Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Toerless Eckert <tte@cs.fau.de> Mon, 26 October 2020 19:37 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0E423A0E6C for <ietf@ietfa.amsl.com>; Mon, 26 Oct 2020 12:37:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z699ez-MqN-8 for <ietf@ietfa.amsl.com>; Mon, 26 Oct 2020 12:37:12 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 963243A0E69 for <ietf@ietf.org>; Mon, 26 Oct 2020 12:37:12 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 15E85548068; Mon, 26 Oct 2020 20:37:07 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 0D44E440059; Mon, 26 Oct 2020 20:37:07 +0100 (CET)
Date: Mon, 26 Oct 2020 20:37:07 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Roman Danyliw <rdd@cert.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Message-ID: <20201026193707.GC59330@faui48f.informatik.uni-erlangen.de>
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <EB7E8597-087A-4E84-A90E-DC8DF7F089EB@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <EB7E8597-087A-4E84-A90E-DC8DF7F089EB@akamai.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/MdtiQiCakLosYcNZbZVvF2aVzUo>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 19:37:15 -0000

Thanks, Roman

Great job on describing the "process". Unfortunately, i think our process sucks,
e.g. errata will only be applicable in a small subset of cases.

In general, it will not be possible to find community consensus to resolve
vulnerabilities, and even if there is consensus, doing document updates takes
even longer. Especially because in most cases you want to see good evidence
that the attack vector is likely to be used

(just had a discussion today on dnsop, where the first reaction to a
 protocol implementation hardening suggestion i wanted to make in a draft
 was rejected with "we have not seen this attack vector being a problem so far").

So, maybe we can while we have time step back a bit and think about what
we could do to incrementally improve our processes:

I would suggest creating two mailing lists:

  vulnerability-discuss@ietf.org or vulnerability-dispatch@ietf.org
  vulnerability-report@ietf.org

I think we don't need "protocol" in the names, because there are also
 vulnerabilities to operational practices from OPS. Or probably
vulnerabilities in data models (hmm... are there ? -).

The first list of course should serve as an easy entry point for anyone
worried about a particular vulnerability or the process and wants to get
answers. And hopefully it can be dispatched to the right WG  or more
specific mailing list. And then of course discuss about the process
because with something as new to the IETF as this we probably want to
experiment with the process.

The second list of course is what you called protocol-vulnerability@ietf.org

Ultimately, i think we will have the classical issue that more process on
this front would likely benefit from some intermediate output format
between draft/RFC and errata, i think Warren once called this
"living documents". And i think we should just experiment with that
starting with Wiki or the like.

Cheers
    Toerless


On Fri, Oct 23, 2020 at 07:58:29PM +0000, Salz, Rich wrote:
> I would put the "WE don't pay" sentence at the top, right after the intro paragraph.
> 
> ???On 10/23/20, 2:46 PM, "Roman Danyliw" <rdd@cert.org> wrote:
> 
>     Hi!
> 
>     The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF.  Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process.  The full text (which would be converted to a web page) is at:
> 
>     https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_media_documents_Guidance-5Fon-5FReporting-5FVulnerabilities-5Fto-5Fthe-5FIETF-5FsqEX1Ly.pdf&d=DwIFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=ZJ9CHNaxYta4Rwzv9CsBCZ7S64SWbQDTXAsV8KWP_AU&s=WZ8lhkI2-LqfcEW09br2ItDhqh8U456y_8xZlTzatI0&e= 
> 
>     This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities.  With the exception of creating a last resort reporting email alias (protocol-vulnerability@ietf.org), this text is describing current practices in the IETF, albeit ones that may not be consistently applied.
> 
>     This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2]. 
> 
>     The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.
> 
>     Regards,
>     Roman
>     (for the IESG)
> 
>     [1] This guidance text would be added to a new URL at https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_standards_rfcs_vulnerabilities&d=DwIFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=ZJ9CHNaxYta4Rwzv9CsBCZ7S64SWbQDTXAsV8KWP_AU&s=lWrYlX1pV0mIGIcyUbXXN4Bl4YdeeGExr508slPDgW8&e= , and then referenced from https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ietf.org_contact&d=DwIFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=ZJ9CHNaxYta4Rwzv9CsBCZ7S64SWbQDTXAsV8KWP_AU&s=dVVEqnGAgxYTWKmevWh2AwAdymUCMQGs85MMBB2FYPs&e= , https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_standards_process_&d=DwIFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=ZJ9CHNaxYta4Rwzv9CsBCZ7S64SWbQDTXAsV8KWP_AU&s=A2QnAr-kezfIPFF3J92rsAfyrfHzpdFR2gquELSO_5w&e= , https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_standards_rfcs_&d=DwIFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=ZJ9CHNaxYta4Rwzv9CsBCZ7S64SWbQDTXAsV8KWP_AU&s=KtvC1SVlfZTcFhsHQ9RvF_nm856pcSrouxEKNahI5UQ&e= , and https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_topics_security_&d=DwIFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=ZJ9CHNaxYta4Rwzv9CsBCZ7S64SWbQDTXAsV8KWP_AU&s=EN9keXxRYEMvBt-h9ugFVkY3-MUUAv-X9mP7OpOa_po&e= 
> 
>     [2] https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_about_administration_policies-2Dprocedures_vulnerability-2Ddisclosure&d=DwIFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=ZJ9CHNaxYta4Rwzv9CsBCZ7S64SWbQDTXAsV8KWP_AU&s=VAKeetf0jcEomZCLvqzNjCqSADPvsRZPugO5CUryXDI&e= 
> 
>