Re: [Idr] Adam Roach's No Objection on draft-ietf-idr-shutdown-08: (with COMMENT)
Job Snijders <job@ntt.net> Wed, 24 May 2017 18:15 UTC
Return-Path: <job@ntt.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 348B0128D3E for <idr@ietfa.amsl.com>; Wed, 24 May 2017 11:15:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hWHCD7xiN1nJ for <idr@ietfa.amsl.com>; Wed, 24 May 2017 11:15:40 -0700 (PDT)
Received: from mail3.mlpsca01.us.to.gin.ntt.net (mail3.mlpsca01.us.to.gin.ntt.net [IPv6:2001:418:3ff:3::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBF8412940D for <idr@ietf.org>; Wed, 24 May 2017 11:15:38 -0700 (PDT)
Received: by mail3.mlpsca01.us.to.gin.ntt.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from <job@ntt.net>) id 1dDaos-0006J6-NZ (job@us.ntt.net) for idr@ietf.org; Wed, 24 May 2017 18:15:38 +0000
Received: by mail-wr0-f176.google.com with SMTP id w50so59788971wrc.0 for <idr@ietf.org>; Wed, 24 May 2017 11:15:38 -0700 (PDT)
X-Gm-Message-State: AODbwcD2mPbej/eREqk0FRIWLE1dtjti6/MtWhaDZlN4QI/XT/ofporP SlwZ2nhgAbkQnFHAYek2VVC+sHAbr1gK
X-Received: by 10.223.174.209 with SMTP id y75mr20633125wrc.82.1495649736983; Wed, 24 May 2017 11:15:36 -0700 (PDT)
MIME-Version: 1.0
References: <149559358944.28506.18362121959782542849.idtracker@ietfa.amsl.com> <CA+b+ERmg33vdOywz=Krw_30vdwWpMYLS_EZRSE+bfrHcS12GUA@mail.gmail.com> <CA+b+ERmamUOaUjnNX2FM0Qh+S7Gz-7f7PVHXiVzczZg2rvMtwQ@mail.gmail.com> <CA+b+ERnyJAU4xe6EiwsER9gG3Np9L6F4aEQWt0ZT405mzYg5wg@mail.gmail.com> <53c58824-e5fa-88e1-b092-b2e285906514@nostrum.com>
In-Reply-To: <53c58824-e5fa-88e1-b092-b2e285906514@nostrum.com>
From: Job Snijders <job@ntt.net>
Date: Wed, 24 May 2017 18:15:26 +0000
X-Gmail-Original-Message-ID: <CACWOCC86iDeFEceWG3P3W0UQEXTZXb2ogwuwrQ8OApFThWafcQ@mail.gmail.com>
Message-ID: <CACWOCC86iDeFEceWG3P3W0UQEXTZXb2ogwuwrQ8OApFThWafcQ@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>, Job Snijders <job@ntt.net>, Robert Raszuk <robert@raszuk.net>, The IESG <iesg@ietf.org>, aretana@cisco.com, draft-ietf-idr-shutdown@ietf.org, idr@ietf.org, idr-chairs@ietf.org, skh@ndzh.com
Content-Type: multipart/alternative; boundary="001a114767fc482a840550491748"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/fd5Ko23zl38G_BDAbEEBPdqw4hc>
Subject: Re: [Idr] Adam Roach's No Objection on draft-ietf-idr-shutdown-08: (with COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 18:15:42 -0000
Do you have a text suggestion, or does what is proposed here work? I'd also like to point out that it is strange to anticipate vendors entirely ignoring normative text like "MUST". Spec violations should be dealt with by robust error handling, and guidance from the market. I consider it somewhat out of scope for the document to define, specify and teach people what "visual spoofing attacks" are. We'll remove the sentence about "confusion character", you are right that it doesn't add much. NEW 6. Security Considerations This document uses UTF-8 encoding for the Shutdown Communication. There are a number of security issues with UNICODE. Implementers and operator are advised to review UNICODE TR36 [UTR36] to learn about these issues. UTF-8 "Shortest Form" encoding is REQUIRED to guard against the technical issues outlined in UTR36. This specification minimizes the effects of visual syslog spoofing attacks by limiting the length of the Shutdown Communication. Users of this mechanism should be aware that unless a transport that provides integrity is used for the BGP session in question, a Shutdown Communication message could be forged. Unless a transport that provides confidentiality is used, a Shutdown Communication message could be snooped by an attacker. These issues are common to any BGP message but may be of greater interest in the context of this proposal since the information carried in the message is generally expected to be used for human-to-human communication. Refer to the related considerations in [RFC4271] and [RFC4272]. Users of this mechanism should consider applying data minimization practises as outlined in Section 6.1 [RFC6973] as a received Shutdown Communication may be used at the receiver's discretion. Kind regards, Job On Wed, 24 May 2017 at 19:53, Adam Roach <adam@nostrum.com> wrote: > I'm putting this back on the relevant lists, as I believe we need to have > this conversation in the open. > > The problem that this text is apparently referring to is preventing the > spoofing of syslog messages or the output of other CLI tools (which I read > as similar to the concern Warren raises). > > If this is the attack the text in the security section is attempting to > describe, I think it misses the mark: I can't get from the words there to > the concept of spoofing syslog messages. This is exacerbated by the > presence of the clause "due to character confusion" as part of the > description, as this raises the specter of UTF-8 confusables, which doesn't > seem to be the related to the concern here. > > Concretely, what I'm asking: please be clear in the security section -- > with an example, if necessary -- so that implementors understand what is > being prevented. It's perfectly fine to say "don't send more than 128 > bytes," but if implementors don't understand *why*, then they'll do it > anyway (cf. the prohibition on DNS names starting with numbers, or chaining > CNAM records in DNS: both are -- or were at a time -- prohibited by spec, > but widely implemented nonetheless, because the explanation about *why* not > to do them was completely unclear). > > > /a > > > On 5/24/17 1:57 AM, Robert Raszuk wrote: > > Just FYI ... > > I raised the exact same point during WG review and we agreed with Job that > it is not about spoofing, but "visual attack". Other then limited size of > the msg no other means of mitigation are needed by developer. > > Cheers > R. > > On May 24, 2017 04:39, "Adam Roach" <adam@nostrum.com> wrote: > > Adam Roach has entered the following ballot position for > draft-ietf-idr-shutdown-08: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-idr-shutdown/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > The portion of Section 6 (Security Considerations) that discusses > confusable characters is describing a problem that isn't obvious on first > reading. As these strings are human-produced and human-consumed, it's not > clear what harm would arise through the use of spoofing. If there is a > real risk here that the authors are aware of, it should be described in > more detail to allow implemetors to more adeptly steer around it. If not, > the statement around spoofing should probably be removed so as to avoid > implementors scratching their heads regarding what mitigating actions > they might take. > > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr > > > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr >
- [Idr] Adam Roach's No Objection on draft-ietf-idr… Adam Roach
- Re: [Idr] Adam Roach's No Objection on draft-ietf… Adam Roach
- Re: [Idr] Adam Roach's No Objection on draft-ietf… Job Snijders
- Re: [Idr] Adam Roach's No Objection on draft-ietf… Adam Roach
- Re: [Idr] Adam Roach's No Objection on draft-ietf… Job Snijders