IETF Logo Mail Archive

Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06

Barry Leiba <barryleiba@computer.org> Thu, 17 December 2015 22:03 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: imapext@ietfa.amsl.com
Delivered-To: imapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82C341B30E9 for <imapext@ietfa.amsl.com>; Thu, 17 Dec 2015 14:03:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rr2Q8bIF6XNL for <imapext@ietfa.amsl.com>; Thu, 17 Dec 2015 14:03:30 -0800 (PST)
Received: from mail-vk0-x234.google.com (mail-vk0-x234.google.com [IPv6:2607:f8b0:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5ECD1B30E6 for <imapext@ietf.org>; Thu, 17 Dec 2015 14:03:29 -0800 (PST)
Received: by mail-vk0-x234.google.com with SMTP id a189so54956771vkh.2 for <imapext@ietf.org>; Thu, 17 Dec 2015 14:03:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=Zx7tSBpI4FD4AhHbS6cC1/Olh+HZt/KPZSQ8oFi4M/4=; b=o4ea8Soapda35gXaKvbITUAlH3fkwU/Wf+Aa5Yx4pFLzCzMWC6KLC0klkcUy9qNXCc R+L+pJO+AKgbWE/mtNy5TiOiQqENa1WYwMNtAmMVUAO/2D3Db3LJ4pwm5xe7bAezKYGs njqLHKCaZjHQP6MUCZjaCPlpaJh/4zntl90DOg6lbozqgYD3DdWorr+xSzhmcRQ054RC vTaralxC0zgV8W/LhKZVS0DVxMQKqPLgoseurSpRVAs6od+C1ev9Kvv4UZlNeB/+LGxd CeWaziX8vLLYQLZsDPgFzsdOvRjVwbW4uJhxAleSXjHaCQSLlGHfhln1SowV8SwQXWPc ynSw==
MIME-Version: 1.0
X-Received: by 10.31.107.138 with SMTP id k10mr68233vki.27.1450389809071; Thu, 17 Dec 2015 14:03:29 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.31.182.211 with HTTP; Thu, 17 Dec 2015 14:03:28 -0800 (PST)
In-Reply-To: <0d5eee161a1e4e2ab78ea4696e6fa17e@SEAMBX01.sea.samsung.com>
References: <emcf7f771e-a84b-4df3-b9ff-06dd5417a655@bodybag> <5A5084CC-6733-45DB-B3D5-4F73285257D0@isode.com> <6679218db47f443794b1ce28452623eb@SEAMBX07.sea.samsung.com> <CAC4RtVDnirH1n1hjtLPpMAEYgBmdYmsQxo3WiXiErEFQYPP8gg@mail.gmail.com> <0d5eee161a1e4e2ab78ea4696e6fa17e@SEAMBX01.sea.samsung.com>
Date: Thu, 17 Dec 2015 17:03:28 -0500
X-Google-Sender-Auth: 7mB_KdaQx9QWoVpkSuli_WGW4DE
Message-ID: <CALaySJKURA5gPatPeddXj1twtjqZNh_j-G03JDEQZap38VbS1w@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Jayantheesh S B <j.sb@sea.samsung.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/imapext/8YJJnFU7bogrugfLTBRCbiirYXg>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Narendra Bisht <ns.bisht@sea.samsung.com>, "S Moonesamy (sm+ietf@elandnews.com)" <sm+ietf@elandnews.com>, "S Moonesamy (sm+ietf@elandsys.com)" <sm+ietf@elandsys.com>, "imapext@ietf.org" <imapext@ietf.org>
Subject: Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06
X-BeenThere: imapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IMAP extensions <imapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/imapext>, <mailto:imapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/imapext/>
List-Post: <mailto:imapext@ietf.org>
List-Help: <mailto:imapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/imapext>, <mailto:imapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 22:03:32 -0000

> Please find the latest version of the draft (version 07) attached. As
> per the review discussion, we have updated the draft.
...
> We will upload the draft once if all the review comments has been addressed.

This looks mostly good, and thanks very much for all the work on this.
The ABNF and the Security Considerations still need a bit (see below).
Some editorial nits to fix, as well, before it's ready to post.
Below, "OLD" refers to text in the proposed -07 version.  Except for
the ABNF and Security considerations, these are all very minor
editorial things.

In the abstract, make it "APPEND commands" (plural).

In the Introduction:

OLD
   Several IMAP servers have limitation for mail upload size which is
   not published to the email client.  When email client APPEND a mail
   with huge attachments, using non-synchronizing literals it fails due
   to size restriction set by the IMAP server.
NEW
   Some IMAP servers have limits for mail upload size, and those limits
   are not published to the email client.  When the email client APPENDs
   a message with huge attachments, using non-synchronizing literals,
   the APPEND fails because of the upload limit, but the client has
   already sent the message data anyway.
END

In Section 3:

OLD
   IMAP server can have mailbox specific APPENDLIMIT value, which will
   not be advertised as part of CAPABILITY response.  The IMAP server
   can publish NIL for a mailbox to convey that there is no APPENDLIMIT
   to that mailbox [RFC4466].
NEW
   An IMAP server can have mailbox-specific APPENDLIMIT values, which
   will not be advertised as part of CAPABILITY response.  The IMAP
   server can publish specific values for each mailbox, and can publish
   "NIL" for a mailbox to convey that there is no APPENDLIMIT for that
   mailbox.
END

(I don't think there's any need for a citation to 4466 here; we'll
have it below, by the ABNF.)

In the section titles of 3.1 and 3.2, make it "STATUS response to the"
(not "in the").  This was my error when I suggested the change; sorry.

Similarly, in Section 3.2 take out the word "emit", which was there in error.

In Section 5, I think you misunderstood Alexey's suggestion for using
the 4466 changes.  Let's try this; Alexey, please check that I got
this right:

Replace all the ABNF in Section 5 with this:

NEW
   capability /= "APPENDLIMIT" ["=" number]
               ;; capability is defined in RFC 3501

   status-att /= "APPENDLIMIT"
               ;; status-att is defined in RFC 3501

   status-att-val /= "APPENDLIMIT" SP (number / nil)
               ;; status-att-val is defined in RFC 4466
END

...and also make this change:

OLD
   [RFC3501] defines the non-terminals
   "capability", "resp-text-code" and "status-att".
NEW
   [RFC3501] defines the non-terminals
   "capability" and "status-att", and [RFC4466] defines
   "status-att-val".
END

Reasoning:
First, I think the extra level of indirection, making two lines per
item, was only confusing.

Second, there seem to be three things you need to do: (1) add the
capability string, (2) add the APPENDLIMIT status option, and (3) add
the APPENDLIMIT status response.  Those three items do it.  I don't
know why you had the addition to resp-text-code -- it was always the
wrong thing to have, and we missed it before.

In the paragraph after the ABNF, change "A number indicating the fixed
maximum" to "The number indicates the fixed maximum".

In Section 6, my comment about the security considerations still needs
to be addressed.  You say this:

   The IMAP APPENDLIMIT extension described in this document can
   conceivably be used to facilitate Denial-of-Service attacks.
   Specifically, the information contained in the APPENDLIMIT capability
   and use of the APPEND command make it somewhat quicker and easier to
   devise an efficacious Denial-of-Service attack.  However, unless
   implementations are very weak, these extensions do not create any
   vulnerability that has not always existed with IMAP.

I still ask: Why does this information make it quicker and easier to
do a DoS attack?  I don't see it, and the document needs to explain it
clearly.  I can always, with or without this option, try to append a
very large message using a non-synchronizing literal for the message
data.  What is it about this extension that makes it quicker, easier,
or more effective (I'd avoid the more obscure word "efficacious")?

Barry

v2.23.0 | Report a Bug | By Email