Re: Re-review of draft-ietf-simple-imdn
Eric Burger <eburger@standardstrack.com> Wed, 14 May 2008 04:21 UTC
Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D8913A68F7; Tue, 13 May 2008 21:21:22 -0700 (PDT)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AFF743A6877; Tue, 13 May 2008 21:21:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KEsDGcLDWX85; Tue, 13 May 2008 21:21:18 -0700 (PDT)
Received: from gs19.inmotionhosting.com (gs19b.inmotionhosting.com [66.117.3.189]) by core3.amsl.com (Postfix) with ESMTP id 7F5B03A67D4; Tue, 13 May 2008 21:21:18 -0700 (PDT)
Received: from [124.17.15.2] (port=36151 helo=[172.31.13.16]) by gs19.inmotionhosting.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <eburger@standardstrack.com>) id 1Jw8TP-0006D4-4J; Tue, 13 May 2008 21:20:19 -0700
Message-Id: <C5B56A4A-1901-41F6-B47E-C04F51D813E6@standardstrack.com>
From: Eric Burger <eburger@standardstrack.com>
To: Eric Rescorla <ekr@networkresonance.com>
In-Reply-To: <20080503211234.0377B5081A@romeo.rtfm.com>
Mime-Version: 1.0 (Apple Message framework v912)
Subject: Re: Re-review of draft-ietf-simple-imdn
Date: Wed, 14 May 2008 12:20:21 +0800
References: <20080503211234.0377B5081A@romeo.rtfm.com>
X-Mailer: Apple Mail (2.912)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gs19.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - standardstrack.com
X-Source:
X-Source-Args:
X-Source-Dir:
Cc: secdir@mit.edu, ietf@ietf.org, simple@ietf.org, iesg@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
Inline
On May 4, 2008, at 5:12 AM, Eric Rescorla wrote:
> I originally reviewed version -06 of this document
> (2008-02-8). Examining the diff, it does not appear to me that any of
> my comments from my previous review. Looking back in my mail folder, I
> don't see any reasponses from the authors telling me my review was
> wrong, so I'm retransmitting it here.
>
> -Ekr
>
> $Id: draft-ietf-simple-imdn-06-rev.txt,v 1.1 2008/02/08 18:17:54 ekr
> Exp $
>
> This document describes a mechanism for IM senders to request status
> notifications for their IMs. The sender attaches a header specifying
> the status conditions he wants to be notified of and intermediaries
> and the receiving UA notify the sender (or someone else of his choice)
> subject to policy constraints.
>
> One thing I'm not clear on is how the recipient determines where to
> send the IMDN. Are they supposed to read the "From" field? One thing
> that I don't get is how the IMDN-Route header interacts here.
> It looks to me like this gets stuffed in the "To" in the IMDN.
You are right - we go on and on about IMDN-Record-Route, but we never
explicitly say what to do if there is no IMDN-Record-Route. How about
the following text, inserted after the IMDN-Record-Route handling
paragraph:
If there is no IMDN-Record-Route header field, the IM Recipient
MUST send the IMDN to the URI in the From header field.
> What happens if someone puts an IMDN-Record-Route that points
> to an IMDN-ignorant UA?
We need to make it clear that an intermediary can only intermediate on
its own behalf.
How about the following text change in the Intermediary Behaviour
section:
OLD
An intermediary MAY choose to remain on the path of IMDNs for a
specific IM. It can do so by adding a CPIM IMDN-Record-Route header
field as the top IMDN-Record-Route header field and populating it with
its own address.
NEW
An intermediary MAY choose to remain on the path of IMDNs for a
specific IM. It can do so by adding a CPIM IMDN-Record-Route header
field as the top IMDN-Record-Route header field. The value of this
field MUST be the intermediary's own address.
I was mulling over whether this introduces a security issue.
Specifically, what if a malicious intermediary wants to perform a DDoS
attack on an unsuspecting UA? The intermediary could spew a bunch of
messages towards other UAs, asking them to send IMDNs to DDoS target
by setting the topmost Record-Route to the target machine. The good
news is this takes a similar amount of resources as that intermediary
attacking the target directly. The bad news is the IMDN-Record-Route
mechanism provides a mechanism for the malicious node to hide its
identity from the target. The same issue arises if the node simply
puts in the target node as the From field of the IM and requests an
IMDN. The only trace would be server logs, which could identify the
malicious node as the source of the bogus IMDN requests.
How about we add the following to the "threats in the IMDN system"
list in the Security Considerations section:
A malicious intermediary or node attempts to flood a target
node with IMDNs by inserting the target's address in the From
field or IMDN-Record-Route field
And this text towards the end of the section:
One way to address the potential for a malicious node to use
the IMDN system to anonomize attacks is to log all IMDN
requests on the IM Recipient User Agent. This allows for tracking
of attacks, if only after they occur. Note this also puts a
burden on
the IM Recipient User Agent host. Limited User Agents may not
be able to preserve much of a log.
> Overall, this document seems pretty well written and clearly lays out
> the security issues.
>
> That said, I'm concerned about the bounce/reflection threats discussed
> in S 14 (where the sender asks for notification to a third party
> victim). I'm particularly concerned about the "note" field, since a
> natural implementation seems to be to include an excerpt from the
> message you're acknowledging. This draft identifies the threat but
> doesn't specify any mechanism for ameliorating them. I think some
> suggested mechanisms would be appoprirate here, or at least some
> analysis of what the potential mechanisms were and why they would or
> would not work.
The <note> field is stupid IMHO. I'm taking that to the list. Thanks
for "noting" it, and I am embarrassed it is in the draft at all.
> Other comments: I would avoid the term "non-repudiation" if at all
> possible in S 5.3 and later. It's just so overloaded now that it's
> hard to know what it means.
Fixed
> S 6.5. A little more explanation of why IMDN-Record-Route is useful
> would help.
Done
> S 7.1.1.1. Why does Message-ID need any randomness at all as opposed
> to uniqueness? And if it needs randomness, why is 32 enough?
The randomness property makes it more difficult for malicious nodes
guessing Message-IDs and thus being able to pass IMDNs through
filtering mechanisms.
IYHO, is 32-bits enough? You're the expert; I'm just guessing!
> S 7.1.3. Note that you can pack the state into the messageid if
> you're willing to make large message ids and hte stte is small.
Message-ID could be used for tracking in addition to IMDN, so
combining the two would not be a good thing.
> S 11.1
>
> An IMDN Payload is an XML document [6] that MUST be well formed and
> MUST be valid according to schemas, including extension schemas,
> available to the validater and applicable to the XML document. The
> IMDN Payload MUST be based on XML 1.0 and MUST be encoded using
> UTF-8.
>
> Is this a requirement that the receiver validate the XML?
On the one hand, I suppose it is. On the other hand, that is totally
unenforceable. Can this one slide under the radar?
> S 12.1.1. Why can't anonymous senders request notifications?
Where would one send the IMDN to?
> S 14.3. See above comemnts about nonrepudiation
Fixed.
> -Ekr
_______________________________________________
IETF mailing list
IETF@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
- Re-review of draft-ietf-simple-imdn Eric Rescorla
- Re: Re-review of draft-ietf-simple-imdn Eric Burger
- Re: Re-review of draft-ietf-simple-imdn Eric Rescorla
- Randomness of Message-ID in IMDN Eric Burger
- Re: Randomness of Message-ID in IMDN Eric Rescorla
- Re: Randomness of Message-ID in IMDN Eric Burger
- Re: Randomness of Message-ID in IMDN Frank Ellermann
- Re: Re-review of draft-ietf-simple-imdn Frank Ellermann
- Re: Randomness of Message-ID in IMDN Eric Rescorla
- Re: Randomness of Message-ID in IMDN Frank Ellermann
- Re: Randomness of Message-ID in IMDN Eric Burger