Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06
Jayantheesh S B <j.sb@sea.samsung.com> Fri, 18 December 2015 15:25 UTC
From: Jayantheesh S B <j.sb@sea.samsung.com>
To: Jayantheesh S B <j.sb@sea.samsung.com>, Barry Leiba <barryleiba@computer.org>
Date: Fri, 18 Dec 2015 15:25:51 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/imapext/Oo3sBy1oDqXFrqUcVAozn3_CGwI>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Narendra Bisht <ns.bisht@sea.samsung.com>, "S Moonesamy (sm+ietf@elandnews.com)" <sm+ietf@elandnews.com>, "S Moonesamy (sm+ietf@elandsys.com)" <sm+ietf@elandsys.com>, "imapext@ietf.org" <imapext@ietf.org>
Subject: Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06

Hi All,

If everybody is fine with this version of the draft, shall I upload it?
Kindly share your comments.

Regards,
Jay

-----Original Message-----
From: imapext [mailto:imapext-bounces@ietf.org] On Behalf Of Jayantheesh S B
Sent: Thursday, December 17, 2015 7:08 PM
To: Barry Leiba
Cc: Alexey Melnikov; Narendra Bisht; S Moonesamy (sm+ietf@elandnews.com); S Moonesamy (sm+ietf@elandsys.com); imapext@ietf.org
Subject: Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06

Thanks Barry.

We have updated Section 6 with the proposed text. Please find the latest one attached.
If everyone is fine with this version, I will upload the same.

Regards,
Jay

-----Original Message-----
From: barryleiba@gmail.com [mailto:barryleiba@gmail.com] On Behalf Of Barry Leiba
Sent: Thursday, December 17, 2015 6:21 PM
To: Jayantheesh S B
Cc: Narendra Bisht; Alexey Melnikov; imapext@ietf.org; S Moonesamy (sm+ietf@elandsys.com); S Moonesamy (sm+ietf@elandnews.com)
Subject: Re: [imapext] AD review of draft-ietf-imapapnd-appendlimit-extension-06

> Say a server has a limit of 50 MB. Before this extension, an attacker
> first tries to APPEND 25 MB and it succeeds.
> Then he tries 40MB and that too succeeds. Finally he tries 60 MB to
> find the limit of server and use that as start of attack. With this
> extension the attacker can find the limit in no time, making it easy
> for him to attack.

OK, I see the point now. It seems a little thin (but, then, the document does already say it is) -- I can just try to append 300MB, using non-synch literal, right from the start. But perhaps this will be more satisfying:

OLD
The IMAP APPENDLIMIT extension described in this document can conceivably be used to facilitate Denial-of-Service attacks. Specifically, the information contained in the APPENDLIMIT capability and use of the APPEND command make it somewhat quicker and easier to devise an efficacious Denial-of-Service attack. However, unless implementations are very weak, these extensions do not create any vulnerability that has not always existed with IMAP.

NEW
The IMAP APPENDLIMIT extension described in this document can conceivably be used to facilitate Denial-of-Service attacks by allowing an attacker to home in on a critical value right away. The attacker might want to send a large data block to the server repeatedly, forcing the server to process the block, but would not want to limit the scope of its attack by filling an actual mailbox with successful appends. Without this extension, the attacker needs to guess: a too-small guess results in an appended message that takes up the user's quota, while a far-too-large guess might simply cause the server to terminate the connection because of suspected abuse. But with this extension, the attacker can immediately choose a value that's a little too large, but not so much as to trigger an "abuse" response, making it easier to mount such an attack.

To mitigate this extension's input to such an attack, a server might take a harder line on message sizes that are above the APPENDLIMIT value -- because the client knows the limit and should not even be trying to send such commands, a server might consider even a single attempt to be abusive, and terminate the IMAP connection straight away.
END

How's that work for you?

Barry
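
The server-side mitigation proposed in the NEW text above, sketched as an added example; it is not part of the original message or of the draft. The names `check_append`, `strict` and `APPEND_LIMIT` are hypothetical and the reply wording is constructed; the `{n+}` form is the non-synchronizing literal of RFC 2088, and `TOOBIG` is the response code the published APPENDLIMIT specification uses for an over-limit APPEND.

```python
import re

APPEND_LIMIT = 50 * 1024 * 1024   # the 50 MB figure used in the message above

# An APPEND command line ends in a literal marker: {n} is a synchronizing
# literal, {n+} a non-synchronizing one (LITERAL+, RFC 2088).
APPEND_RE = re.compile(rb"^(\S+) APPEND (.+) \{(\d+)(\+?)\}\r\n$", re.I | re.S)


def check_append(line, limit=APPEND_LIMIT, strict=True):
    """Decide how to answer an APPEND line before any literal byte is read.

    Returns (action, reply) with action "accept", "reject" or "disconnect".
    strict=True is the harder line from the NEW text: one oversize attempt
    ends the connection. Reply wording is constructed for this example.
    """
    m = APPEND_RE.match(line)
    if m is None:
        return "reject", b"* BAD expected APPEND with a literal\r\n"
    tag, size, nonsync = m.group(1), int(m.group(3)), bool(m.group(4))
    if size <= limit:
        # Only a synchronizing literal waits for a continuation request.
        return "accept", b"" if nonsync else b"+ Ready for literal data\r\n"
    if strict or nonsync:
        # A non-synchronizing literal is already in flight, so the server
        # would otherwise have to read and discard all of it; closing the
        # connection is the only way to avoid processing the block.
        return "disconnect", b"* BYE APPEND larger than advertised APPENDLIMIT\r\n"
    # Lenient path: refuse before sending "+", so no data is transferred.
    return "reject", tag + b" NO [TOOBIG] message exceeds APPENDLIMIT\r\n"


if __name__ == "__main__":
    # Constructed command lines: 25 MB and 60 MB, as in the quoted scenario.
    for cmd in (b"a1 APPEND INBOX {26214400}\r\n",
                b"a2 APPEND INBOX {62914560}\r\n",
                b"a3 APPEND INBOX (\\Seen) {62914560+}\r\n"):
        print(cmd.strip(), "->", check_append(cmd))
```

The size is checked from the command line alone, so the decision is made before the server commits memory or disk to the literal.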