IETF Logo Mail Archive

Re: [Ecrit] planned-changes: two questions

Brian Rosen <br@brianrosen.net> Wed, 01 September 2021 23:16 UTC

Return-Path: <br@brianrosen.net>
X-Original-To: ecrit@ietfa.amsl.com
Delivered-To: ecrit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2A2C3A1D63 for <ecrit@ietfa.amsl.com>; Wed, 1 Sep 2021 16:16:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brianrosen-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MoZ1oSgejBxJ for <ecrit@ietfa.amsl.com>; Wed, 1 Sep 2021 16:16:41 -0700 (PDT)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B56F3A1D65 for <ecrit@ietf.org>; Wed, 1 Sep 2021 16:16:41 -0700 (PDT)
Received: by mail-il1-x131.google.com with SMTP id x5so975142ill.3 for <ecrit@ietf.org>; Wed, 01 Sep 2021 16:16:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brianrosen-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=4FtIasZAZXSkll3wylHOLqyA8FIh4/n3sKe2/i4+8SI=; b=sd1awDEd0i87BTQHVNOKEBXnCEkj3PXa8rFU1dhqchFHhMDaoGg/ebOGyv9w8JpMzp EPCwPaXYAbpR7ueYfTfZcRT+UKtC+gu+UjFi2P4iy4vnXuFKp0qisnK9T1SDv1O5uHAO eIBw6/0bdwpEohCFbLCsbfEvwLRa2Jv8vy80Q4llJZ9HJtt8g9FLiOpKmnJIDrzdC3kE E+syEeu5UcwJ4iBtBv3svJ5liaubUmd9ReGjvi/JrOIRwXaF6wLohOcXCycossAL5cii nhjMpHmkew7pFFk7rrIRLvREknKPgDpFt5tIRtddWsgBNg2pyHWK/qZcHpoNpTWVBEhz bwyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=4FtIasZAZXSkll3wylHOLqyA8FIh4/n3sKe2/i4+8SI=; b=IjNIP6M14Cibipn37kA3tonKTurWU9xQhFclEi0d/+8IOVhxj9MnXUYUroTsnohFgc XzsBPH94txgAW8swjbR/yL6C1Ovz40S86k7IkJyNJZxs5ezOZ+OYjakrhCh2UhUFbtN2 BmtO23DNgnzEYSQ3drcp1ZDan3i17O4nzh0JKZvDXnwlf69YxNDN6NMEbAqTC58dJxee tR9EAHqDmwCkP0GFVUCTgjZfBX9MoqDoeyYkjv8DfNb91IrB54hDFPNqaHdqpdMstGZw PuS4inJF2SnJtpNa7gcqV20l+reObe4bsYl7c2zVz0YQfvKHgRP+5e+RBcCRcCemekCG N3pg==
X-Gm-Message-State: AOAM530fjTpMWM0pfkAEmaH067QHs5O1FIxGSsQ17RkZLtJFSTcfIjKZ CERMJ4N4O5l0PZ+JLNDggw2taA==
X-Google-Smtp-Source: ABdhPJzKlWRHrt0qY1/24WhC5gdDDiqTN7VTsbXk8W5WBriSZHUf7aIEc7VGvG375pLNIDSXcbogNw==
X-Received: by 2002:a05:6e02:130e:: with SMTP id g14mr125551ilr.81.1630538199132; Wed, 01 Sep 2021 16:16:39 -0700 (PDT)
Received: from smtpclient.apple (dynamic-acs-24-154-121-237.zoominternet.net. [24.154.121.237]) by smtp.gmail.com with ESMTPSA id m26sm589559ioj.54.2021.09.01.16.16.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 Sep 2021 16:16:38 -0700 (PDT)
From: Brian Rosen <br@brianrosen.net>
Message-Id: <CF2E8EDC-B38D-4742-B317-F3CE3E831578@brianrosen.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7680B651-6AD1-47C8-B002-FA7840D414B0"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Wed, 01 Sep 2021 19:16:37 -0400
In-Reply-To: <2b4abbef37be4131a87471af75b6e7da@bell.ca>
Cc: Randall Gellens <rg+ietf@randy.pensive.org>, ECRIT <ecrit@ietf.org>
To: "Caron, Guy" <g.caron@bell.ca>
References: <A0FC259C-DF34-4496-9013-422006278DA6@randy.pensive.org> <FB2A33E8-E146-404B-B150-1496C40510EF@brianrosen.net> <5577e2e6daa4405bbe12ef61675e1f55@bell.ca> <DE195D79-5A01-48EE-95CA-6C4B82E0886D@brianrosen.net> <e6e17f501711441188119cdfbe384d3d@bell.ca> <3AD58DEC-1DC9-4BC0-B55C-4E782E4AAA74@brianrosen.net> <E20342E7-2EFB-4479-96C2-85B4B7E16989@randy.pensive.org> <A7D59E8E-A014-4CC8-A0FF-5F58E81C6D4A@brianrosen.net> <2b4abbef37be4131a87471af75b6e7da@bell.ca>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ecrit/tnsgKEnfqdCQunPkET8JUK8Po8E>
Subject: Re: [Ecrit] planned-changes: two questions
X-BeenThere: ecrit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Emergency Context Resolution with Internet Technologies <ecrit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ecrit/>
List-Post: <mailto:ecrit@ietf.org>
List-Help: <mailto:ecrit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2021 23:16:48 -0000

Inline

> On Sep 1, 2021, at 3:28 PM, Caron, Guy <g.caron@bell.ca> wrote:
> 
> Ok. You have convinced me of the necessity of validating the URI before the Server stores it and that the security considerations in RFC5222 do not cover this threat.
>  
> I observe that this vulnerability was already mentioned in the Security section of the planned-changes draft:
>  
> The server is subject to abuse by clients because it is being asked to store something and may need to send data to an uncontrolled URI.
>  
> However, the original threat vector and associated response is probably insufficient to cover the DoS you raised, hence this new proposal to test the URI.
>  
> So, I’m conceptually favorable to adding a mechanism to test the URI before being stored by the Server.
Good

>  
> I would like this mechanism to be as simple as possible and I think the goals can be achieved by testing the URI and receiving a response with at least one of the IDs previously supplied by the Server. I would leave it to policy at the Server to determine when and how often the URIs would be tested, with a recommendation (MUST? SHOULD?) to test it upon reception before storing it.
I think you are suggesting we add text that says the LoST server can send a notification to the LoST client that has no changes, and just serves as a keep alive.  I’m sure we can make that work but generally, I find this kind of implicit test to be less satisfactory than an explicit keep alive transaction.   I get that an actual change may not be seen as a change to the client, and thus it works with no real code, but it doesn’t seem as clean as an explicit keep alive.  I’d be interested in herring from others on that
>  
> We probably need to say something about what to do if the URI test fails. Do we inform the Client that provided the URI that it may have been compromised? Do we simply drop the URI silently? Do we block the Client that provided the URI entirely?
At minimum wait and try again, the client could be down for a while.  I would not allow a lot of location records to be marked with the URI that didn’t test valid.

I am somewhat leery of creating circumstances where the client has to go through and revalidate it’s entire record set because the mechanism failed in some way.  There clearly would be circumstances where that happened, but missing a keep alive shouldn’t be one of them.  The initial one however should be a hard block.  If you can’t get the first ID returned, then we have to not accept other registrations.
>  
> I’m not sure if the <command> thing is necessary since it requires the Server to keep state. I would think that if the URI has been tested and stored, it means it is active and valid until it is deleted through the reception of an empty <plannedChange> for example, or replaced through the reception of a new URI in <plannedChange>.
I don’t think there is any server state other than the URI is valid.  Each transaction stands alone.  

Without the delete, you can’t remove one location record from the set that gets notified of planned changes.  You can change the URI, but that changes it for all notifications.  

>  
> Lastly, I’m not sure we still need the warning ‘uriNotStored’ given that we’re going with one generic URI per Client. The only argument I can think of for keeping it would be the proliferation of Clients within the coverage aria of the Server that would be so large that the Server couldn’t store them all. A counter argument to that would be that doing so could be seen as giving privileges to certain Clients over others.

We’re creating circumstances where the client won’t get a notification.  I think we need to tell them that.  

One limit I might put on a client is how many locations they can ask to be notified.  If they try to set up a situation where no matter what changed, they get a notification, I think that may be too much to ask, and the server can have a limit.  It would be okay if it’s one URI per valid record at the LIS, but the LoST server doesn’t have that data.
>  
> Thanks,
>  
> Guy
>  
>  
> De : Brian Rosen <br@brianrosen.net> 
> Envoyé : 31 août 2021 13:54
> À : Randall Gellens <rg+ietf@randy.pensive.org>
> Cc : Caron, Guy <g.caron@bell.ca>; ECRIT <ecrit@ietf.org>
> Objet : [EXT]Re: [Ecrit] planned-changes: two questions
>  
> Of course an attacker would conceal itself and register multiple URIs under different identities.  But the bigger  problem is that if a large planned change occurred, the victim could receive a large number of notifications it didn’t expect.
>  
> With a test transition, we know that the client expects to see notifications, we only need one per URI (we could specify one per domain — after the scheme and before the first slash).  If we don’t get the ID, we know not to allow that URI to be provisioned.  So it’s one test transaction vs a large number of planned change transactions.
>  
> Brian
>  
> 
> 
> On Aug 31, 2021, at 1:35 PM, Randall Gellens <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> wrote:
>  
> If a malicious client registers a URI that is designed to attack a third site, the test transaction causes the LoST server to connect to it and POST a command. Without a test transaction, the LoST server stores the URI and at a future time connects to it and sends a command. Either way, a LoST client can register potentially one URI per queried location, and a LoST server will connect to that URI and POST a message. A queried location could be tied to many other locations, so there could be many locations for which a change would trigger the LoST server to use the URI, but is that worse?
> --Randall
> On 31 Aug 2021, at 10:27, Brian Rosen wrote:
> If the work group wants to have the LoST server keep the URI until expressly deleted, that’s okay with me.
>  
> Authenticating the client to the server doesn’t mean the URI is authenticated.  We can’t restrict the URI to be the same entity as the client running the LoST transaction.  And the clients are wide ranging.  Could be an enterprise running its own LIS for example.  We can’t assume the North American PKI is workable everywhere, and even that doesn’t extend to an enterprise LIS.  ISTM we have to run a test transaction with the notification service to make sure it’s what we think it is.
>  
> Brian
>  
>  
> 
> 
> On Aug 31, 2021, at 9:01 AM, Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>> wrote:
>  
> Inline.
> 
> Guy
> 
> -----Message d'origine-----
> De : Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> 
> Envoyé : 31 août 2021 08:11
> À : Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>>
> Cc : Randall Gellens <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>>; ECRIT <ecrit@ietf.org <mailto:ecrit@ietf.org>>
> Objet : [EXT]Re: [Ecrit] planned-changes: two questions
> 
> You delete the URI when you delete the record in the LIS.
> [GC] That's fine but that was not the question Randall posed. He asked whether the URI is deleted after a notification. I agree that if the Client does not host the location anymore that the URI associated with that location in the Server should be deleted. This could be achieved with an empty <plannedChange>.
> 
> I don’t think this is covered in 5222.  The mechanism causes the LoST server to send notifications to the client, but the client is allowed to put any URI in the record, and it can add it to as many records as it wants.
> [GC] I thought we agreed on using one generic URI per Client. Clients should be authenticated by the Servers.
>  An evil implementation could record URIs against multiple targets that were unaware that the evil implementation did it, until they got a large number of PUSH transactions they didn’t expect or understand as a result of a large planned change.
> [GC] Only authenticated Clients should be allowed to provide URIs to be stored by the Servers.
> 
> The proposed mechanism qualifies the client URI before its used in a planned change.
> 
> Brian
> 
> 
> On Aug 31, 2021, at 7:37 AM, Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>> wrote:
> 
> Well, this is not going in the direction I thought.
> 
> What is the purpose of deleting the URIs at the Server post-validation?
> 
> Regarding opening a new DoS, I guess I'm not following. Wouldn't this case be covered by the security considerations in RFC 5222?
> 
> What you're proposing puts back significant load on the Servers (a key consideration for creating planned-changes in the first place) and complicates the mechanism.
> 
> Guy
> 
> 
> -----Message d'origine-----
> De : Ecrit <ecrit-bounces@ietf.org <mailto:ecrit-bounces@ietf.org>> De la part de Brian Rosen Envoyé : 
> 30 août 2021 11:22 À : Randall Gellens <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> Cc 
> : ECRIT <ecrit@ietf.org <mailto:ecrit@ietf.org>> Objet : [EXT]Re: [Ecrit] planned-changes: two 
> questions
> 
> Answer 1: yes.  Since there is going to be a revalidation, just deleting the setting seems right to me.
> Answer 2: Up to server.  If I were implementing, I would hash the real ID with the URI and some kind of predictable nonce.  
> 
> We probably have to say more about how the server identifies the client, so that replacement of the URI works.  Could we say we use the domain of the URI (the entire domain with all the dots) to identify the client, and anything can occur after it (meaning a slash and whatever)?  If we do that, then how would delete the notification?  Force there to be something other than the domain (ugly).  Explicit delete request?
> 
> Hmmm, we’ve opened a DoS attack: a rogue client stores a bunch of URIs for servers it wants to victimize.  In North America we have a real simple solution for that, because we have a PKI, so we know, for sure, who the client is, and could restrict who we allow to store URIs, but that wouldn’t be true in general.  Also, it would be nice for the client to have confidence the mechanism worked before it needed it.
> 
> So
> Let’s add a “command” to plannedChange in the findService request.  
> And, have the client have a response to the notification which is the 
> ID (json with the 200)
> 
> 
> The client starts by sending a command of “initialize”.  The domain is the identity of the client.  The response is an immediate notification to the with whatever LI was in the request and an ID.  The  response by the client (which is the notification web server) is a piece of json containing the ID.  We can say that the LI in this initialize command could be something simple like the Country Code that wouldn’t get a planned change.
> 
> Thereafter, the LoST server (notification client) periodically repeats this keepalive notification every day or week with the initialize LI.  The client has to respond with the ID.
> 
> The regular notification request is a command of “notify”.  The server ignores a request for notification from an uninitialized client.
> The notification can be deleted with a command of “delete”.  If you delete the initialize LI, then the server won’t send any more notifications to that client and deletes all URIs it was saving for that client.  The client would have to re-initialize to reset.
> 
> Brian
> 
> 
> On Aug 27, 2021, at 5:41 PM, Randall Gellens <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> wrote:
> 
> I think we're moving to a model where:
> - In a query, a client can request to be notified when the location 
> should be revalidated;
> - In the response, the server provides an ID which the client 
> associates with the location it just validated;
> - The server sends a notification to the URI, containing the ID;
> - The client revalidates each location with which that ID is associated.
> 
> Question 1: Does the server delete/inactivate the URI once it has sent the notification?
> 
> Question 2: Presumably, when the client revalidates the location(s), it will again request notification.  Does the server return the same ID as before, or a different ID?  A different ID could perhaps be useful in edge cases where the server didn't send or the client didn't get the notification, but any utility seems small.  If it's the same ID, then the answer to question 1 can be that the URI remains active until the client asks to no longer be notified (by sending an empty URI?).
> 
> --Randall
> 
> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org <mailto:Ecrit@ietf.org>
> https://www.ietf.org/mailman/listinfo/ecrit <https://www.ietf.org/mailman/listinfo/ecrit>
> 
> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org <mailto:Ecrit@ietf.org>
> https://www.ietf.org/mailman/listinfo/ecrit <https://www.ietf.org/mailman/listinfo/ecrit>
> ----------------------------------------------------------------------
> -------- External Email: Please use caution when opening links and 
> attachments / Courriel externe: Soyez prudent avec les liens et 
> documents joints
> 
> ------------------------------------------------------------------------------
> External Email: Please use caution when opening links and attachments / Courriel externe: Soyez prudent avec les liens et documents joints
>  
>  
> External Email: Please use caution when opening links and attachments / Courriel externe: Soyez prudent avec les liens et documents joints

v2.23.0 | Report a Bug | By Email