Re: [mile] Ben Campbell's Discuss on draft-ietf-mile-xmpp-grid-09: (with DISCUSS and COMMENT)

Ben Campbell <ben@nostrum.com> Mon, 25 March 2019 13:54 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6755120470; Mon, 25 Mar 2019 06:54:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.679
X-Spam-Level:
X-Spam-Status: No, score=-1.679 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QX2qZFYM7Zvh; Mon, 25 Mar 2019 06:54:34 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E43A120475; Mon, 25 Mar 2019 06:54:30 -0700 (PDT)
Received: from dhcp-9259.meeting.ietf.org (dhcp-9259.meeting.ietf.org [31.133.146.89]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id x2PDraAq016256 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 25 Mar 2019 08:53:42 -0500 (CDT) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1553522068; bh=JdlvUOsmCDhgr7SqZYh06/hk4UxEfsALU4ugfgs2hVE=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=dv//ajUecsmZ4s8YMdI9dZm2yGNiinCzagF3Bvmi0m8CvRO8liT0HCjM2zutAywEd 8tDR0RpLAVPi27jZJDchfcCVJZk6kXNJrcmwtal7D8CS8n+Y5RjEIclznp3oTDFVXf 3gphVHeusHG/EYUK/aiqA69J+kROfIGXh69nOjY8=
From: Ben Campbell <ben@nostrum.com>
Message-Id: <D6708F32-5073-4CB8-84EF-0E2035D5323A@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_01ACBAE0-5D31-42A4-86F5-17288A7FF5EC"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Mon, 25 Mar 2019 14:53:32 +0100
In-Reply-To: <1d13de82-402c-a22c-c6af-8f12af72a389@mozilla.com>
Cc: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, The IESG <iesg@ietf.org>, "draft-ietf-mile-xmpp-grid@ietf.org" <draft-ietf-mile-xmpp-grid@ietf.org>, "mile@ietf.org" <mile@ietf.org>, "mile-chairs@tools.ietf.org" <mile-chairs@tools.ietf.org>, Takeshi Takahashi <takeshi_takahashi@nict.go.jp>, "mile-chairs@ietf.org" <mile-chairs@ietf.org>
To: Peter Saint-Andre <stpeter@mozilla.com>
References: <154821326562.13271.17282561556237229622.idtracker@ietfa.amsl.com> <4BD85B49-9F10-4724-B5C7-B4257D8A83CD@cisco.com> <8125411B-783D-4469-B60B-422FA4E447FF@cisco.com> <50DCB5B2-8045-4878-ACA2-A9BE1246DFF1@cisco.com> <C92CD6AF-CC03-4734-8CB4-2FACD071EBFC@cisco.com> <840D870A-36F9-4B32-918B-8F4A3D04EBDF@cisco.com> <7F9B5B96-D304-44B4-88D3-A598450477FF@nostrum.com> <2cee29b8-99ce-2053-6044-2c2e4c501557@mozilla.com> <1d13de82-402c-a22c-c6af-8f12af72a389@mozilla.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/W4V1kxXRvpOghN6jfxeQ7vErSa0>
Subject: Re: [mile] Ben Campbell's Discuss on draft-ietf-mile-xmpp-grid-09: (with DISCUSS and COMMENT)
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 13:54:40 -0000

Looks good, thanks!

I have cleared.

Ben.

> On Mar 25, 2019, at 2:52 PM, Peter Saint-Andre <stpeter@mozilla.com>; wrote:
> 
> On 3/24/19 3:14 PM, Peter Saint-Andre wrote:
>> On 3/24/19 1:32 PM, Ben Campbell wrote:
>>> Hi, apologies for not getting back to this sooner. I’m trying to close
>>> or clarify my DISCUSS points prior to stepping down from the IESG this
>>> week. Please see inline:
>>> 
>>> Thanks!
>>> 
>>> Ben.
>>> 
>>>> On Mar 4, 2019, at 6:49 PM, Nancy Cam-Winget (ncamwing)
>>>> <ncamwing@cisco.com <mailto:ncamwing@cisco.com>> wrote:
>>>> 
>>>> Hi Ben,
>>>>     Thanks for the careful review and comments, please see answers below:
>>>> 
>>>>     On 1/22/19, 19:14, "Ben Campbell" <ben@nostrum.com
>>>> <mailto:ben@nostrum.com>> wrote:
>>>> 
>>>> 
> 
> <snip/>
> 
>>>>         2) The security considerations suggest that the use of TLS
>>>> mitigates  all of
>>>>         the "network attacks". However, the potential or eavesdropping
>>>> or data
>>>>         modification are only mentioned in terms of such "network
>>>> attacks". It is also
>>>>         possible for the controller (aka XMPP server) to do those
>>>> things unless some
>>>>         sort of e2e protection is used. This is not discussed in the
>>>> sections about how
>>>>         the controller is trusted, nor is it discussed in the
>>>> countermeasures sections.
>>>>         There is a mention of e2e protection in the privacy
>>>> considerations, but I think
>>>>         that really needs treatment under the security considerations.
>>>>     [NCW] Section 8.2.3 does try to delineate the controller attacks,
>>>> but we can add the
>>>>     Notion of eavesdropping and modification attacks there as well.
>>>> As to the considerations,
>>>>     We can add in 8.3.3 a sentence to the effect of using e2e
>>>> protection to address this attack.
>>> 
>>> Unless you expect to really have e2e protection, it’s more important to
>>> discuss the effects of not having it.
>> 
>> True. I'll draft text about that (probably later today).
> 
> I propose adding a new subsection under "Countermeasures":
> 
> 8.3.6.  End-to-End Encryption of Messages
> 
>   Because it is expected that there will be a relatively large number
>   of Consumers for every Topic, for purposes of content discovery and
>   scaling this document specifies a "one-to-many" communications
>   pattern using the XMPP Publish-Subscribe extension.  Unfortunately,
>   there is no standardized technology for end-to-end encryption of one-
>   to-many messages in XMPP.  This implies that messages can be subject
>   to eavesdropping, data injection, and data modification attacks
>   within a Broker or Controller.  If it is necessary to mitigate
>   against such attacks, implementers would need to select a messaging
>   pattern other than [XEP-0060], most likely the basic "instant
>   messaging" pattern specified in [RFC6121] with a suitable XMPP
>   extension for end-to-end encryption (such as [RFC3923] or a more
>   modern method such as [XEP-0384]).  The description of such an
>   approach is out of scope for this document.
> 
> Peter