Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06
Barry Leiba <barryleiba@computer.org> Thu, 17 December 2015 22:03 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: imapext@ietfa.amsl.com
Delivered-To: imapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82C341B30E9 for <imapext@ietfa.amsl.com>; Thu, 17 Dec 2015 14:03:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rr2Q8bIF6XNL for <imapext@ietfa.amsl.com>; Thu, 17 Dec 2015 14:03:30 -0800 (PST)
Received: from mail-vk0-x234.google.com (mail-vk0-x234.google.com [IPv6:2607:f8b0:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5ECD1B30E6 for <imapext@ietf.org>; Thu, 17 Dec 2015 14:03:29 -0800 (PST)
Received: by mail-vk0-x234.google.com with SMTP id a189so54956771vkh.2 for <imapext@ietf.org>; Thu, 17 Dec 2015 14:03:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=Zx7tSBpI4FD4AhHbS6cC1/Olh+HZt/KPZSQ8oFi4M/4=; b=o4ea8Soapda35gXaKvbITUAlH3fkwU/Wf+Aa5Yx4pFLzCzMWC6KLC0klkcUy9qNXCc R+L+pJO+AKgbWE/mtNy5TiOiQqENa1WYwMNtAmMVUAO/2D3Db3LJ4pwm5xe7bAezKYGs njqLHKCaZjHQP6MUCZjaCPlpaJh/4zntl90DOg6lbozqgYD3DdWorr+xSzhmcRQ054RC vTaralxC0zgV8W/LhKZVS0DVxMQKqPLgoseurSpRVAs6od+C1ev9Kvv4UZlNeB/+LGxd CeWaziX8vLLYQLZsDPgFzsdOvRjVwbW4uJhxAleSXjHaCQSLlGHfhln1SowV8SwQXWPc ynSw==
MIME-Version: 1.0
X-Received: by 10.31.107.138 with SMTP id k10mr68233vki.27.1450389809071; Thu, 17 Dec 2015 14:03:29 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.31.182.211 with HTTP; Thu, 17 Dec 2015 14:03:28 -0800 (PST)
In-Reply-To: <0d5eee161a1e4e2ab78ea4696e6fa17e@SEAMBX01.sea.samsung.com>
References: <emcf7f771e-a84b-4df3-b9ff-06dd5417a655@bodybag> <5A5084CC-6733-45DB-B3D5-4F73285257D0@isode.com> <6679218db47f443794b1ce28452623eb@SEAMBX07.sea.samsung.com> <CAC4RtVDnirH1n1hjtLPpMAEYgBmdYmsQxo3WiXiErEFQYPP8gg@mail.gmail.com> <0d5eee161a1e4e2ab78ea4696e6fa17e@SEAMBX01.sea.samsung.com>
Date: Thu, 17 Dec 2015 17:03:28 -0500
X-Google-Sender-Auth: 7mB_KdaQx9QWoVpkSuli_WGW4DE
Message-ID: <CALaySJKURA5gPatPeddXj1twtjqZNh_j-G03JDEQZap38VbS1w@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Jayantheesh S B <j.sb@sea.samsung.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/imapext/8YJJnFU7bogrugfLTBRCbiirYXg>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Narendra Bisht <ns.bisht@sea.samsung.com>, "S Moonesamy (sm+ietf@elandnews.com)" <sm+ietf@elandnews.com>, "S Moonesamy (sm+ietf@elandsys.com)" <sm+ietf@elandsys.com>, "imapext@ietf.org" <imapext@ietf.org>
Subject: Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06
X-BeenThere: imapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IMAP extensions <imapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/imapext>, <mailto:imapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/imapext/>
List-Post: <mailto:imapext@ietf.org>
List-Help: <mailto:imapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/imapext>, <mailto:imapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 22:03:32 -0000
> Please find the latest version of the draft (version 07) attached. As > per the review discussion, we have updated the draft. ... > We will upload the draft once if all the review comments has been addressed. This looks mostly good, and thanks very much for all the work on this. The ABNF and the Security Considerations still need a bit (see below). Some editorial nits to fix, as well, before it's ready to post. Below, "OLD" refers to text in the proposed -07 version. Except for the ABNF and Security considerations, these are all very minor editorial things. In the abstract, make it "APPEND commands" (plural). In the Introduction: OLD Several IMAP servers have limitation for mail upload size which is not published to the email client. When email client APPEND a mail with huge attachments, using non-synchronizing literals it fails due to size restriction set by the IMAP server. NEW Some IMAP servers have limits for mail upload size, and those limits are not published to the email client. When the email client APPENDs a message with huge attachments, using non-synchronizing literals, the APPEND fails because of the upload limit, but the client has already sent the message data anyway. END In Section 3: OLD IMAP server can have mailbox specific APPENDLIMIT value, which will not be advertised as part of CAPABILITY response. The IMAP server can publish NIL for a mailbox to convey that there is no APPENDLIMIT to that mailbox [RFC4466]. NEW An IMAP server can have mailbox-specific APPENDLIMIT values, which will not be advertised as part of CAPABILITY response. The IMAP server can publish specific values for each mailbox, and can publish "NIL" for a mailbox to convey that there is no APPENDLIMIT for that mailbox. END (I don't think there's any need for a citation to 4466 here; we'll have it below, by the ABNF.) In the section titles of 3.1 and 3.2, make it "STATUS response to the" (not "in the"). This was my error when I suggested the change; sorry. Similarly, in Section 3.2 take out the word "emit", which was there in error. In Section 5, I think you misunderstood Alexey's suggestion for using the 4466 changes. Let's try this; Alexey, please check that I got this right: Replace all the ABNF in Section 5 with this: NEW capability /= "APPENDLIMIT" ["=" number] ;; capability is defined in RFC 3501 status-att /= "APPENDLIMIT" ;; status-att is defined in RFC 3501 status-att-val /= "APPENDLIMIT" SP (number / nil) ;; status-att-val is defined in RFC 4466 END ...and also make this change: OLD [RFC3501] defines the non-terminals "capability", "resp-text-code" and "status-att". NEW [RFC3501] defines the non-terminals "capability" and "status-att", and [RFC4466] defines "status-att-val". END Reasoning: First, I think the extra level of indirection, making two lines per item, was only confusing. Second, there seem to be three things you need to do: (1) add the capability string, (2) add the APPENDLIMIT status option, and (3) add the APPENDLIMIT status response. Those three items do it. I don't know why you had the addition to resp-text-code -- it was always the wrong thing to have, and we missed it before. In the paragraph after the ABNF, change "A number indicating the fixed maximum" to "The number indicates the fixed maximum". In Section 6, my comment about the security considerations still needs to be addressed. You say this: The IMAP APPENDLIMIT extension described in this document can conceivably be used to facilitate Denial-of-Service attacks. Specifically, the information contained in the APPENDLIMIT capability and use of the APPEND command make it somewhat quicker and easier to devise an efficacious Denial-of-Service attack. However, unless implementations are very weak, these extensions do not create any vulnerability that has not always existed with IMAP. I still ask: Why does this information make it quicker and easier to do a DoS attack? I don't see it, and the document needs to explain it clearly. I can always, with or without this option, try to append a very large message using a non-synchronizing literal for the message data. What is it about this extension that makes it quicker, easier, or more effective (I'd avoid the more obscure word "efficacious")? Barry
- [imapext] AD review of draft-ietf-imapapnd-append… Barry Leiba
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Barry Leiba
- [imapext] Referencing RFC 2088 (was: AD review of… S Moonesamy
- Re: [imapext] Referencing RFC 2088 Alexey Melnikov
- Re: [imapext] Referencing RFC 2088 (was: AD revie… Adrien de Croy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Narendra Bisht
- Re: [imapext] Referencing RFC 2088 S Moonesamy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] Referencing RFC 2088 (was: AD revie… Naren
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… S Moonesamy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Naren
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… S Moonesamy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Naren
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… S Moonesamy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Barry Leiba
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… S Moonesamy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… S Moonesamy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Stu Brandt
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Adrien de Croy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Adrien de Croy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Stu Brandt
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Adrien de Croy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Adrien de Croy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Arnt Gulbrandsen
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Dave Cridland
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Dave Cridland
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Arnt Gulbrandsen
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Adrien de Croy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Adrien de Croy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Barry Leiba
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Bron Gondwana
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Barry Leiba
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Adrien de Croy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Narendra Bisht
- Re: [imapext] AD review draft-ietf-imapapnd-appen… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Barry Leiba
- Re: [imapext] AD review draft-ietf-imapapnd-appen… Stu Brandt
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review draft-ietf-imapapnd-appen… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review draft-ietf-imapapnd-appen… S Moonesamy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Barry Leiba
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Adrien de Croy
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Barry Leiba
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review draft-ietf-imapapnd-appen… Dave Cridland
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Alexey Melnikov
- Re: [imapext] AD review draft-ietf-imapapnd-appen… Alexey Melnikov
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Jayantheesh S B
- Re: [imapext] AD review of draft-ietf-imapapnd-ap… Barry Leiba