Re: [Idr] WG Adoption call for draft-snijders-idr-shutdown (11/16 to 11/30)

Job Snijders <job@ntt.net> Mon, 21 November 2016 16:54 UTC

Date: Mon, 21 Nov 2016 17:54:18 +0100
From: Job Snijders <job@ntt.net>
To: Martin Hannigan <Martin.Hannigan@microsoft.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/2LKPFO6A0EU96bQf79QLPfJu2h4>
Cc: 'idr wg' <idr@ietf.org>

On Sun, Nov 20, 2016 at 08:04:54PM +0000, Martin Hannigan wrote:
> This is useful. On the security considerations, I’m having a little
> bit of a fail grokking what visual spoofing means in this case? Is
> there a way to spoof a cease message from a third party and create a
> message like “tear down, gone forever” in an unsecured (not MD5 or
> other secured mechanism) or is the reference to UTR36 more perfunctory
> and along the lines of “don’t send money to someone sending a request
> in this message including example@sample.com as a target address”?

Visual spoofing exists in (at least) two forms, one is on the character
level: where innocuous characters are replaced with variants for
nefarious purposes, for example the following look alike but are
different: Greek Ο, Latin O, and Cyrillic О. The other variant is where
somehow a newline, newpage, feedpage or enough spaces to wrap the line
are inserted, and the receiving side might incorrectly think there are
more than 1 syslog messages where in reality it's just 1 message,
containing a communication + syslog-like content.

To counter this the length of the string is limited to be very brief. If
one is allowed to insert say 4000 bytes worth of Shutdown Communication,
you could easily 'visually spoof' half a page worth of fake-syslog. The
receiving side might think his/her router is in big trouble and perform
an emergency reboot or upgrade based on false information.

Further reading: (search bing.com for 'visual spoofing')

    https://en.wikipedia.org/wiki/IDN_homograph_attack
    http://unicode.org/reports/tr36/#visual_spoofing

Another defense is to squash likely garbage and not print that. So one
should replace the garbage with U+FFFD "replacement character" so that
"drã©op table XXX;" becomes "dr�op table XXX;" and not "drop table
XXX;". The next version of the draft will provide more guidance on that.

This draft is breaking a lance for IDR in that it is the first draft (as
far as I know) to carefully consider the security aspects of using UTF-8
at this level.

I think UTF-8 is the right choice, it can be done (many industries have
gone before us), there is more than Roman script in this world, but
we'll need to make implementors aware.

> Any real concern over buffer overflows?

The clearly defined upper-bound length of the BGP PDU, the Cease
NOTIFICATION and the length marker for the Shutdown Communication itself
can help mitigate these. I don't think there are any real new
considerations here. Normal printf, strlcpy, strlcat recommendations
apply. It was an explicit choice to not use a NUL-termination.

I welcome feedback from others, I wouldn't dare to proclaim I'm anything
close to an expert.

Kind regards,

Job
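The defences Job describes (trust only a checked length marker, no NUL terminator, replace undecodable bytes with U+FFFD, and never let the text fake a second log line) as an added example; this is not code from the draft or from any BGP implementation, and the 128-octet cap is an assumption here, since the draft fixes the real limit. Homograph confusables (Greek Ο vs Latin O) are deliberately left untouched, as they need script-mixing analysis this snippet does not attempt.

```python
import unicodedata

MAX_SHUTDOWN_LEN = 128   # assumed cap; the draft fixes the real upper bound
REPLACEMENT = "\ufffd"   # U+FFFD, shown instead of anything we refuse to print

class ShutdownCommunicationError(ValueError):
    """Raised when the length octet disagrees with what was actually received."""

def sanitize(raw: bytes) -> str:
    """Decode one Shutdown Communication for display.

    Invalid UTF-8 becomes U+FFFD rather than being dropped, so a mangled
    b"dr\\xc3op table" is shown as "dr\ufffdop table", never as "drop table".
    Control, format and line/paragraph separator characters (LF, CR, FF, ESC,
    bidi overrides, U+2028 ...) are also replaced: each could make the
    operator's terminal or syslog viewer render a second, fake log line.
    """
    text = raw.decode("utf-8", errors="replace")
    return "".join(
        REPLACEMENT if unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp") else ch
        for ch in text
    )

def parse_shutdown_communication(data: bytes) -> str:
    """Parse the NOTIFICATION data field: one length octet, then that many
    octets of text with no NUL terminator. Only the length octet is trusted,
    and only after it has been checked against the bytes really received."""
    if not data:
        raise ShutdownCommunicationError("missing length octet")
    length = data[0]
    if length > MAX_SHUTDOWN_LEN:
        raise ShutdownCommunicationError(f"length {length} > cap {MAX_SHUTDOWN_LEN}")
    if len(data) - 1 < length:
        # The sender promised more than it sent: never read past the PDU.
        raise ShutdownCommunicationError("length octet exceeds received data")
    # Slicing by the validated length means an embedded 0x00 cannot truncate
    # the message the way strcpy or printf("%s") on the raw buffer would.
    return sanitize(data[1:1 + length])

def _demo() -> None:
    # Constructed sample: a shutdown text that tries to inject a fake syslog line.
    payload = b"maintenance\n%SYS-0-FAKE: router on fire, reboot now"
    print(parse_shutdown_communication(bytes([len(payload)]) + payload))

if __name__ == "__main__":
    _demo()
```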