IETF Logo Mail Archive

Re: [imapext] Kathleen Moriarty's No Objection on draft-ietf-imapapnd-appendlimit-extension-08: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 06 January 2016 04:06 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: imapext@ietfa.amsl.com
Delivered-To: imapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D77581A9036; Tue, 5 Jan 2016 20:06:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7SMHDNgU4O-k; Tue, 5 Jan 2016 20:06:19 -0800 (PST)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EF0F1A9030; Tue, 5 Jan 2016 20:06:19 -0800 (PST)
Received: by mail-wm0-x22b.google.com with SMTP id b14so58085257wmb.1; Tue, 05 Jan 2016 20:06:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/fI5+Pi6ouxpihWwS8ktjhIZmKZz2oWFtYSq5H5dI2I=; b=TrDJNQMf/PY+HN4Qm/xD5RZuBxtPAxfSPVhFjLvV95/eqoHunrT9ZVLDYmopVBThef wkRqtg7VroUwiktfQRi2d/kFZtHjmiXb87TXuP44/IyoDMtWqo2R4ZAbVfbaUh46Umww jJodhP0lMms/GoQu5OiSYl16b4hYfXA0QoeIoNHGYulrahl/yVcdLu8HCtt650zbL0yG 8MpV3AWFrc/KFfquyAcfWaRyZIVEmm3ZOQ/piU6G2J8fkQBp+bq2sQumvvEMwAxD5bzC p3Y8GT5ARICont2VBXw8aMU8UUUe5Fn4h9vamR0eY5HK630e3BwMjmBx5kGDEqgMrCd6 INGA==
MIME-Version: 1.0
X-Received: by 10.28.111.194 with SMTP id c63mr7764228wmi.90.1452053177732; Tue, 05 Jan 2016 20:06:17 -0800 (PST)
Received: by 10.28.52.65 with HTTP; Tue, 5 Jan 2016 20:06:17 -0800 (PST)
In-Reply-To: <CALaySJLo3o7j2qJNxrLaGKntHhURme=tTy5vCPM9sDR7NU4hVg@mail.gmail.com>
References: <20160106012803.29192.54119.idtracker@ietfa.amsl.com> <CALaySJLo3o7j2qJNxrLaGKntHhURme=tTy5vCPM9sDR7NU4hVg@mail.gmail.com>
Date: Tue, 05 Jan 2016 23:06:17 -0500
Message-ID: <CAHbuEH6kMq2bQkCvWuY3pd8-81xt3VGfN4YoPV7cVhf1VehzoA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/imapext/4SKQ3wV_Jjl-lS85ohutLYeqGhc>
Cc: draft-ietf-imapapnd-appendlimit-extension@ietf.org, imapapnd-chairs@ietf.org, The IESG <iesg@ietf.org>, "imapext@ietf.org" <imapext@ietf.org>, SM <sm+ietf@elandsys.com>
Subject: Re: [imapext] Kathleen Moriarty's No Objection on draft-ietf-imapapnd-appendlimit-extension-08: (with COMMENT)
X-BeenThere: imapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IMAP extensions <imapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/imapext>, <mailto:imapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/imapext/>
List-Post: <mailto:imapext@ietf.org>
List-Help: <mailto:imapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/imapext>, <mailto:imapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2016 04:06:21 -0000

Hi Barry,


On Tue, Jan 5, 2016 at 10:55 PM, Barry Leiba <barryleiba@computer.org> wrote:
>> First, this extension lets you find out the limit for either the server
>> or individual mailboxes, so shouldn't the first part of the description
>> focus on a possible DoS filling up those resources?
>
> I don't understand where you're going with this.  This has nothing to
> do with a storage limit -- that's handled by the QUOTA extension
> that's a separate thing, and any client can already fill up the quota
> of the user it's logged in as.

Yes, I understand that.

>
> This extension is about limiting the size of a single message, because
> servers have such limitations and currently have no way to tell the
> client about them.  The only purpose of this extension is to let a
> client discover a server's size limit for a single message.

In section 3, it also discusses per mailbox limitations.  The draft
covers both the option for this extension being used for the server
and on a per mailbox basis.  This also comes up in the security
considerations section.

>
> The security considerations need to be about how that knowledge can be
> used to breach security.  The answer to that is "it can't, really",
> but the one issue we came up with is documented there.
>
> Do you have any specific security considerations to suggest that are
> specific to this extension: the ability for a client to discover what
> a server's policy limit is on the size of a single message?

The security considerations section doesn't read well IMO.

When it gets to the following sentence:

"But with this extension, the attacker can immediately choose a value
that's a little too large,"

It doesn't read well to me.  Why would they chose a value that's a
little too large?  Too large for what?  They already have the size
limit per server or per mailbox.  Does this mean they will send a
bunch of messages with the append size maxed out for the mailbox or
the server to fill the quota?

Then with the sentence:

"To mitigate this

   extension's input to such an attack, a server might take a harder

   line on message sizes that are above the APPENDLIMIT value "

Why isn't it explicit in that such messages should/MUST be rejected?
For the security consideration, this seems like an expected response
to prevent additional problems (checking that size limitations are met
to avoid buffer overrun scenarios in code).

Thanks,
Kathleen

>
>> Then, it's a common security programming practice to enforce size
>> limitations in code.  Why is there a focus on an attacker sending append
>> content that exceeds the allowable size rather than just saying that such
>> append content should be rejected?
>
> A server will always have to be able to deal (in code) with messages
> greater than the maximum size they allow, because IMAP syntactically
> allows them to be transmitted.  The server can only say "NO" to
> appending the message after it receives it.  The security
> considerations are talking about whether the server might do something
> harsher to a client that appears to be abusive -- kicking it off and
> disabling the account, for example.
>
> Barry



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email