IETF Logo Mail Archive

Re: [Geopriv] WGLC: draft-ietf-geopriv-http-location-delivery-05.txt - cullen comments

Cullen Jennings <fluffy@cisco.com> Wed, 02 April 2008 01:58 UTC

Return-Path: <geopriv-bounces@ietf.org>
X-Original-To: geopriv-archive@megatron.ietf.org
Delivered-To: ietfarch-geopriv-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E7A33A6C47; Tue, 1 Apr 2008 18:58:40 -0700 (PDT)
X-Original-To: geopriv@core3.amsl.com
Delivered-To: geopriv@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6206F3A6B76 for <geopriv@core3.amsl.com>; Tue, 1 Apr 2008 18:58:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.484
X-Spam-Level:
X-Spam-Status: No, score=-1.484 tagged_above=-999 required=5 tests=[AWL=5.115, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1CQNmbwhaoyI for <geopriv@core3.amsl.com>; Tue, 1 Apr 2008 18:58:38 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 6862C3A69F4 for <geopriv@ietf.org>; Tue, 1 Apr 2008 18:58:38 -0700 (PDT)
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-3.cisco.com with ESMTP; 01 Apr 2008 18:58:38 -0700
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id m321wcv3015989; Tue, 1 Apr 2008 18:58:38 -0700
Received: from [192.168.4.177] (sjc-fluffy-vpn1.cisco.com [10.25.236.82]) by sj-core-1.cisco.com (8.13.8/8.13.8) with SMTP id m321vnf4012600; Wed, 2 Apr 2008 01:58:37 GMT
From: Cullen Jennings <fluffy@cisco.com>
To: Mary Barnes <mary.barnes@nortel.com>
In-Reply-To: <F66D7286825402429571678A16C2F5EE02B2A9AA@zrc2hxm1.corp.nortel.com>
Impp: xmpp:cullenfluffyjennings@jabber.org
References: <F66D7286825402429571678A16C2F5EE0209E1D9@zrc2hxm1.corp.nortel.com><933578BA-7701-4C7B-96CC-9FF2D2860C83@nostrum.com> <D3FD5CD1-565E-4727-84D9-516B5B5605D0@estacado.net> <04E4E912-3A2D-46A7-9AF6-A6737BA523EE@cisco.com> <F66D7286825402429571678A16C2F5EE028CB7E0@zrc2hxm1.corp.nortel.com> <47E8140A.2020208@bbn.com> <F66D7286825402429571678A16C2F5EE02B2A9AA@zrc2hxm1.corp.nortel.com>
Message-Id: <347E37E7-0889-4CC5-BF32-1892D1B5218E@cisco.com>
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Tue, 01 Apr 2008 18:58:30 -0700
X-Mailer: Apple Mail (2.919.2)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5259; t=1207101518; x=1207965518; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fluffy@cisco.com; z=From:=20Cullen=20Jennings=20<fluffy@cisco.com> |Subject:=20Re=3A=20WGLC=3A=20draft-ietf-geopriv-http-locat ion-delivery-05.txt=20-=20cullen=20comments |Sender:=20; bh=nE8CtV9Idbwky19Ad+CKu6BbJoQVjNwm8dcBaAU3rDU=; b=YLhiv9oGT8VTya6vt34GK57zwupTMHIczbUlWrlgDBvGHiQyD0UkP9COQq QcuDWYoLldJbWmBWDkXL2FCETc57u7osskSvt6xJH3IUApS1WT7PyHOE4GAJ bg1yRs3kRDQ2JNM94nncSl8g4gqnVtgbpb9q7+OhugrBH3EbX7SKg=;
Authentication-Results: sj-dkim-1; header.From=fluffy@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: GEOPRIV <geopriv@ietf.org>
Subject: Re: [Geopriv] WGLC: draft-ietf-geopriv-http-location-delivery-05.txt - cullen comments
X-BeenThere: geopriv@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Geographic Location/Privacy <geopriv.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:geopriv@ietf.org>
List-Help: <mailto:geopriv-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: geopriv-bounces@ietf.org
Errors-To: geopriv-bounces@ietf.org

Sorry was on vacation last week (or trying to be) and just read this.  
Richard's text for the IP Address issue looks good to me.


On Apr 1, 2008, at 2:04 PM, Mary Barnes wrote:
> Group and Cullen,
>
> Are you all okay with the simplified text Richard has proposed for the
> current section 10.1.1?  I believe it addresses the concerns raised by
> Cullen and Hannes on the security section.  I would rather get the
> feedback now and be able to ship the -06 than to receive feedback  
> after
> the -06 is out.
>
> Thanks,
> Mary.
>
> -----Original Message-----
> From: Richard Barnes [mailto:rbarnes@bbn.com]
> Sent: Monday, March 24, 2008 3:50 PM
> To: Barnes, Mary (RICH2:AR00)
> Cc: Cullen Jennings; GEOPRIV
> Subject: Re: WGLC: draft-ietf-geopriv-http-location-delivery-05.txt -
> cullen comments
>
> Cullen, Mary,
>
> When I suggested the text for 10.1.1, para 3, I had momentarily
> forgotten about RFC 2818 and the iPAddress subjectAltName.  We do need
> slightly more than "Use RFC 2818", since RFC 2818 only applies to the
> HTTP binding, and we also want to say that the same checks should be
> available for other bindings.  I suggest that section 10.1.1 be
> condensed to the following:
>
> "
> This document assumes that the LIS to be contacted is identified  
> either
> by an IP address or a domain name, as is the case for a LIS discovered
> via [ID.ietf-geopriv-lis-discovery].  When the HELD transaction is
> conducted using TLS [RFC2246], the LIS can authenticate its identity
> (either as a domain name or as an IP address) to the client by
> presenting a certificate containing that identifier as a  
> subjectAltName
> (i.e., as an iPAddress or dNSName, respectively).  (In the case of the
> HTTP binding described above, this is exactly the authentication
> described by [RFC2818])  Any binding of HELD MUST be capable of being
> transacted over TLS so that the client can request the above
> authentication, and a LIS implementation for a binding MUST include  
> this
> feature.  Note that in order for the presented certificate to be valid
> at the client, the client must be able to validate the certificate; in
> particular, the validation path of the certificate must end in one of
> the client's trust anchors, even if that trust anchor is the LIS
> certificate itself.
> "
>
> Good catch, Cullen, thanks.
> --RB
>
>> Section 10.1.1, 3rd para. I find all this pretty hand wavy to
>> understand how reverse DNS lookups to to find a host name then hope
>> the server certificate matches the hostname will actually achieve the
>> security goals. In scenarios that I have heard about  where people
>> don't want to use a DNS name for the LIS, it is because they want it
>> to work without DNS. I would think a better solution for LIS that
>> don't want to have a DNS name would be to say that if the LIS was
>> identified by a IP address and TLS was used, then the certificate
>> needed to have the servers IP address as one of the entries of type
> ipAddress in the SubjectAltName.
>> If we did this, servers with IP addresses would work petty much like
>> servers with DNS names and for the cases where the LIS was identified
>> with an IP address, and no DNS would be used.
>> [MB]  This is a good point and I welcome feedback from others  
>> (Richard
>
>> in particular, whom I've cc'ed) on this topic. We did not have the
>> reverse DNS lookups as part of the security solution until this
>> version, so this is all new text, with some new concepts. [/MB]
>
> [RLB]
> Cullen: Good point.  I had momentarily forgotten about RFC 2818 when I
> suggested this mechanisms, and in fact, your suggestion is what's
> actually in RFC 2818.  This part should just say "Use RFC 2818
> mechanisms to authenticate that the LIS you're talking to  
> corresponds to
> the DNS name or IP address you used to contact it".
> [/RLB]
>
>>
>> Section 10.1.1, 3rd para, last sentence and last point in section
>> 10.3: The IP Spoofing issues. This doc normatively references and
>> suggests domains SHOULD do the things in [5] and [9] (RFC 2827 and
>> 3704). This worried me because it is pretty clear that lots of
>> networks will not follow this advice and I started thinking about how
>> much worse does the security of LOST get if you don't do either of
>> these. I'm not actually convinced that it makes much difference. If  
>> an
>
>> attacker can only spoof a source address but can't change the routing
>> such that the responses to that address come back to them, as the
>> document discuss, there is no big deal because a request is not  
>> routed
>
>> to them. To be more specific, the attacker does not even manage to  
>> set
> up a TCP connection.
>> Now clearly 2827 is a general good idea but not sure it actually is
>> relevant to this document. I think it would be worth considering if
>> this makes sense or not and if this could just be removed.
>> [MB] I'm slightly confused by your reference to LOST above, but see
>> your point about considering whether this concept is useful for HELD.
>> And, per the point above, would appreciate feedback from others as to
>> whether this should be removed. [/MB]
>
>

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

v2.23.0 | Report a Bug | By Email