Re: [lp-wan] [Last-Call] Secdir last call partial review of draft-ietf-lpwan-coap-static-context-hc-12
Ana Minaburo <ana@ackl.io> Tue, 26 May 2020 16:46 UTC
Return-Path: <ana@ackl.io>
X-Original-To: lp-wan@ietfa.amsl.com
Delivered-To: lp-wan@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5299C3A0A8B for <lp-wan@ietfa.amsl.com>; Tue, 26 May 2020 09:46:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ackl-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jiOT1M1LBuJo for <lp-wan@ietfa.amsl.com>; Tue, 26 May 2020 09:46:06 -0700 (PDT)
Received: from mail-il1-x132.google.com (mail-il1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84FCA3A0A8E for <lp-wan@ietf.org>; Tue, 26 May 2020 09:46:06 -0700 (PDT)
Received: by mail-il1-x132.google.com with SMTP id w18so21067826ilm.13 for <lp-wan@ietf.org>; Tue, 26 May 2020 09:46:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ackl-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F9IdecfGG091m5X5fhyHhz5I8QzTQ+cd/EAt3uo+bCE=; b=bmK9mK7LtP4OPTdBW5K1qgQRkOycXfehnzKI4RQHrrPOmex655wITF1VAWN9TYGgTW 9xTlg4nnDfc2Hh7Sq0l2xFYJgWt0MHWLQTWRSqhk3Z9iCB8Nb+oOw21KmXUbgBzfHUXV oQQJP0UMkfx4Hmfry4Qgbup11G5fPsNRrGKbck0KNSCTGx/cspetHuapfF+8WxbicMvf OjtysqxJaQqwzXgT73JqgH7DjJwz0ZFuXKFeI/FY31kze/jfpCJAKxu7yQeo4kb+vZBL X8RR97yLp+DbY6eN2RxD7oQZPWBsZzC0MGi7KMErehhibL05kZIdP96Ew8MfjAND4sKE OJdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F9IdecfGG091m5X5fhyHhz5I8QzTQ+cd/EAt3uo+bCE=; b=IVoDanXWNxNLh9Jorv4wQjQy64iIhfgbqAGoMILGgboB7MCijK8OBrQgO0w8b0R3nT HD9zsKgl8kJWhDIrZPj/IHqZKnYwCBpHMy2adiD6Fu01961MzumTbIf0Q0pNAeTIzMBL tj1S92wq8foNeV5QpV0jsWiMp5xp71/XokXYOu5vjESTLGalQo9hk+zTh4fssclJxjZ5 0SH/rNxXBo48nn2jdaoTjDPErCeen+xNY2qMhNJaIFDoGSeJXh6aPtOnnv2QPucgheu+ j+WwY9uFz7hVIxK1dW/Tie1LSMHYs6gRtfbdPM0r9cKJv5aLagPI03yLbVmt5Q19/1lY kvDg==
X-Gm-Message-State: AOAM533aVmDWwoNR3WhSIcPXv8lNBxMjlFPgdJEmYcoQcLfckp+9gm3J RqIwkJKIwEtkdLikqjdumDpHHOhkk7hOeOVMNs2CmA==
X-Google-Smtp-Source: ABdhPJxBAU/QjsnLwcCbXZcibIuKG2PH+1NIyP4SM2vg64cYaeFacG45pCpJpSf3o7O+ZebggBqRATMlulmHotcleGM=
X-Received: by 2002:a92:d6cc:: with SMTP id z12mr1902574ilp.179.1590511564673; Tue, 26 May 2020 09:46:04 -0700 (PDT)
MIME-Version: 1.0
References: <158231113340.29033.17150460168186400041@ietfa.amsl.com> <20200221202332.GC53538@kduck.mit.edu>
In-Reply-To: <20200221202332.GC53538@kduck.mit.edu>
From: Ana Minaburo <ana@ackl.io>
Date: Tue, 26 May 2020 18:45:38 +0200
Message-ID: <CAAbr+nTkerPwSqihv=YTJ6g52xOFS1Kzt9-U7L4cJ+okVKZ4SQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Paul Wouters <paul@nohats.ca>, secdir@ietf.org, lp-wan <lp-wan@ietf.org>, last-call@ietf.org, draft-ietf-lpwan-coap-static-context-hc.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d2df0505a68fd4c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lp-wan/k_Szxg7O_9n6nGe6VVJmz_ABGZc>
Subject: Re: [lp-wan] [Last-Call] Secdir last call partial review of draft-ietf-lpwan-coap-static-context-hc-12
X-BeenThere: lp-wan@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Low-Power Wide Area Networking \(LP-WAN\), also known as LPWA or Low-Rate WAN \(LR-WAN\)" <lp-wan.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lp-wan>, <mailto:lp-wan-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lp-wan/>
List-Post: <mailto:lp-wan@ietf.org>
List-Help: <mailto:lp-wan-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lp-wan>, <mailto:lp-wan-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2020 16:46:08 -0000
Thank you for your review, a new version of the draft has been published today with a new security section. We have discussed this section during the virtual IETF meeting taking your inputs into account. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-lpwan-coap-static-context-hc/ Ana On Fri, Feb 21, 2020 at 9:23 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > Hi Paul, > > Thanks for doing the review and raising the potentially serious issues. > > On Fri, Feb 21, 2020 at 10:52:13AM -0800, Paul Wouters via Datatracker > wrote: > > > > Review is partially done. Another assignment may be needed to complete > it. > > > > Reviewer: Paul Wouters > > Review result: Serious Issues > > > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > > IESG. These comments were written primarily for the benefit of the > > security area directors. Document editors and WG chairs should treat > > these comments just like any other last call comments. > > > > I agree with the comments raised by the genart review by Theresa > Enghardt. The > > Security Section is just a reference to another document that specifies > in its > > own Security Consideration: > > > > As explained in Section 5, SCHC is expected to be implemented on top > > of LPWAN technologies, which are expected to implement security > > measures. > > > > This document explains that packets are wrapped in CoAP and then this > document > > can be used to compress fields, similar to the references document. But > now > > this is happening in the most outer layer, which the referenced document > > basically states that in its Security Considerations, it assumes the > outer > > layer has some kind of LPWAN based security meassures in place. > > > > It seems these two drafts need some coordination to determine where, how > and > > which Security Considerations are relevant. > > It does seem like it, since CoAP is not guaranteed to be used over a > physical medium with integrated security technologies (though many expected > use cases do). > > > Additionally, I'm a bit worried about multiple layers doing compression. > Can > > this lead to security issues? If not, why not? > > > > Where is it sais that compression states need to be checked for bogus > > instructions? How are these prevented? Think of the ever-decompressing > zip file > > hacks of the past. How are these DoS attacks prevented ? > > I think the "static context" nature of this compression mechanism prevents > issues with near-infinite expansion, at least, though there would of course > still be room for bugs when handling noncompliant input. > > -Ben > > > Other than this issue, I found Section 1 Introducion a bit confusing. It > seems > > to drop a reference to another document and then explain that other > document, > > without really talking about this document? Or if it does, it was not > very > > clear to me. > > > > I did not review this document for nits - my apologies but I ran out of > time. > > > > > > -- > > last-call mailing list > > last-call@ietf.org > > https://www.ietf.org/mailman/listinfo/last-call >
- [lp-wan] Secdir last call partial review of draft… Paul Wouters via Datatracker
- Re: [lp-wan] [Last-Call] Secdir last call partial… Benjamin Kaduk
- Re: [lp-wan] [Last-Call] Secdir last call partial… Ana Minaburo