EF4B994A01@brianrosen.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_80281531-E502-4074-BC9C-0B1225774697_="
Embedded-HTML: [{"HTML":[462, 39373], "plain":[131, 12112], "uuid":"78B73CEE-847B-497F-B835-18D753B1319F"}]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ecrit/315Ez4je-EGDlQZ7-fSZLXP6DBc>
Subject: Re: [Ecrit] planned-changes: two questions
X-BeenThere: ecrit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Emergency Context Resolution with Internet Technologies <ecrit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ecrit/>
List-Post: <mailto:ecrit@ietf.org>
List-Help: <mailto:ecrit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2021 21:50:08 -0000

The IDs are entirely up to the server.  The server can aggregate them.

--Randall

On 31 Aug 2021, at 14:11, Brian Rosen wrote:

> It could limit it, but that would be a problem if it limited it such 
> that a large planned change properly registered couldn’t work.  In 
> some areas, they change hundreds of thousands of address points in a 
> large annexation.  It’s not typically millions, but you could 
> imagine something like a county that dumps a new Site/Structure list 
> where there wasn’t one before that triggers this kind of 
> notification.
>
> That doesn’t change the need for start and limit if the list can be 
> big.  Lots of systems I know have pretty severe limits on the size of 
> an upload response for interfaces like this.
>
> Hmmm, start and limit go the wrong way.  The notification is the POST. 
>  Start and Limit are for a GET.  We would have to implement an 
> equivalent on the registration.
>
> Brian
>
>> On Aug 31, 2021, at 4:57 PM, Caron, Guy <g.caron@bell.ca> wrote:
>>
>> The size of the list could be a policy at the Server.
>>
>> Guy
>>
>> De : Brian Rosen <br@brianrosen.net>
>> Envoyé : 31 août 2021 16:55
>> À : Caron, Guy <g.caron@bell.ca>
>> Cc : Randall Gellens <rg+ietf@randy.pensive.org>rg>; ECRIT 
>> <ecrit@ietf.org>
>> Objet : [EXT]Re: [Ecrit] planned-changes: two questions
>>
>> If we did that, we would have to implement limit and start to handle 
>> a large list.
>>
>> Brian
>>
>>
>>
>> On Aug 31, 2021, at 4:38 PM, Caron, Guy <g.caron@bell.ca 
>> <mailto:g.caron@bell.ca>> wrote:
>>
>> If we make <revalidateLocation> a list of IDs, one notification per 
>> URI per planned change would be sufficient.
>>
>> Guy
>>
>> De : Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>>
>> Envoyé : 31 août 2021 15:35
>> À : Randall Gellens <rg+ietf@randy.pensive.org 
>> <mailto:rg+ietf@randy.pensive.org>>
>> Cc : Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>>; ECRIT 
>> <ecrit@ietf.org <mailto:ecrit@ietf.org>>
>> Objet : [EXT]Re: [Ecrit] planned-changes: two questions
>>
>> No.
>>
>> There is one URI, but many IDs, one per unique record at the LoST 
>> server that is involved in a planned change.  The one URI will 
>> receive one notification per ID it has registered for.
>>
>>
>>
>>
>>
>> On Aug 31, 2021, at 2:56 PM, Randall Gellens 
>> <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> wrote:
>>
>> i understand that the concern is allowing a client to leverage the 
>> LoST server to attack a large number of targets, I'm just not clear 
>> mechanically how such leverage potentially works. Each validation 
>> query can store a URI, and that URI may get associated with a large 
>> number of locations. Maybe there's a street name change or an 
>> annexation. So maybe thousands or tens or hundreds of thousands of 
>> locations are potentially invalidated. They all have the same URI 
>> associated with them, so the LoST server connects to the URI once and 
>> POSTs one notification, no?
>> --Randall
>> On 31 Aug 2021, at 10:53, Brian Rosen wrote:
>> Of course an attacker would conceal itself and register multiple URIs 
>> under different identities.  But the bigger  problem is that if a 
>> large planned change occurred, the victim could receive a large 
>> number of notifications it didn’t expect.
>>
>> With a test transition, we know that the client expects to see 
>> notifications, we only need one per URI (we could specify one per 
>> domain — after the scheme and before the first slash).  If we 
>> don’t get the ID, we know not to allow that URI to be provisioned.  
>> So it’s one test transaction vs a large number of planned change 
>> transactions.
>>
>> Brian
>>
>>
>>
>>
>> On Aug 31, 2021, at 1:35 PM, Randall Gellens 
>> <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> wrote:
>>
>> If a malicious client registers a URI that is designed to attack a 
>> third site, the test transaction causes the LoST server to connect to 
>> it and POST a command. Without a test transaction, the LoST server 
>> stores the URI and at a future time connects to it and sends a 
>> command. Either way, a LoST client can register potentially one URI 
>> per queried location, and a LoST server will connect to that URI and 
>> POST a message. A queried location could be tied to many other 
>> locations, so there could be many locations for which a change would 
>> trigger the LoST server to use the URI, but is that worse?
>> --Randall
>> On 31 Aug 2021, at 10:27, Brian Rosen wrote:
>> If the work group wants to have the LoST server keep the URI until 
>> expressly deleted, that’s okay with me.
>>
>> Authenticating the client to the server doesn’t mean the URI is 
>> authenticated.  We can’t restrict the URI to be the same entity as 
>> the client running the LoST transaction.  And the clients are wide 
>> ranging.  Could be an enterprise running its own LIS for example.  We 
>> can’t assume the North American PKI is workable everywhere, and 
>> even that doesn’t extend to an enterprise LIS.  ISTM we have to run 
>> a test transaction with the notification service to make sure it’s 
>> what we think it is.
>>
>> Brian
>>
>>
>>
>>
>>
>> On Aug 31, 2021, at 9:01 AM, Caron, Guy <g.caron@bell.ca 
>> <mailto:g.caron@bell.ca>> wrote:
>>
>> Inline.
>>
>> Guy
>>
>> -----Message d'origine-----
>> De : Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>>
>> Envoyé : 31 août 2021 08:11
>> À : Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>>
>> Cc : Randall Gellens <rg+ietf@randy.pensive.org 
>> <mailto:rg+ietf@randy.pensive.org>>; ECRIT <ecrit@ietf.org 
>> <mailto:ecrit@ietf.org>>
>> Objet : [EXT]Re: [Ecrit] planned-changes: two questions
>>
>> You delete the URI when you delete the record in the LIS.
>> [GC] That's fine but that was not the question Randall posed. He 
>> asked whether the URI is deleted after a notification. I agree that 
>> if the Client does not host the location anymore that the URI 
>> associated with that location in the Server should be deleted. This 
>> could be achieved with an empty <plannedChange>.
>>
>> I don’t think this is covered in 5222.  The mechanism causes the 
>> LoST server to send notifications to the client, but the client is 
>> allowed to put any URI in the record, and it can add it to as many 
>> records as it wants.
>> [GC] I thought we agreed on using one generic URI per Client. Clients 
>> should be authenticated by the Servers.
>>  An evil implementation could record URIs against multiple targets 
>> that were unaware that the evil implementation did it, until they got 
>> a large number of PUSH transactions they didn’t expect or 
>> understand as a result of a large planned change.
>> [GC] Only authenticated Clients should be allowed to provide URIs to 
>> be stored by the Servers.
>>
>> The proposed mechanism qualifies the client URI before its used in a 
>> planned change.
>>
>> Brian
>>
>>
>>
>> On Aug 31, 2021, at 7:37 AM, Caron, Guy <g.caron@bell.ca 
>> <mailto:g.caron@bell.ca>> wrote:
>>
>> Well, this is not going in the direction I thought.
>>
>> What is the purpose of deleting the URIs at the Server 
>> post-validation?
>>
>> Regarding opening a new DoS, I guess I'm not following. Wouldn't this 
>> case be covered by the security considerations in RFC 5222?
>>
>> What you're proposing puts back significant load on the Servers (a 
>> key consideration for creating planned-changes in the first place) 
>> and complicates the mechanism.
>>
>> Guy
>>
>>
>> -----Message d'origine-----
>> De : Ecrit <ecrit-bounces@ietf.org <mailto:ecrit-bounces@ietf.org>> 
>> De la part de Brian Rosen Envoyé :
>> 30 août 2021 11:22 À : Randall Gellens <rg+ietf@randy.pensive.org 
>> <mailto:rg+ietf@randy.pensive.org>> Cc
>> : ECRIT <ecrit@ietf.org <mailto:ecrit@ietf.org>> Objet : [EXT]Re: 
>> [Ecrit] planned-changes: two
>> questions
>>
>> Answer 1: yes.  Since there is going to be a revalidation, just 
>> deleting the setting seems right to me.
>> Answer 2: Up to server.  If I were implementing, I would hash the 
>> real ID with the URI and some kind of predictable nonce.
>>
>> We probably have to say more about how the server identifies the 
>> client, so that replacement of the URI works.  Could we say we use 
>> the domain of the URI (the entire domain with all the dots) to 
>> identify the client, and anything can occur after it (meaning a slash 
>> and whatever)?  If we do that, then how would delete the 
>> notification?  Force there to be something other than the domain 
>> (ugly).  Explicit delete request?
>>
>> Hmmm, we’ve opened a DoS attack: a rogue client stores a bunch of 
>> URIs for servers it wants to victimize.  In North America we have a 
>> real simple solution for that, because we have a PKI, so we know, for 
>> sure, who the client is, and could restrict who we allow to store 
>> URIs, but that wouldn’t be true in general.  Also, it would be nice 
>> for the client to have confidence the mechanism worked before it 
>> needed it.
>>
>> So
>> Let’s add a “command” to plannedChange in the findService 
>> request.
>> And, have the client have a response to the notification which is the
>> ID (json with the 200)
>>
>>
>> The client starts by sending a command of “initialize”.  The 
>> domain is the identity of the client.  The response is an immediate 
>> notification to the with whatever LI was in the request and an ID.  
>> The  response by the client (which is the notification web server) is 
>> a piece of json containing the ID.  We can say that the LI in this 
>> initialize command could be something simple like the Country Code 
>> that wouldn’t get a planned change.
>>
>> Thereafter, the LoST server (notification client) periodically 
>> repeats this keepalive notification every day or week with the 
>> initialize LI.  The client has to respond with the ID.
>>
>> The regular notification request is a command of “notify”.  The 
>> server ignores a request for notification from an uninitialized 
>> client.
>> The notification can be deleted with a command of “delete”.  If 
>> you delete the initialize LI, then the server won’t send any more 
>> notifications to that client and deletes all URIs it was saving for 
>> that client.  The client would have to re-initialize to reset.
>>
>> Brian
>>
>>
>>
>> On Aug 27, 2021, at 5:41 PM, Randall Gellens 
>> <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> wrote:
>>
>> I think we're moving to a model where:
>> - In a query, a client can request to be notified when the location
>> should be revalidated;
>> - In the response, the server provides an ID which the client
>> associates with the location it just validated;
>> - The server sends a notification to the URI, containing the ID;
>> - The client revalidates each location with which that ID is 
>> associated.
>>
>> Question 1: Does the server delete/inactivate the URI once it has 
>> sent the notification?
>>
>> Question 2: Presumably, when the client revalidates the location(s), 
>> it will again request notification.  Does the server return the same 
>> ID as before, or a different ID?  A different ID could perhaps be 
>> useful in edge cases where the server didn't send or the client 
>> didn't get the notification, but any utility seems small.  If it's 
>> the same ID, then the answer to question 1 can be that the URI 
>> remains active until the client asks to no longer be notified (by 
>> sending an empty URI?).
>>
>> --Randall
>>
>> _______________________________________________
>> Ecrit mailing list
>> Ecrit@ietf.org <mailto:Ecrit@ietf.org>
>> https://www.ietf.org/mailman/listinfo/ecrit 
>> <https://www.ietf.org/mailman/listinfo/ecrit>
>>
>> _______________________________________________
>> Ecrit mailing list
>> Ecrit@ietf.org <mailto:Ecrit@ietf.org>
>> https://www.ietf.org/mailman/listinfo/ecrit 
>> <https://www.ietf.org/mailman/listinfo/ecrit>
>> ----------------------------------------------------------------------
>> -------- External Email: Please use caution when opening links and
>> attachments / Courriel externe: Soyez prudent avec les liens et
>> documents joints
>>
>> ------------------------------------------------------------------------------
>> External Email: Please use caution when opening links and attachments 
>> / Courriel externe: Soyez prudent avec les liens et documents joints
>>
>>
>>
>> External Email: Please use caution when opening links and attachments 
>> / Courriel externe: Soyez prudent avec les liens et documents joints
>>
>> External Email: Please use caution when opening links and attachments 
>> / Courriel externe: Soyez prudent avec les liens et documents joints

v2.8.7 | Report a Bug | By Email