IETF Logo Mail Archive

Re: [Idr] Adam Roach's No Objection on draft-ietf-idr-shutdown-08: (with COMMENT)

Job Snijders <job@ntt.net> Wed, 24 May 2017 18:15 UTC

Return-Path: <job@ntt.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 348B0128D3E for <idr@ietfa.amsl.com>; Wed, 24 May 2017 11:15:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hWHCD7xiN1nJ for <idr@ietfa.amsl.com>; Wed, 24 May 2017 11:15:40 -0700 (PDT)
Received: from mail3.mlpsca01.us.to.gin.ntt.net (mail3.mlpsca01.us.to.gin.ntt.net [IPv6:2001:418:3ff:3::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBF8412940D for <idr@ietf.org>; Wed, 24 May 2017 11:15:38 -0700 (PDT)
Received: by mail3.mlpsca01.us.to.gin.ntt.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from <job@ntt.net>) id 1dDaos-0006J6-NZ (job@us.ntt.net) for idr@ietf.org; Wed, 24 May 2017 18:15:38 +0000
Received: by mail-wr0-f176.google.com with SMTP id w50so59788971wrc.0 for <idr@ietf.org>; Wed, 24 May 2017 11:15:38 -0700 (PDT)
X-Gm-Message-State: AODbwcD2mPbej/eREqk0FRIWLE1dtjti6/MtWhaDZlN4QI/XT/ofporP SlwZ2nhgAbkQnFHAYek2VVC+sHAbr1gK
X-Received: by 10.223.174.209 with SMTP id y75mr20633125wrc.82.1495649736983; Wed, 24 May 2017 11:15:36 -0700 (PDT)
MIME-Version: 1.0
References: <149559358944.28506.18362121959782542849.idtracker@ietfa.amsl.com> <CA+b+ERmg33vdOywz=Krw_30vdwWpMYLS_EZRSE+bfrHcS12GUA@mail.gmail.com> <CA+b+ERmamUOaUjnNX2FM0Qh+S7Gz-7f7PVHXiVzczZg2rvMtwQ@mail.gmail.com> <CA+b+ERnyJAU4xe6EiwsER9gG3Np9L6F4aEQWt0ZT405mzYg5wg@mail.gmail.com> <53c58824-e5fa-88e1-b092-b2e285906514@nostrum.com>
In-Reply-To: <53c58824-e5fa-88e1-b092-b2e285906514@nostrum.com>
From: Job Snijders <job@ntt.net>
Date: Wed, 24 May 2017 18:15:26 +0000
X-Gmail-Original-Message-ID: <CACWOCC86iDeFEceWG3P3W0UQEXTZXb2ogwuwrQ8OApFThWafcQ@mail.gmail.com>
Message-ID: <CACWOCC86iDeFEceWG3P3W0UQEXTZXb2ogwuwrQ8OApFThWafcQ@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>, Job Snijders <job@ntt.net>, Robert Raszuk <robert@raszuk.net>, The IESG <iesg@ietf.org>, aretana@cisco.com, draft-ietf-idr-shutdown@ietf.org, idr@ietf.org, idr-chairs@ietf.org, skh@ndzh.com
Content-Type: multipart/alternative; boundary="001a114767fc482a840550491748"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/fd5Ko23zl38G_BDAbEEBPdqw4hc>
Subject: Re: [Idr] Adam Roach's No Objection on draft-ietf-idr-shutdown-08: (with COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 18:15:42 -0000

Do you have a text suggestion, or does what is proposed here work?

I'd also like to point out that it is strange to anticipate vendors
entirely ignoring normative text like "MUST". Spec violations should be
dealt with by robust error handling, and guidance from the market.

I consider it somewhat out of scope for the document to define, specify and
teach people what "visual spoofing attacks" are.

We'll remove the sentence about "confusion character", you are right that
it doesn't add much.

NEW

6.  Security Considerations

   This document uses UTF-8 encoding for the Shutdown Communication.
   There are a number of security issues with UNICODE.  Implementers and
   operator are advised to review UNICODE TR36 [UTR36] to learn about
   these issues.  UTF-8 "Shortest Form" encoding is REQUIRED to guard
   against the technical issues outlined in UTR36.  This
   specification minimizes the effects of visual syslog spoofing
attacks by limiting
   the length of the Shutdown Communication.

   Users of this mechanism should be aware that unless a transport that
   provides integrity is used for the BGP session in question, a
   Shutdown Communication message could be forged.  Unless a transport
   that provides confidentiality is used, a Shutdown Communication
   message could be snooped by an attacker.  These issues are common to
   any BGP message but may be of greater interest in the context of this
   proposal since the information carried in the message is generally
   expected to be used for human-to-human communication.  Refer to the
   related considerations in [RFC4271] and [RFC4272].

   Users of this mechanism should consider applying data minimization
   practises as outlined in Section 6.1 [RFC6973] as a received Shutdown
   Communication may be used at the receiver's discretion.


Kind regards,

Job

On Wed, 24 May 2017 at 19:53, Adam Roach <adam@nostrum.com> wrote:

> I'm putting this back on the relevant lists, as I believe we need to have
> this conversation in the open.
>
> The problem that this text is apparently referring to is preventing the
> spoofing of syslog messages or the output of other CLI tools (which I read
> as similar to the concern Warren raises).
>
> If this is the attack the text in the security section is attempting to
> describe, I think it misses the mark: I can't get from the words there to
> the concept of spoofing syslog messages. This is exacerbated by the
> presence of the clause "due to character confusion" as part of the
> description, as this raises the specter of UTF-8 confusables, which doesn't
> seem to be the related to the concern here.
>
> Concretely, what I'm asking: please be clear in the security section --
> with an example, if necessary -- so that implementors understand what is
> being prevented. It's perfectly fine to say "don't send more than 128
> bytes," but if implementors don't understand *why*, then they'll do it
> anyway (cf. the prohibition on DNS names starting with numbers, or chaining
> CNAM records in DNS: both are -- or were at a time -- prohibited by spec,
> but widely implemented nonetheless, because the explanation about *why* not
> to do them was completely unclear).
>
>
> /a
>
>
> On 5/24/17 1:57 AM, Robert Raszuk wrote:
>
> Just FYI ...
>
> I raised the exact same point during WG review and we agreed with Job that
> it is not about spoofing, but "visual attack". Other then limited size of
> the msg no other means of mitigation are needed by developer.
>
> Cheers
> R.
>
> On May 24, 2017 04:39, "Adam Roach" <adam@nostrum.com> wrote:
>
> Adam Roach has entered the following ballot position for
> draft-ietf-idr-shutdown-08: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-idr-shutdown/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> The portion of Section 6 (Security Considerations) that discusses
> confusable characters is describing a problem that isn't obvious on first
> reading. As these strings are human-produced and human-consumed, it's not
> clear what harm would arise through the use of spoofing. If there is a
> real risk here that the authors are aware of, it should be described in
> more detail to allow implemetors to more adeptly steer around it. If not,
> the statement around spoofing should probably be removed so as to avoid
> implementors scratching their heads regarding what mitigating actions
> they might take.
>
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>

v2.23.0 | Report a Bug | By Email