IETF Logo Mail Archive

Re: [imapext] Kathleen Moriarty's No Objection on draft-ietf-imapapnd-appendlimit-extension-08: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 06 January 2016 23:47 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: imapext@ietfa.amsl.com
Delivered-To: imapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCB371A1BEE; Wed, 6 Jan 2016 15:47:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VNRX3mHVEAVw; Wed, 6 Jan 2016 15:47:16 -0800 (PST)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0A6F1A1B61; Wed, 6 Jan 2016 15:47:15 -0800 (PST)
Received: by mail-wm0-x22a.google.com with SMTP id u188so78627019wmu.1; Wed, 06 Jan 2016 15:47:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rb3oVHtFmNTAqfFtTKLl8gAnEmOrmpYeXa1d8Rn2XNU=; b=q4BjP7zfk5qKxyW8liBa9SPgfJholL4LHL1qx5SyjZaf+p6wGlnamCl6o99cgbgP44 INpbMeco6yVZwiEL7QRXfAxuUdroTz2gH+09Db2YB1RtvBknQb57lc4F6za2lvJ3aES3 0DYZMErrY3IxFih84VjMLDW2QzOQRNLr2mt5I24CUGznM2edZ48f8lD3QkACo5LSbh2f Oxkh2IWBspvCbMiBU1ScH4ir2A0F3fEHtZ4PRepe+7Bt9TYJdOPlXv31RXeWHOm9ElAk 369moRJI0nmZSOLHbBqt7r3BNySoEmiIzfu+UC3Q+Wb3z36IBVLyA662GaP+581rVhWM F5sQ==
MIME-Version: 1.0
X-Received: by 10.194.222.195 with SMTP id qo3mr109307554wjc.51.1452124034457; Wed, 06 Jan 2016 15:47:14 -0800 (PST)
Received: by 10.28.52.65 with HTTP; Wed, 6 Jan 2016 15:47:14 -0800 (PST)
In-Reply-To: <CALaySJ+cH_v0fdO9dFwxgNZt71AcoBdQssJhb0NbOZvWB4EVJA@mail.gmail.com>
References: <20160106012803.29192.54119.idtracker@ietfa.amsl.com> <CALaySJLo3o7j2qJNxrLaGKntHhURme=tTy5vCPM9sDR7NU4hVg@mail.gmail.com> <CAHbuEH6kMq2bQkCvWuY3pd8-81xt3VGfN4YoPV7cVhf1VehzoA@mail.gmail.com> <CALaySJJeNHOLM2q9tixVBGzgmVcbwbugJ73-vZ-QyNyUCXzNmw@mail.gmail.com> <F8822335-25E8-4A5A-A13C-05E9F16068B3@gmail.com> <CALaySJ+cH_v0fdO9dFwxgNZt71AcoBdQssJhb0NbOZvWB4EVJA@mail.gmail.com>
Date: Wed, 06 Jan 2016 18:47:14 -0500
Message-ID: <CAHbuEH450_sXw47Ee-fxvVxypCT-5xy6=CNVYwK5kz4eOnYceg@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/imapext/Aw6tDAs-cKAhNVJznXWbR4-InqM>
Cc: "draft-ietf-imapapnd-appendlimit-extension@ietf.org" <draft-ietf-imapapnd-appendlimit-extension@ietf.org>, "imapapnd-chairs@ietf.org" <imapapnd-chairs@ietf.org>, SM <sm+ietf@elandsys.com>, "imapext@ietf.org" <imapext@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [imapext] Kathleen Moriarty's No Objection on draft-ietf-imapapnd-appendlimit-extension-08: (with COMMENT)
X-BeenThere: imapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IMAP extensions <imapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/imapext>, <mailto:imapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/imapext/>
List-Post: <mailto:imapext@ietf.org>
List-Help: <mailto:imapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/imapext>, <mailto:imapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2016 23:47:18 -0000

On Wed, Jan 6, 2016 at 5:39 PM, Barry Leiba <barryleiba@computer.org> wrote:
>>>> "But with this extension, the attacker can immediately choose a value
>>>> that's a little too large,"
>>>>
>>>> It doesn't read well to me.  Why would they chose a value that's a
>>>> little too large?  Too large for what?  They already have the size
>>>> limit per server or per mailbox.  Does this mean they will send a
>>>> bunch of messages with the append size maxed out for the mailbox or
>>>> the server to fill the quota?
>>>
>>> The point of the attack isn't filling a mailbox; it's sending
>>> boatloads of data to the server.  Suppose there's a limit of 2 MB.  If
>>> the client sends 2 MB messages repeatedly, those messages will
>>> eventually cause the mailbox to hit the quota, and further attempts to
>>> bombard the server will be rejected.  But messages that are, say,
>>> 2.1MB will fail to append (the server will respond "NO" to them), and
>>> the client can keep bombarding the server with such messages.  The
>>> text is trying to warn about that, suggesting that the server might
>>> "take a hard line" -- that is, take more serious action than just
>>> saying "NO" to the append attempts, but perhaps actually lock out the
>>> account until someone checks out the situation.
>>
>> This point wasn't clear to me from the current text.  I'd suggest updating it to make it more clear.
>
> I think it is, so please suggest specific text that you think will
> help clarify it for you.

If we go back to my original comment, the last one:

"Then, it's a common security programming practice to enforce size
limitations in code.  Why is there a focus on an attacker sending
append content that exceeds the allowable size rather than just saying
that such append content should be rejected?"

This gets at the crux of the text in the security considerations
section.  This is essentially what's recommended, but take a round
about way to get to this recommendation.  Exceeding the allowed sizes
is not permitted to prevent this 'attack'.

You can leave it as-is, but I think the text can be more clear by
eliminating most of the introduction to the actual recommendation.


>
>>>> Why isn't it explicit in that such messages should/MUST be rejected?
>>>
>>> The messages themselves will be rejected (they APPEND command will get
>>> "NO" for a response), but the damage -- the sending of a lot of data
>>> unnecessarily -- will have already been done.
>>
>> Can this be made more clear as well?  It's not in the current text.
>
> No, it's not, because it's how IMAP works.  This really isn't
> something we need to make clear here: anyone implementing this already
> knows this and will already be doing it.  This is only about
> advertising an APPEND limit, not about how APPEND works and how you
> say "NO" to an APPEND command.

Barry, my comments are about that limit and I think drafts should be
readable by more than just those who implement mail (in this case).
The last sentences of the security considerations section contains the
same point I am making, but it takes a while to get to that
recommendation, so I'm not really sure why you are arguing this point
and thinking I am talking about anything other than the APPEND limit.

It says:

" To mitigate this
   extension's input to such an attack, a server might take a harder
   line on message sizes that are above the APPENDLIMIT value -- because
   the client knows the limit and should not even be trying to send such
   commands, a server might consider even a single attempt to be
   abusive, and terminate the IMAP connection straight away."

The whole section could be reduced by starting with this
recommendation and just stating that it prevents attacks on resources
by rejecting messages with sizes above the append limit.  There may be
other attacks that are guarded against with this recommendation as
well, so why limit it to this specific example and why lead with the
example.  I think it's more straightforward to just have the
recommendation and that it is to prevent attacks on resources.

If you don't want to fix it, that's fine.  It's just a comment.

Kathleen

>
> Barry



-- 

Best regards,
Kathleen

v2.30.2 | Report a Bug | By Email | System Status