IETF Logo Mail Archive

Re: [Ecrit] planned-changes: two questions

Randall Gellens <rg+ietf@randy.pensive.org> Tue, 31 August 2021 17:35 UTC

Return-Path: <rg+ietf@randy.pensive.org>
X-Original-To: ecrit@ietfa.amsl.com
Delivered-To: ecrit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 730733A1EEC for <ecrit@ietfa.amsl.com>; Tue, 31 Aug 2021 10:35:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.878
X-Spam-Level:
X-Spam-Status: No, score=-1.878 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_FORGED_RELAY_MUA_TO_MX=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5-wrcaQrNM8z for <ecrit@ietfa.amsl.com>; Tue, 31 Aug 2021 10:35:35 -0700 (PDT)
Received: from turing.pensive.org (turing.pensive.org [99.111.97.161]) by ietfa.amsl.com (Postfix) with ESMTP id 48F9C3A1EE9 for <ecrit@ietf.org>; Tue, 31 Aug 2021 10:35:35 -0700 (PDT)
Received: from [99.111.97.181] (99.111.97.161) by turing.pensive.org with ESMTP (EIMS X 3.3.9); Tue, 31 Aug 2021 10:35:34 -0700
From: "Randall Gellens" <rg+ietf@randy.pensive.org>
To: "Brian Rosen" <br@brianrosen.net>
Cc: "Caron, Guy" <g.caron@bell.ca>, ECRIT <ecrit@ietf.org>
Date: Tue, 31 Aug 2021 10:35:33 -0700
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <E20342E7-2EFB-4479-96C2-85B4B7E16989@randy.pensive.org>
In-Reply-To: <3AD58DEC-1DC9-4BC0-B55C-4E782E4AAA74@brianrosen.net>
References: <A0FC259C-DF34-4496-9013-422006278DA6@randy.pensive.org> <FB2A33E8-E146-404B-B150-1496C40510EF@brianrosen.net> <5577e2e6daa4405bbe12ef61675e1f55@bell.ca> <DE195D79-5A01-48EE-95CA-6C4B82E0886D@brianrosen.net> <e6e17f501711441188119cdfbe384d3d@bell.ca> <3AD58DEC-1DC9-4BC0-B55C-4E782E4AAA74@brianrosen.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_122F53A7-DD6A-4878-BB89-D1C436425E4C_="
Embedded-HTML: [{"HTML":[989, 28109], "plain":[658, 7339], "uuid":"85167882-4707-4DA7-AF04-D76EDFA3EC1F"}]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ecrit/zNqQrk4x6Z0KCpsMgmorUIPWfWA>
Subject: Re: [Ecrit] planned-changes: two questions
X-BeenThere: ecrit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Emergency Context Resolution with Internet Technologies <ecrit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ecrit/>
List-Post: <mailto:ecrit@ietf.org>
List-Help: <mailto:ecrit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2021 17:35:42 -0000

If a malicious client registers a URI that is designed to attack a third 
site, the test transaction causes the LoST server to connect to it and 
POST a command.  Without a test transaction, the LoST server stores the 
URI and at a future time connects to it and sends a command.  Either 
way, a LoST client can register potentially one URI per queried 
location, and a LoST server will connect to that URI and POST a message. 
  A queried location could be tied to many other locations, so there 
could be many locations for which a change would trigger the LoST server 
to use the URI, but is that worse?

--Randall

On 31 Aug 2021, at 10:27, Brian Rosen wrote:

> If the work group wants to have the LoST server keep the URI until 
> expressly deleted, that’s okay with me.
>
> Authenticating the client to the server doesn’t mean the URI is 
> authenticated.  We can’t restrict the URI to be the same entity as 
> the client running the LoST transaction.  And the clients are wide 
> ranging.  Could be an enterprise running its own LIS for example.  We 
> can’t assume the North American PKI is workable everywhere, and even 
> that doesn’t extend to an enterprise LIS.  ISTM we have to run a 
> test transaction with the notification service to make sure it’s 
> what we think it is.
>
> Brian
>
>
>
>> On Aug 31, 2021, at 9:01 AM, Caron, Guy <g.caron@bell.ca> wrote:
>>
>> Inline.
>>
>> Guy
>>
>> -----Message d'origine-----
>> De : Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>>
>> Envoyé : 31 août 2021 08:11
>> À : Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>>
>> Cc : Randall Gellens <rg+ietf@randy.pensive.org 
>> <mailto:rg+ietf@randy.pensive.org>>; ECRIT <ecrit@ietf.org 
>> <mailto:ecrit@ietf.org>>
>> Objet : [EXT]Re: [Ecrit] planned-changes: two questions
>>
>> You delete the URI when you delete the record in the LIS.
>> [GC] That's fine but that was not the question Randall posed. He 
>> asked whether the URI is deleted after a notification. I agree that 
>> if the Client does not host the location anymore that the URI 
>> associated with that location in the Server should be deleted. This 
>> could be achieved with an empty <plannedChange>.
>>
>> I don’t think this is covered in 5222.  The mechanism causes the 
>> LoST server to send notifications to the client, but the client is 
>> allowed to put any URI in the record, and it can add it to as many 
>> records as it wants.
>> [GC] I thought we agreed on using one generic URI per Client. Clients 
>> should be authenticated by the Servers.
>>  An evil implementation could record URIs against multiple targets 
>> that were unaware that the evil implementation did it, until they got 
>> a large number of PUSH transactions they didn’t expect or 
>> understand as a result of a large planned change.
>> [GC] Only authenticated Clients should be allowed to provide URIs to 
>> be stored by the Servers.
>>
>> The proposed mechanism qualifies the client URI before its used in a 
>> planned change.
>>
>> Brian
>>
>>> On Aug 31, 2021, at 7:37 AM, Caron, Guy <g.caron@bell.ca> wrote:
>>>
>>> Well, this is not going in the direction I thought.
>>>
>>> What is the purpose of deleting the URIs at the Server 
>>> post-validation?
>>>
>>> Regarding opening a new DoS, I guess I'm not following. Wouldn't 
>>> this case be covered by the security considerations in RFC 5222?
>>>
>>> What you're proposing puts back significant load on the Servers (a 
>>> key consideration for creating planned-changes in the first place) 
>>> and complicates the mechanism.
>>>
>>> Guy
>>>
>>>
>>> -----Message d'origine-----
>>> De : Ecrit <ecrit-bounces@ietf.org> De la part de Brian Rosen 
>>> Envoyé :
>>> 30 août 2021 11:22 À : Randall Gellens <rg+ietf@randy.pensive.org> 
>>> Cc
>>> : ECRIT <ecrit@ietf.org> Objet : [EXT]Re: [Ecrit] planned-changes: 
>>> two
>>> questions
>>>
>>> Answer 1: yes.  Since there is going to be a revalidation, just 
>>> deleting the setting seems right to me.
>>> Answer 2: Up to server.  If I were implementing, I would hash the 
>>> real ID with the URI and some kind of predictable nonce.
>>>
>>> We probably have to say more about how the server identifies the 
>>> client, so that replacement of the URI works.  Could we say we use 
>>> the domain of the URI (the entire domain with all the dots) to 
>>> identify the client, and anything can occur after it (meaning a 
>>> slash and whatever)?  If we do that, then how would delete the 
>>> notification?  Force there to be something other than the domain 
>>> (ugly).  Explicit delete request?
>>>
>>> Hmmm, we’ve opened a DoS attack: a rogue client stores a bunch of 
>>> URIs for servers it wants to victimize.  In North America we have a 
>>> real simple solution for that, because we have a PKI, so we know, 
>>> for sure, who the client is, and could restrict who we allow to 
>>> store URIs, but that wouldn’t be true in general.  Also, it would 
>>> be nice for the client to have confidence the mechanism worked 
>>> before it needed it.
>>>
>>> So
>>> Let’s add a “command” to plannedChange in the findService 
>>> request.
>>> And, have the client have a response to the notification which is 
>>> the
>>> ID (json with the 200)
>>>
>>>
>>> The client starts by sending a command of “initialize”.  The 
>>> domain is the identity of the client.  The response is an immediate 
>>> notification to the with whatever LI was in the request and an ID.  
>>> The  response by the client (which is the notification web server) 
>>> is a piece of json containing the ID.  We can say that the LI in 
>>> this initialize command could be something simple like the Country 
>>> Code that wouldn’t get a planned change.
>>>
>>> Thereafter, the LoST server (notification client) periodically 
>>> repeats this keepalive notification every day or week with the 
>>> initialize LI.  The client has to respond with the ID.
>>>
>>> The regular notification request is a command of “notify”.  The 
>>> server ignores a request for notification from an uninitialized 
>>> client.
>>> The notification can be deleted with a command of “delete”.  If 
>>> you delete the initialize LI, then the server won’t send any more 
>>> notifications to that client and deletes all URIs it was saving for 
>>> that client.  The client would have to re-initialize to reset.
>>>
>>> Brian
>>>
>>>> On Aug 27, 2021, at 5:41 PM, Randall Gellens 
>>>> <rg+ietf@randy.pensive.org> wrote:
>>>>
>>>> I think we're moving to a model where:
>>>> - In a query, a client can request to be notified when the location
>>>> should be revalidated;
>>>> - In the response, the server provides an ID which the client
>>>> associates with the location it just validated;
>>>> - The server sends a notification to the URI, containing the ID;
>>>> - The client revalidates each location with which that ID is 
>>>> associated.
>>>>
>>>> Question 1: Does the server delete/inactivate the URI once it has 
>>>> sent the notification?
>>>>
>>>> Question 2: Presumably, when the client revalidates the 
>>>> location(s), it will again request notification.  Does the server 
>>>> return the same ID as before, or a different ID?  A different ID 
>>>> could perhaps be useful in edge cases where the server didn't send 
>>>> or the client didn't get the notification, but any utility seems 
>>>> small.  If it's the same ID, then the answer to question 1 can be 
>>>> that the URI remains active until the client asks to no longer be 
>>>> notified (by sending an empty URI?).
>>>>
>>>> --Randall
>>>>
>>>> _______________________________________________
>>>> Ecrit mailing list
>>>> Ecrit@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ecrit
>>>
>>> _______________________________________________
>>> Ecrit mailing list
>>> Ecrit@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ecrit
>>> ----------------------------------------------------------------------
>>> -------- External Email: Please use caution when opening links and
>>> attachments / Courriel externe: Soyez prudent avec les liens et
>>> documents joints
>>
>> ------------------------------------------------------------------------------
>> External Email: Please use caution when opening links and attachments 
>> / Courriel externe: Soyez prudent avec les liens et documents joints

v2.8.7 | Report a Bug | By Email