Re: [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
Alan DeKok <aland@deployingradius.com> Sun, 03 March 2024 23:02 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 889D3C14F603; Sun, 3 Mar 2024 15:02:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oIBqF82KHn6z; Sun, 3 Mar 2024 15:02:24 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92E73C14E515; Sun, 3 Mar 2024 15:02:15 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 1FE612A3; Sun, 3 Mar 2024 23:02:11 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <c7a59cf9-b5f0-40bf-9c9b-496fdf89484a@app.fastmail.com>
Date: Sun, 03 Mar 2024 18:02:10 -0500
Cc: David Mandelberg <david@mandelberg.org>, secdir@ietf.org, draft-ietf-emu-rfc7170bis.all@ietf.org, EMU WG <emu@ietf.org>, last-call@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E6327251-F06D-4022-80B5-5AD6C85836E4@deployingradius.com>
References: <170934966282.22720.15728977796194077360@ietfa.amsl.com> <2A5A060E-241C-433E-A281-037BA1D53437@deployingradius.com> <c7a59cf9-b5f0-40bf-9c9b-496fdf89484a@app.fastmail.com>
To: Alexander Clouter <alex+ietf@coremem.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/HmFUqHwTbnncpnfLr_YUx7ZPaT4>
Subject: Re: [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Mar 2024 23:02:29 -0000
On Mar 3, 2024, at 2:05 PM, Alexander Clouter <alex+ietf@coremem.com> wrote: > Took me a moment to figure out what David was pointing to but I think you are incorrect. > > In Section 5.3 (Computing the Compound MAC), you are calculating the MAC through blind concatenation and there is no machinery in there to distinguish "this bit was in the server->peer" and "this bit was in the peer->server"; unfortunately if only a NUL byte has been used to join the concatenation it could have fixed this. > > So the idea is an attacker could strip off the *last* Outer-TLV and instead graft it as an Outer-TLV to the following packet in the opposite direction. The MACs would then match. The attacker has to do this in both directions, as each end calculates the compound MAC using what it sent (cached locally), and what it received (potentially modified by the attacker). But as David said, I don't think this will accomplish anything in practice. The attacker can modify the server -> peer exchange to add an Outer-TLV, but can only add an Outer TLV which the peer is expected to send to the server. And the list of TLVs is limited by the table in Section 4.3.1: Request Response Success Failure TLVs 0-1 0 0 0 Authority-ID 0-1 0-1 0 0 Identity-Type 0+ 0+ 0 0 Vendor-Specific I'm at a loss for what bad things will happen here. If an on-path attacker wants to cause the session to fail, he can just mangle *all* of the data, and cause the session to fail that way. Why play games with outer TLVs? The only thing the attacker could do is add an Identity-Hint (server to peer) which the peer will send anyways. So that won't change anything. The Vendor-Specific TLVs might be more problematic. Perhaps we should just forbid them as Outer TLVs? > My proposal would be to just use a dummy (marked optional) Outer-TLV that would be ignored by the other end to avoid this problem; sort of like GREASE...but to fix an insecurity instead. I think that changes existing implementations. Unless the recommendation is for each end to add a dummy Outer-TLV which implementations are *known* to ignore. Alan DeKok.
- [Emu] Secdir last call review of draft-ietf-emu-r… David Mandelberg via Datatracker
- Re: [Emu] Secdir last call review of draft-ietf-e… Alexander Clouter
- Re: [Emu] Secdir last call review of draft-ietf-e… David Mandelberg
- Re: [Emu] [secdir] Secdir last call review of dra… Alan DeKok
- Re: [Emu] Secdir last call review of draft-ietf-e… Alexander Clouter
- Re: [Emu] Secdir last call review of draft-ietf-e… Alan DeKok
- Re: [Emu] Secdir last call review of draft-ietf-e… Alexander Clouter
- Re: [Emu] Secdir last call review of draft-ietf-e… Alan DeKok
- Re: [Emu] Secdir last call review of draft-ietf-e… Alexander Clouter