Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Toerless Eckert <> Tue, 27 October 2020 14:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 366E53A0D36 for <>; Tue, 27 Oct 2020 07:26:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yS96wxdkugc0 for <>; Tue, 27 Oct 2020 07:26:18 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1F3793A0D2B for <>; Tue, 27 Oct 2020 07:26:17 -0700 (PDT)
Received: from ( [IPv6:2001:638:a000:4134::ffff:52]) by (Postfix) with ESMTP id CC561548019; Tue, 27 Oct 2020 15:26:12 +0100 (CET)
Received: by (Postfix, from userid 10463) id C6A8B440059; Tue, 27 Oct 2020 15:26:12 +0100 (CET)
Date: Tue, 27 Oct 2020 15:26:12 +0100
From: Toerless Eckert <>
To: "Salz, Rich" <>
Cc: Eliot Lear <>, Roman Danyliw <>, The IETF List <>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Message-ID: <>
References: <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 27 Oct 2020 14:26:20 -0000

On Tue, Oct 27, 2020 at 01:59:35PM +0000, Salz, Rich wrote:
> Having worked on OpenSSL for many years, the absolute worst thing you can do is not respond to reported vulnerabilities.  Even if it???s just an auto-reply that says ???thanks we got it.???
> I also think it would be worth pointing out more strongly that we are interested in *protocol* errors, not *implementation* errors, and making that distinction clear.

Again, just to re-emphasize my desire that three should be an open discussion list for
vulnerabilities (vulnerability-discuss), because IMHO this is one of the likely repeatedly
 incurring points of contentions as to where to draw the line. Which IMHO needs to be explored.

One initial definition might be "implementation error is one that can be fixed without
changing the protocol spec text" (i guess, i have not seen a better definition).

So lets say i have seen enough cases where routers stopped forwarding any traffic because
they ran out of memory because someone attacked the router creating to much protocol
state. Lets pick your poison, in my case it was easily user generated multicast state,
others may prefer BGP or IGPs.

So... should the protcol spec have a requirement stating that implementations
MUST ensure this can not happen, and - oh, go figure out how to do that, not a
protocol issue ?

In patents, patent protection is only granted when the description is
sufficient to build a working model. So if you want to claim that a protocol
is not at fault for an attack, its description needs to be sufficient to
make it clear how to build a working model protecting against the attack.

If you apply that guideline to IETF protocol specs, you will draw blanks all
over the place. At least in routing.