[mile] Benjamin Kaduk's Discuss on draft-ietf-mile-xmpp-grid-10: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Mon, 25 March 2019 21:40 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: mile@ietf.org
Delivered-To: mile@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 434681200F5; Mon, 25 Mar 2019 14:40:32 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-mile-xmpp-grid@ietf.org, mile@ietf.org, Takeshi Takahashi <takeshi_takahashi@nict.go.jp>, mile-chairs@ietf.org, mile-chairs@ietf.org, takeshi_takahashi@nict.go.jp, mile@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <155355003226.24676.11013184390807731904.idtracker@ietfa.amsl.com>
Date: Mon, 25 Mar 2019 14:40:32 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/Q96qysesinEKvoO_4hvlYnwIZF4>
Subject: [mile] Benjamin Kaduk's Discuss on draft-ietf-mile-xmpp-grid-10: (with DISCUSS and COMMENT)
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 21:40:33 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-mile-xmpp-grid-10: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-mile-xmpp-grid/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thank you for updating to describe this document as essentially an RFC206-style applicability statement; that helps a lot to frame what it is intending to deliver, and the other updates are improvements as well. That said, I think a couple of my DISCUSS points remain applicable: Section 8.2.3 still has text about how an XMPP Grid Controller could obtain XMPP-Grid Platform credentials and impersonate the XMPP Grid Platform even after the breach of the XMPP Grid Controller is repaired. The current MTI SASL mechanisms do not give the controller that ability, and it's only bad mechanisms like PLAIN that involve sending cleartext passwords/bearer tokens to the server that give an attacker that compromises the controller this ability. I think we need to clarify that this depends on the SASL mechanism used, and that the MTI mechanisms are not vulnerable to this attack. Suggested change: OLD: o Obtain and cache XMPP-Grid Platform credentials so they can be used to impersonate XMPP-Grid Platforms even after a breach of the XMPP-Grid Controller is repaired NEW: o Obtain and cache XMPP-Grid Platform credentials so they can be used to impersonate XMPP-Grid Platforms even after a breach of the XMPP-Grid Controller is repaired. Some SASL mechanisms (including the mandatory-to-implement SCRAM and EXTERNAL with TLS mutual certificate-based authentication) do not admit this class of attack, but others (such as PLAIN) are susceptible. The secdir review notes that the full implications of the participants' access to plaintext data are not covered. (This also relates to Ben's discuss point (2).) Some of them are covered by existing text, e.g., the trust model's instistence that the platforms preserve the confidentiality of sensitive data, but others are not. I repeat here the portions of the COMMENT section that seem relevant: Section 8.1.3 The controller is also trusted to preserve the integrity (and confidentiality against unauthorized parties) of the data flowing through it. Section 8.2.2 The authorized platform could advertise data that is incorrect with the intent to lead to incorrect actions by the recipients, without needing to exploit vulnerabilities in other systems or compromising them. Suggested additions: Section 8.1.3: o Preserve the integrity (and confidentiality against unauthorized parties) of the data flowing through it. Section 8.2.2 Advertise false data that leads to incorrect (e.g., potentially attacker-controlled or -induced) behavior of XMPP-Grid Platforms, by virtue of applying correct procdeures to the falsified input. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Section 1 In the vein of Alissa's comments, I think this section is missing a high-level technical view, perhaps something like: The XMPP Grid does not introduce any new protocols or technologies, but rather describes a scheme by which XMPP pubsub functionality is used to quickly and efficiently distribute information relating to security incidents and their detection, potentially scaling to 100,000s of subscribers. XMPP service discovery allows for entities to learn about content distributed via the XMPP Grid via the registered "pubsub#type" identifiers, which also indicate the format of the data being distributed. It could also benefit from some more text placing this tool within the broader MILE scope. Section 4 The Platform in item (a) is only listed as having a source of security data, in which case I would expect the "typical" workflow to only involve it needing to publish, and not necessarily to subscribe or query. While I recognize that a typical workflow will include both publishing and subscribing, it may be worth mentioning that this Platform also desires to receive some information as well as having a source for it. Section 5 The Broker responds with the "disco#info" description, which SHOULD include an XMPP Data Form [XEP-0004] including a 'pubsub#type' field that specifies the supported namespace (in this example, the IODEF namespace defined in [RFC7970]): Isn't this more of a "the MILE XMPP grid won't work at all if you don't include a pubsub#type field that indicates iodef payloads"? I could see doing this as descriptive text about what happens, or as a MUST, but the SHOULD just doesn't seem right. Section 8 An XMPP-Grid Controller serves as an controlling broker for XMPP-Grid Platforms such as Enforcement Points, Policy Servers, CMDBs, and Sensors, using a publish-subscribe-search model of information exchange and lookup. [...] This jumps in quite quickly, using these terms that have not previously been defined and are part of a broader architecture that is not directly relevant to understanding this protocol. Is it necessary to mention them just in passing like this without other discussion? Section 8.1.3 The controller is also trusted to preserve the integrity (and confidentiality against unauthorized parties) of the data flowing through it. Section 8.2.2 The authorized platform could advertise data that is incorrect with the intent to lead to incorrect actions by the recipients, without needing to exploit vulnerabilities in other systems or compromising them. Section 8.2.3 o Mount an even more effective denial of service attack than a single XMPP-Grid Platform could There seem to be a number of ways in which the DoS effectiveness could be increased by a controller (compared to a platform), whether by inducing the many platforms to perform the same operation in an amplification-style attack, completely refusing to pass any traffic at all, sending floods of traffic to (certain) platforms or other targets, or otherwise. Do we care to make a distinction among them, or is that not helpful at this level of granularity? o Obtain and cache XMPP-Grid Platform credentials so they can be used to impersonate XMPP-Grid Platforms even after a breach of the XMPP-Grid Controller is repaired This would require that platforms are using things like SASL PLAIN authentication, and would not be possible if TLS mutual authentication or some other proof-of-possession-based authentication scheme is used for client authentication and authorization. It seems important to reiterate this distinction and point out the risks inherent in transmitting passwords to the remote party for verification. Furthermore, since Section 8.3.1 instructs us that we can only use SASL EXTERNAL or SCRAM, this sort of credential scraping would only occur if the EXTERNAL mechanism used permits it (which I believe to be somewhat unlikely), or if clients were misconfigured to allow non-permitted SASL mechanisms (which is, unfortunately, fairly likely to be the case somewhere). This behavior, particularly the risk of client misconfiguration, should be called out somewhere in the security considerations. o Obtain and cache XMPP-Grid Controller administrator credentials so they can be used to regain control of the XMPP-Grid Controller after the breach of the XMPP-Grid Controller is repaired (This also requires the use of non-proof-of-possession authentication schemes.) Section 8.3.1 be carried over TLS (minimally TLS 1.2 [RFC8446]) as described in [RFC6120] and updated by [RFC7590]. The XMPP-Grid Platform MUST Citing RFC 8446 (TLS 1.3) for TLS 1.2 is rather strange. The selection of which XMPP-Grid Platform authentication technique to use in any particular deployment is left to the administrator. But from a very short list of options! Why do we need to prevent the usage of other, equally secure, SASL mechanisms, for example, all the GSS-API mechanisms available via GS2 bridging? Section 8.3.2 The XMPP-Grid Controller MAY provide functional templates so that the administrator can configure a specific XMPP-Grid Platform as a DHCP [RFC2131] server and authorize only the operations and metadata types needed by a DHCP server to be permitted for that XMPP-Grid Platform. [...] Why is DHCP so privilged to be the only application protocol called out explicitly here? It seems that this is just an example and the same profiling/resterictions could be applied for any application protocol. unusual XMPP-Grid Platform behavior. XMPP-Grid Controllers SHOULD make it easy to revoke an XMPP-Grid Platform's authorization when I don't think "SHOULD make it easy" is particularly actionable for a normative requirement. Similarly for "SHOULD be hardened" in the next paragraph. Section 8.3.3 Administrators SHOULD NOT use password-based authentication but should instead use non-reusable credentials and multi-factor authentication (where available). [...] [see previous remarks about permitted SASL mechanisms] Section 8.3.5 While XMPP-Grid is designed for high scalability to 100,000s of Platforms, [...] Where is this documented? Section 8.3.6 nit?: I would not really describe CT as a "guideline for proper CA security", but rather a tool for discovering failures to maintain proper CA security. I think we need to be careful about recommending pinning, since it introduces a new DoS vector when there is a legitimate need to change certificates. If we're talking about pinning, we would presumably also want to recommend against pinning EE certificates and only intermediate or root CAs, and to have monitoring for imminent expiration events. Section 9 Another consideration for deployers is to enable end-to-end encryption to ensure the data is protected from the data layer to data layer and thus protect it from the transport layer. It's probably worth a(nother?) reminder that the mechanisms for doing so are out of scope for this document.
- [mile] Benjamin Kaduk's Discuss on draft-ietf-mil… Benjamin Kaduk via Datatracker
- Re: [mile] Benjamin Kaduk's Discuss on draft-ietf… Peter Saint-Andre