IETF Logo Mail Archive

Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt

Sam Hartman <hartmans@painless-security.com> Tue, 07 July 2015 15:25 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 158E81ACDE7 for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 08:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dY4itInkZZz0 for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 08:25:26 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46D3F1ACD0A for <gen-art@ietf.org>; Tue, 7 Jul 2015 08:24:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 94DFD20730; Tue, 7 Jul 2015 11:24:27 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2V-mjd0oLtBP; Tue, 7 Jul 2015 11:24:27 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-65-96-232-173.hsd1.ma.comcast.net [65.96.232.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 7 Jul 2015 11:24:27 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4C51488C32; Tue, 7 Jul 2015 11:24:43 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
References: <20150703040329.26422.22765.idtracker@ietfa.amsl.com> <913383AAA69FF945B8F946018B75898A478836EC@xmb-rcd-x10.cisco.com> <5599A773.40701@alum.mit.edu> <913383AAA69FF945B8F946018B75898A478868AF@xmb-rcd-x10.cisco.com> <559BE75E.9010904@alum.mit.edu>
Date: Tue, 07 Jul 2015 11:24:43 -0400
In-Reply-To: <559BE75E.9010904@alum.mit.edu> (Paul Kyzivat's message of "Tue, 07 Jul 2015 10:51:10 -0400")
Message-ID: <tslh9pgng78.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/rsWOvlcLrcfGJ-Z8GrBjpgpEYX8>
Cc: General Area Review Team <gen-art@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "draft-ietf-pcp-authentication.all@tools.ietf.org" <draft-ietf-pcp-authentication.all@tools.ietf.org>
Subject: Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 15:25:28 -0000

>>>>> "Paul" == Paul Kyzivat <pkyzivat@alum.mit.edu> writes:

    Paul> Do you agree with this conclusion? If not, please explain why
    Paul> you think my logic is wrong.

I partially agree with your conclusion.
I agree that we need a mechanism to resynchronize state, and I agree
that unsolicited announces aren't really good enough.

I think it's highly undesirable to permit some requests over a
five-tuple to be authenticated and some to not be authenticated.

You seem to be thinking of authentication as something that tends to
benefit the server.
In some deployments that's certainly true.
However, the client may gain significant benefit from:

* Gaining integrity protection over its communications

* Preventing third-parties from disrupting state it establishes.

So, for these reasons, I think it's very important that once a session
is established, only authenticated requests be accepted over that
five-tuple.

In addition, I think it's desirable that once a session is established,
a client be expected to re-authenticate if session state is lost, *not*
to send requests and let the server force re-authentication.

However, I do agree with you that we need a mechanism for the server to
indicate that it has lost state.
That's only a hint to the client.  Since that indication will not be
integrity-protected, it may be sent by an attacker.
A client MAY disregard it, for example if the client suspects a DOS
attack.  Generally, though a client SHOULD try and re-authenticate,
discarding the session state only when re-authentication is successful.

To get this right, it sounds like we need to:

* Describe how the server indicates session state lost

* Describe what clients do if the client is starting re-authentication
  but gets a response under the old session.  Presumably this is an
  indication that an attacker is trying to force re-authentication.

* Describe sufficient server behavior for what our client behavior is to
  work out well.  That is, if we say that when a client gains evidence
  the server actually does still have the session, we abandon the
  re-authentication, we need to make sure servers are still maintaining
  session state.

--Sam

v2.23.0 | Report a Bug | By Email