Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06

Jayantheesh S B <j.sb@sea.samsung.com> Fri, 18 December 2015 00:08 UTC

From: Jayantheesh S B <j.sb@sea.samsung.com>
To: Barry Leiba <barryleiba@computer.org>
Date: Fri, 18 Dec 2015 00:08:11 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/imapext/O2pOUugnWYJFhtdnlaO2stf6gGo>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Narendra Bisht <ns.bisht@sea.samsung.com>, "S Moonesamy (sm+ietf@elandnews.com)" <sm+ietf@elandnews.com>, "S Moonesamy (sm+ietf@elandsys.com)" <sm+ietf@elandsys.com>, "imapext@ietf.org" <imapext@ietf.org>
Subject: Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06

Thanks Barry.

We have updated Section 6 with the proposed text.

Please find the latest one attached. If everyone is fine with this version, I will upload the same.

Regards,
Jay

-----Original Message-----
From: barryleiba@gmail.com [mailto:barryleiba@gmail.com] On Behalf Of Barry Leiba
Sent: Thursday, December 17, 2015 6:21 PM
To: Jayantheesh S B
Cc: Narendra Bisht; Alexey Melnikov; imapext@ietf.org; S Moonesamy (sm+ietf@elandsys.com); S Moonesamy (sm+ietf@elandnews.com)
Subject: Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06

> Say a server has a limit of 50 MB. Before this extension, an attacker 
> first tries to APPEND 25 MB and it succeeds.
> Then he tries 40MB and that too succeeds. Finally he tries 60 MB to
> find the limit of server and use that as start of attack. With this 
> extension the attacker can find the limit in no time, making it easy 
> for him to attack.

OK, I see the point now.  It seems a little thin (but, then, the document does already say it is) -- I can just try to append 300MB, using non-synch literal, right from the start.

But perhaps this will be more satisfying:

OLD
   The IMAP APPENDLIMIT extension described in this document can
   conceivably be used to facilitate Denial-of-Service attacks.
   Specifically, the information contained in the APPENDLIMIT capability
   and use of the APPEND command make it somewhat quicker and easier to
   devise an efficacious Denial-of-Service attack.  However, unless
   implementations are very weak, these extensions do not create any
   vulnerability that has not always existed with IMAP.
NEW
   The IMAP APPENDLIMIT extension described in this document can
   conceivably be used to facilitate Denial-of-Service attacks by allowing
   an attacker to home in on a critical value right away.  The attacker
   might want to send a large data block to the server repeatedly,
   forcing the server to process the block, but would not want to limit
   the scope of its attack by filling an actual mailbox with successful
   appends.  Without this extension, the attacker needs to guess: a
   too-small guess results in an appended message that takes up the
   user's quota, while a far-too-large guess might simply cause the
   server to terminate the connection because of suspected abuse.

   But with this extension, the attacker can immediately choose a
   value that's a little too large, but not so much as to trigger an "abuse"
   response, making it easier to mount such an attack.

   To mitigate this extension's input to such an attack, a server might
   take a harder line on message sizes that are above the APPENDLIMIT
   value -- because the client knows the limit and should not even be
   trying to send such commands, a server might consider even a single
   attempt to be abusive, and terminate the IMAP connection straight
   away.
END

How's that work for you?

Barry
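
The mitigation proposed in the NEW text above, sketched as a server-side size check; this is an added example, not part of the original message or of the draft. The function name, reply strings and sample command lines are constructed, the 50 MB limit is the figure used in the thread, and the TOOBIG response code is the one defined in RFC 4469.

```python
import re

# Trailing literal size of an APPEND command line:
# "{N}" is a synchronizing literal, "{N+}" a non-synchronizing one (LITERAL+).
APPEND_RE = re.compile(rb"^(\S+) APPEND .*\{(\d+)(\+?)\}$", re.IGNORECASE)

APPENDLIMIT = 50 * 1024 * 1024  # limit the server advertises (thread's example)


def check_append(line: bytes, limit: int = APPENDLIMIT, strict: bool = True):
    """Decide what to do with one command line before any literal is read.

    Returns (action, reply) where action is "accept", "reject" (tagged NO,
    connection stays open) or "disconnect" (untagged BYE, then close).
    """
    m = APPEND_RE.match(line.rstrip(b"\r\n"))
    if m is None:
        return "accept", b""  # not an APPEND carrying a literal
    tag, size, nonsync = m.group(1), int(m.group(2)), bool(m.group(3))

    if size <= limit:
        # A synchronizing literal needs a continuation request first;
        # a non-synchronizing one is already on its way.
        return "accept", (b"" if nonsync else b"+ Ready for literal data\r\n")

    if strict or nonsync:
        # Strict policy from the proposed text: the limit was advertised,
        # so a single over-limit attempt is treated as abusive.
        # Design choice of this example: an over-limit non-synchronizing
        # literal is also dropped in lenient mode, because the alternative
        # is to read and discard the whole block, which is exactly the
        # work the attacker wants the server to do.
        return "disconnect", b"* BYE APPEND exceeds advertised APPENDLIMIT\r\n"

    # Lenient mode, synchronizing literal: refuse before any data is sent.
    return "reject", tag + b" NO [TOOBIG] APPEND exceeds APPENDLIMIT\r\n"


if __name__ == "__main__":
    # Constructed sample command lines.
    for cmd in (b"A1 APPEND INBOX {26214400}\r\n",      # 25 MB, under limit
                b"A2 APPEND INBOX {62914560}\r\n",      # 60 MB, synchronizing
                b"A3 APPEND INBOX {314572800+}\r\n"):   # 300 MB, non-synch
        print(cmd.strip(), check_append(cmd), check_append(cmd, strict=False))
```

Because the decision is made from the size announced in the command line, the server never has to buffer or parse the oversized block in either mode.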