Re: [mile] Secdir review: draft-ietf-mile-5070-bis-22

"Roman D. Danyliw" <rdd@cert.org> Mon, 20 June 2016 14:24 UTC

Return-Path: <rdd@cert.org>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6F1912D0DD; Mon, 20 Jun 2016 07:24:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mL2E09oY3Os8; Mon, 20 Jun 2016 07:24:20 -0700 (PDT)
Received: from plainfield.sei.cmu.edu (plainfield.sei.cmu.edu [192.58.107.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCC35127058; Mon, 20 Jun 2016 07:24:19 -0700 (PDT)
Received: from timber.sei.cmu.edu (timber.sei.cmu.edu [10.64.21.23]) by plainfield.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u5KEOIvi014132; Mon, 20 Jun 2016 10:24:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org; s=jthatj15xw2j; t=1466432658; bh=2qbThVtKUK8d5Keh1X/VlEQedH7bMRQJAvlPfpQBTJ8=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version:Sender: Reply-To; b=k8x3TkmQNBpTCQKnS8sMcg6e6CrAlV51KjKCbl73/m1FRrt8CmUEkWd6n86DRiGAa G9Kfp0ZOqi1HiBmHPVsKDKCi7wLeyhwUbzjVWMBOF8WmdwVuTv9ltsVzxNbuZ9FoT/ wP85irIVQVfc4n0yUDdM2DXQw585jGrxTuhTp/m0=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by timber.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u5KEOHu2004688; Mon, 20 Jun 2016 10:24:17 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0279.002; Mon, 20 Jun 2016 10:24:16 -0400
From: "Roman D. Danyliw" <rdd@cert.org>
To: "kathleen.moriarty.ietf@gmail.com" <kathleen.moriarty.ietf@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>
Thread-Topic: [mile] Secdir review: draft-ietf-mile-5070-bis-22
Thread-Index: AQHRuqVpyhJwvFfMKk6M7OkSPkYlWZ/VizoAgACacYCAADhPgIAcKwUg
Date: Mon, 20 Jun 2016 14:24:16 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFCD9766828@marathon>
References: <15b7d5f0-63e9-15b9-b7d5-47a6be10c760@nostrum.com> <359EC4B99E040048A7131E0F4E113AFCD974F81A@marathon> <574FF391.6000806@isode.com> <BE4716FB-9630-4862-B688-704C3AD35178@gmail.com>
In-Reply-To: <BE4716FB-9630-4862-B688-704C3AD35178@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/uPHPtq_PvUvxKTP4jKA5x6_y2Jg>
Cc: "mile@ietf.org" <mile@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-mile-rfc5070-bis.all@ietf.org" <draft-ietf-mile-rfc5070-bis.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, Robert Sparks <rjsparks@nostrum.com>
Subject: Re: [mile] Secdir review: draft-ietf-mile-5070-bis-22
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2016 14:24:23 -0000

Hello!

> -----Original Message-----
> From: kathleen.moriarty.ietf@gmail.com
> [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Thursday, June 02, 2016 8:13 AM
> To: Alexey Melnikov <alexey.melnikov@isode.com>;
> Cc: Roman D. Danyliw <rdd@cert.org>;; Robert Sparks
> <rjsparks@nostrum.com>;; mile@ietf.org; draft-ietf-mile-rfc5070-
> bis.all@ietf.org; iesg@ietf.org; secdir@ietf.org
> Subject: Re: [mile] Secdir review: draft-ietf-mile-5070-bis-22
> 
> Hello,
> 
> Thanks Robert for the detailed and helpful review.  Inline
> 
> Sent from my iPhone
> 
> > On Jun 2, 2016, at 4:51 AM, Alexey Melnikov
> <alexey.melnikov@isode.com>; wrote:
> >
> > Hi Roman,
> >
> >> On 02/06/2016 06:03, Roman D. Danyliw wrote:
> >> Hello Robert!
> >>
> >> Thanks again for this review.  Comments are inline ...
> >>
> >>> -----Original Message-----
> >>> From: Robert Sparks [mailto:rjsparks@nostrum.com]
> >>> Sent: Monday, May 30, 2016 2:44 PM
> >>> To: secdir@ietf.org; iesg@ietf.org;
> >>> draft-ietf-mile-rfc5070-bis.all@ietf.org
> >>> Subject: Secdir review: draft-ietf-mile-5070-bis-22
> >>>
> >>> I have reviewed this document as part of the security directorate's
> >>> ongoing effort to review all IETF documents being processed by the
> >>> IESG.  These comments were written primarily for the benefit of the
> >>> security area directors.  Document editors and WG chairs should
> >>> treat these comments just like any other last call comments.
> >>>
> >>> Document : draft-ietf-mile-rfc5070bis-22
> >>>
> >>> Summary: This document has minor issues that should be addressed
> >>> before publication as Proposed Standard
> >>>
> >>> This document defines a document format for exchanging information
> >>> between operational security teams. It points out standardized
> >>> mechanisms for transporting the documents (RFC6545 and RFC6546), to
> >>> provide confidentiality, integrity, and authenticity, but does not
> >>> restrict the use of the format to within those protocols.  Instead,
> >>> it provides a generic set of "Processing Considerations" in section
> >>> 4, which are augmented by the Security Considerations in section 9.
> >>>
> >>> There are some minor issues with this approach that should be
> >>> addressed before publication.
> >>>
> >>> 1) The document requires that implementations validate documents
> >>> against the schema, and reject any documents that fail validation.
> >>> In particular, Section
> >>> 5.2 Item 4 requires rejecting documents with an unrecognized element
> >>> in a supported namespace as a syntax error. Section 4.3 requires
> >>> implementations to
> >>> ->dynamically generate the schema used for validation from IANA
> >>> registries<-.
> >>> Section 5.2 Item 5 calls out that this dynamic generation has
> >>> security and performance implications, but does not describe them,
> >>> and has a very vague "SHOULD NOT download schemas at runtime" to
> >>> guard against them.  I seem to recall significant discussion in
> >>> other contexts of the issues with generating schema from IANA
> >>> registries at runtime.  Perhaps the ADs can provide pointers to
> >>> material generated from those discussions that the group can reference.
> >>> Otherwise, the threats need to be described in more detail, and the
> >>> operational complexity of exercising these extension points
> >>> (particularly given the requirement to reject documents that do not
> >>> validate against the content of the
> >>> registries) needs to be spelled out.
> >> To this analysis, I'll also add Stephen Farrell's COMMENT
> (https://www.ietf.org/mail-archive/web/mile/current/msg01885.html)
> against using validation and the security issues when checking the IANA
> registry; and that Alexey Melnikov has marked this issue as a DISCUSS
> (https://datatracker.ietf.org/doc/draft-ietf-mile-rfc5070-bis/ballot/).
> >>
> >> To the WG:
> >>
> >> Consideration #1
> >> ==============
> >>
> >> ---[ begin Item #4 of Section 5.2 ]---
> >>    4.  Implementations that encounter an unrecognized element in a
> >>        supported namespace MUST reject the document as a syntax error.
> >> ---[ end Item #4 of Section 5.2 ]---
> >>
> >> ** Do we want to weaken the validation requirement in Item #4 of
> Section 5.2 from MUST to MAY?
> >>
> >> IMO, this is a straightforward change that will provide more flexibility for
> implementations to process even non-conforming documents.
> > I don't mind, but I can also live with SHOULD here.
> 
> Agreed, SHOULD is a bit stronger.
> 
> >>  One minor concern here is that this may now lead to non-standard
> extensions.
> >>

The text in -23 was updated as follows:

5.2.  Extending Classes
[snip]
   4.  Implementations that encounter an unrecognized element, attribute
       or attribute value in a supported namespace SHOULD reject the
       document as a syntax error.

> >> Consideration #2
> >> ==============
> >> Item #5 of Section 5.2 cautions against dynamically regenerating the
> schema from registry values at run-time; but also from downloading the base
> schema then too.
> >>
> >> ---[ begin Item #5 of Section 5.2 ]---
> >>    5.  There are security and performance implications in requiring
> >>        implementations to dynamically download schemas at run time.
> >>        Therefore, implementations SHOULD NOT download schemas at
> runtime
> >>        unless the appropriate precautions are taken.  Implementations
> >>        also need to contend with the potential of significant network
> >>        and processing issues.
> >> ---[ end Item #5 of Section 5.2 ]---
> >>
> >> ** Do we want to strengthen the caution of not downloading the schema
> in real-time in Item #5 of Section 5.2 from SHOULD NOT to MUST NOT?
> >>
> >> IMO, yes.
> > Yes.
> 
> Yes

The text in -23 was updated as follows:

   5.  There are security and performance implications in requiring
       implementations to dynamically download schemas at run time.
       Therefore, implementations MUST NOT download schemas at runtime
       unless the appropriate precautions are taken.  Implementations
       also need to contend with the potential of significant network
       and processing issues.

Roman