IETF Logo Mail Archive

Re: [imapext] Kathleen Moriarty's No Objection on draft-ietf-imapapnd-appendlimit-extension-08: (with COMMENT)

S Moonesamy <sm+ietf@elandsys.com> Wed, 06 January 2016 20:31 UTC

Return-Path: <sm@elandsys.com>
X-Original-To: imapext@ietfa.amsl.com
Delivered-To: imapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B234A1A0379; Wed, 6 Jan 2016 12:31:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Level:
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2IVCfNHimzKT; Wed, 6 Jan 2016 12:31:22 -0800 (PST)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 48E681A0377; Wed, 6 Jan 2016 12:31:22 -0800 (PST)
Received: from SUBMAN.elandsys.com ([197.226.208.165]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id u06KUs8F018964 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 6 Jan 2016 12:31:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1452112270; x=1452198670; bh=anGxHC5I2C2Z9lm2+y00M4I9FCw3BwzHjjK8z2lVIMI=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=zs5MZgm/IMAm4MYwF1DkIKgjR8CUF+5J8dSRO4M/nu/OOSWYx2u9QKbJsDuksj0XC cGWIjgEcN5se6U/Rb01Q3IUh3iQF1ltZ6cDYXoMx8YsSgEc/09rhvSVSetW40k/5NM 8Rith2xZyF9NHtl/VrD5GMTj/tXTnwNf7leDIQ0A=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1452112270; x=1452198670; i=@elandsys.com; bh=anGxHC5I2C2Z9lm2+y00M4I9FCw3BwzHjjK8z2lVIMI=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=HMgDoKAeMcj5nOaWE2n2tg4KO9+e7Pq+KKsQ4V9pavULfAK3vAl91P9e6mDbOyOLF Q/S+Up6f0h9cwazyIJpggkOfAjBKh5Wq/FawHsGAJSC0balmvaJYk69ItE+8buXl/p WvhjPgqXnjcsNa0IZKjaFqkP7+5NfwWaImq/WVTk=
Message-Id: <6.2.5.6.2.20160106122818.0d566218@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Wed, 06 Jan 2016 12:30:43 -0800
To: Jayantheesh S B <j.sb@sea.samsung.com>, Narendra Singh Bisht <narendrasingh.bisht@gmail.com>
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <F8822335-25E8-4A5A-A13C-05E9F16068B3@gmail.com>
References: <20160106012803.29192.54119.idtracker@ietfa.amsl.com> <CALaySJLo3o7j2qJNxrLaGKntHhURme=tTy5vCPM9sDR7NU4hVg@mail.gmail.com> <CAHbuEH6kMq2bQkCvWuY3pd8-81xt3VGfN4YoPV7cVhf1VehzoA@mail.gmail.com> <CALaySJJeNHOLM2q9tixVBGzgmVcbwbugJ73-vZ-QyNyUCXzNmw@mail.gmail.com> <F8822335-25E8-4A5A-A13C-05E9F16068B3@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/imapext/9tFSe0bbLkddDUHAEzcgTZlaCjA>
Cc: imapapnd-chairs@ietf.org, draft-ietf-imapapnd-appendlimit-extension@ietf.org, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>, imapext@ietf.org, Barry Leiba <barryleiba@computer.org>
Subject: Re: [imapext] Kathleen Moriarty's No Objection on draft-ietf-imapapnd-appendlimit-extension-08: (with COMMENT)
X-BeenThere: imapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IMAP extensions <imapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/imapext>, <mailto:imapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/imapext/>
List-Post: <mailto:imapext@ietf.org>
List-Help: <mailto:imapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/imapext>, <mailto:imapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2016 20:31:23 -0000

Hi Jay, Naren,
At 04:57 06-01-2016, Kathleen Moriarty wrote:
> >> The security considerations section doesn't read well IMO.
> >
> > That's entirely possible.
> >
> >> When it gets to the following sentence:
> >>
> >> "But with this extension, the attacker can immediately choose a value
> >> that's a little too large,"
> >>
> >> It doesn't read well to me.  Why would they chose a value that's a
> >> little too large?  Too large for what?  They already have the size
> >> limit per server or per mailbox.  Does this mean they will send a
> >> bunch of messages with the append size maxed out for the mailbox or
> >> the server to fill the quota?
> >
> > The point of the attack isn't filling a mailbox; it's sending
> > boatloads of data to the server.  Suppose there's a limit of 2 MB.  If
> > the client sends 2 MB messages repeatedly, those messages will
> > eventually cause the mailbox to hit the quota, and further attempts to
> > bombard the server will be rejected.  But messages that are, say,
> > 2.1MB will fail to append (the server will respond "NO" to them), and
> > the client can keep bombarding the server with such messages.  The
> > text is trying to warn about that, suggesting that the server might
> > "take a hard line" -- that is, take more serious action than just
> > saying "NO" to the append attempts, but perhaps actually lock out the
> > account until someone checks out the situation.
>
>This point wasn't clear to me from the current text.  I'd suggest 
>updating it to make it more clear.
>
> >
> >> Why isn't it explicit in that such messages should/MUST be rejected?
> >
> > The messages themselves will be rejected (they APPEND command will get
> > "NO" for a response), but the damage -- the sending of a lot of data
> > unnecessarily -- will have already been done.
>
>Can this be made more clear as well?  It's not in the current text.

Could you please suggest some text to address the above?

Regards,
S. Moonesamy (as document shepherd)

v2.23.0 | Report a Bug | By Email