IETF Logo Mail Archive

Re: [imapext] Kathleen Moriarty's No Objection on draft-ietf-imapapnd-appendlimit-extension-08: (with COMMENT)

Barry Leiba <barryleiba@computer.org> Wed, 06 January 2016 05:08 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: imapext@ietfa.amsl.com
Delivered-To: imapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9A721A9130; Tue, 5 Jan 2016 21:08:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5sLJ5qiXGuQp; Tue, 5 Jan 2016 21:08:31 -0800 (PST)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72B5B1A9129; Tue, 5 Jan 2016 21:08:31 -0800 (PST)
Received: by mail-ig0-x22b.google.com with SMTP id ik10so25575467igb.1; Tue, 05 Jan 2016 21:08:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=hbLaF9xgtepjMdu0qM9TQmAPXs4mjOQ9IC0EGKgzFVs=; b=QP+6wuSjQElapLPy/Upm2qCA1H2kzomVOcGMxYl63H33NGAPf2i9qwT8ZEGV8ubTNu V+q0gz7GRag56DZZOCtxEAQ1fnGe6Mt3n5WIkhejP0IZE6VJEfjruNDokidABxdfEcQC 6k104MZ2mLzc6KmciuKBkrOmTuWabVm32LKcq2k09sRvhz1oM+rHSjfnxBoCpuX5209L UewO8qAD76mKCREnF3n3TIJeF8nev35SUPHZZANj+6+pbsukz0SJCKS3/rS45bRErL/K eHNebtVwv1zfffWot3EaCafAF3Lb31ne5mP4K5SKJXWV8rH7yBXCsS5USOfZ9vFU/wvQ Yzgg==
MIME-Version: 1.0
X-Received: by 10.51.17.39 with SMTP id gb7mr7954595igd.54.1452056910741; Tue, 05 Jan 2016 21:08:30 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.36.117.83 with HTTP; Tue, 5 Jan 2016 21:08:30 -0800 (PST)
In-Reply-To: <CAHbuEH6kMq2bQkCvWuY3pd8-81xt3VGfN4YoPV7cVhf1VehzoA@mail.gmail.com>
References: <20160106012803.29192.54119.idtracker@ietfa.amsl.com> <CALaySJLo3o7j2qJNxrLaGKntHhURme=tTy5vCPM9sDR7NU4hVg@mail.gmail.com> <CAHbuEH6kMq2bQkCvWuY3pd8-81xt3VGfN4YoPV7cVhf1VehzoA@mail.gmail.com>
Date: Wed, 06 Jan 2016 13:08:30 +0800
X-Google-Sender-Auth: sP0prs2qD0kt03TqMzxjs08V8Vk
Message-ID: <CALaySJJeNHOLM2q9tixVBGzgmVcbwbugJ73-vZ-QyNyUCXzNmw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/imapext/xafH_0H7ZHSAsB3y9TVmENSgfkM>
Cc: draft-ietf-imapapnd-appendlimit-extension@ietf.org, SM <sm+ietf@elandsys.com>, The IESG <iesg@ietf.org>, "imapext@ietf.org" <imapext@ietf.org>, imapapnd-chairs@ietf.org
Subject: Re: [imapext] Kathleen Moriarty's No Objection on draft-ietf-imapapnd-appendlimit-extension-08: (with COMMENT)
X-BeenThere: imapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IMAP extensions <imapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/imapext>, <mailto:imapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/imapext/>
List-Post: <mailto:imapext@ietf.org>
List-Help: <mailto:imapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/imapext>, <mailto:imapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2016 05:08:32 -0000

>> This extension is about limiting the size of a single message, because
>> servers have such limitations and currently have no way to tell the
>> client about them.  The only purpose of this extension is to let a
>> client discover a server's size limit for a single message.
>
> In section 3, it also discusses per mailbox limitations.  The draft
> covers both the option for this extension being used for the server
> and on a per mailbox basis.  This also comes up in the security
> considerations section.

Server-wide limits and per-mailbox limits are no different with regard
to any security considerations.  I don't see where the Security
Considerations section says that they are.  Can you point to specific
text?

>> The security considerations need to be about how that knowledge can be
>> used to breach security.  The answer to that is "it can't, really",
>> but the one issue we came up with is documented there.
>>
>> Do you have any specific security considerations to suggest that are
>> specific to this extension: the ability for a client to discover what
>> a server's policy limit is on the size of a single message?
>
> The security considerations section doesn't read well IMO.

That's entirely possible.

> When it gets to the following sentence:
>
> "But with this extension, the attacker can immediately choose a value
> that's a little too large,"
>
> It doesn't read well to me.  Why would they chose a value that's a
> little too large?  Too large for what?  They already have the size
> limit per server or per mailbox.  Does this mean they will send a
> bunch of messages with the append size maxed out for the mailbox or
> the server to fill the quota?

The point of the attack isn't filling a mailbox; it's sending
boatloads of data to the server.  Suppose there's a limit of 2 MB.  If
the client sends 2 MB messages repeatedly, those messages will
eventually cause the mailbox to hit the quota, and further attempts to
bombard the server will be rejected.  But messages that are, say,
2.1MB will fail to append (the server will respond "NO" to them), and
the client can keep bombarding the server with such messages.  The
text is trying to warn about that, suggesting that the server might
"take a hard line" -- that is, take more serious action than just
saying "NO" to the append attempts, but perhaps actually lock out the
account until someone checks out the situation.

> Why isn't it explicit in that such messages should/MUST be rejected?

The messages themselves will be rejected (they APPEND command will get
"NO" for a response), but the damage -- the sending of a lot of data
unnecessarily -- will have already been done.

> For the security consideration, this seems like an expected response
> to prevent additional problems (checking that size limitations are met
> to avoid buffer overrun scenarios in code).

This has nothing to do with buffer overruns.  Servers already have to
deal with arbitrary sizes for literals, and they will already allocate
buffers based on the literal size that the client sends.  Buffer
overruns are not an issue here, and this extension does nothing that
changes that.

Barry

v2.23.0 | Report a Bug | By Email