IETF Logo Mail Archive

Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-04

Sam Hartman <hartmans@mit.edu> Mon, 18 February 2019 21:39 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 011BB13104B for <kitten@ietfa.amsl.com>; Mon, 18 Feb 2019 13:39:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.253
X-Spam-Level:
X-Spam-Status: No, score=-0.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_DYNAMIC=0.982, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f7e91fp2KF7q for <kitten@ietfa.amsl.com>; Mon, 18 Feb 2019 13:39:15 -0800 (PST)
Received: from mail.suchdamage.org (ec2-52-9-186-167.us-west-1.compute.amazonaws.com [52.9.186.167]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0E28131051 for <kitten@ietf.org>; Mon, 18 Feb 2019 13:39:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.suchdamage.org (Postfix) with ESMTP id 3C3422BCF5; Mon, 18 Feb 2019 16:39:14 -0500 (EST)
Received: from mail.suchdamage.org ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jC623K0G6zaa; Mon, 18 Feb 2019 16:39:13 -0500 (EST)
Received: from carter-zimmerman.suchdamage.org (c-24-91-242-186.hsd1.ma.comcast.net [24.91.242.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) (Authenticated sender: hartmans-laptop) by mail.suchdamage.org (Postfix) with ESMTPSA; Mon, 18 Feb 2019 16:39:13 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4A9CFC0944; Mon, 18 Feb 2019 16:39:12 -0500 (EST)
From: Sam Hartman <hartmans@mit.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>
Cc: kitten@ietf.org
References: <tslbm38vl8h.fsf@suchdamage.org>
Date: Mon, 18 Feb 2019 16:39:12 -0500
In-Reply-To: <tslbm38vl8h.fsf@suchdamage.org> (Sam Hartman's message of "Mon, 18 Feb 2019 16:29:34 -0500")
Message-ID: <tslva1gu67z.fsf@suchdamage.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/UOMiUSi_NCCUYjQiNLCq3mYvRWY>
Subject: Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 21:39:17 -0000

>>>>> "Sam" == Sam Hartman <hartmans-ietf@mit.edu> writes:

nnel
    >> bindings to GSS_Accept_sec_context(), and b) not indicated
    >> support for the ret_channel_bound_flag flag, then the mechanism
    >> MUST fail to establish a security context if the initiator did
    >> not provide channel bindings data.  This requirement is critical
    >> for security purposes, to make applications predating this
    >> document secure, and this requirement reflects actual
    >> implementations as deployed.

    Sam> Actually, this behavior is inconsistent with RFC 7055 section
    Sam> 5.6.2 and with the Moonshot implementation of the ABFAB GSS-API
    Sam> mechanism.  In that mechanism, if the initiator provides null
    Sam> channel bindings, the acceptor channel bindings are always
    Sam> ignored.  I'm not seeing the security issue here.  If you are
    Sam> using channel bindings as a MITM defense rather than as an
    Sam> additional layer of security, you need to do something like
    Sam> SASL does and have a plus and minus varient of your protocol
    Sam> and always pass in channel bindings.

    Sam> There's also what I think is a real operational issue here.
    Sam> You may not be able to know what your channel bindings are on
    Sam> an acceptor.  Depending on whether you are behind a TLS
    Sam> accelerator, reverse proxy or the like, it may affect your
    Sam> ability to know your channel bindings.

I meant to go back and revise my review before sending.
I think it's something worth fixing that Kerberos and ABFAB have
inconsistent behavior here, and I do think it's worth standardizing.

I think  we're in a good position.  If we were to decide to relax the
behavior we'd be changing Kerberos in a manner where all authentications
that succeed today would continue to succeed.  Kerberos is much much
much more widely deployed than ABFAB.
If we were to decide to make the behavior as strict as described in this
draft, then we'd be potentially breaking valid uses of ABFAB, but I
think the ABFAB deployment is small enough that it is reasonable to do
that.

However, I think that the decision as to what to do should be based on
analysis of applications where one side uses channel bindings and the
other does not.  Since I'm not actually aware of any significant
applications that do that, I'll hold off until my previous question on
that issue is answered before forming my opinion on the correct
behavior.

v2.23.0 | Report a Bug | By Email