Re: [mile] Secdir review: draft-ietf-mile-5070-bis-22

"Roman D. Danyliw" <rdd@cert.org> Mon, 20 June 2016 14:08 UTC

Return-Path: <rdd@cert.org>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C54A12D113; Mon, 20 Jun 2016 07:08:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QTk3ch-Aispl; Mon, 20 Jun 2016 07:08:18 -0700 (PDT)
Received: from plainfield.sei.cmu.edu (plainfield.sei.cmu.edu [192.58.107.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 802B512B04A; Mon, 20 Jun 2016 07:08:18 -0700 (PDT)
Received: from pawpaw.sei.cmu.edu (pawpaw.sei.cmu.edu [10.64.21.22]) by plainfield.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u5KE8HvB013703; Mon, 20 Jun 2016 10:08:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org; s=jthatj15xw2j; t=1466431697; bh=rZWzytZuhszCPfaApZzAxGPdqsGGlA/J73o2EgaKt3E=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version:Sender: Reply-To; b=BtZccMCi43TGc1QnbfLn06PaF07HLUcSMTnH1J+iBET819d8wwVvUwbP+lKvEi+2d xyKNlwnWM3SQm5v7ZmXHXS8gFVPaMxx0X2AJ+hikftpVLR7hKeE1SGCg22BHjVOsz9 qsi66Uh1IQgi9bEWnU+naDaN+RNBcKtFIqFKTL1I=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by pawpaw.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u5KE8DPd024194; Mon, 20 Jun 2016 10:08:13 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0279.002; Mon, 20 Jun 2016 10:08:12 -0400
From: "Roman D. Danyliw" <rdd@cert.org>
To: "Roman D. Danyliw" <rdd@cert.org>, Robert Sparks <rjsparks@nostrum.com>
Thread-Topic: Secdir review: draft-ietf-mile-5070-bis-22
Thread-Index: AQHRuqVpyhJwvFfMKk6M7OkSPkYlWZ/VizoAgBz3tpA=
Date: Mon, 20 Jun 2016 14:08:12 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFCD97667E5@marathon>
References: <15b7d5f0-63e9-15b9-b7d5-47a6be10c760@nostrum.com> <359EC4B99E040048A7131E0F4E113AFCD974F81A@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFCD974F81A@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/w_yn_srx7W8ALoBw8Kp3e26-9fA>
Cc: "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-rfc5070-bis.all@ietf.org" <draft-ietf-mile-rfc5070-bis.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [mile] Secdir review: draft-ietf-mile-5070-bis-22
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2016 14:08:20 -0000

Hello Robert!

> -----Original Message-----
> From: Roman D. Danyliw [mailto:rdd@cert.org]
> Sent: Thursday, June 02, 2016 1:03 AM
> To: Robert Sparks <rjsparks@nostrum.com>;
> Cc: secdir@ietf.org; iesg@ietf.org; draft-ietf-mile-rfc5070-bis.all@ietf.org;
> mile@ietf.org
> Subject: RE: Secdir review: draft-ietf-mile-5070-bis-22
> 
> Hello Robert!
> 
> Thanks again for this review.  Comments are inline ...
> 
> > -----Original Message-----
> > From: Robert Sparks [mailto:rjsparks@nostrum.com]
> > Sent: Monday, May 30, 2016 2:44 PM
> > To: secdir@ietf.org; iesg@ietf.org;
> > draft-ietf-mile-rfc5070-bis.all@ietf.org
> > Subject: Secdir review: draft-ietf-mile-5070-bis-22
> >
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the
> > IESG.  These comments were written primarily for the benefit of the
> > security area directors.  Document editors and WG chairs should treat
> > these comments just like any other last call comments.
> >
> > Document : draft-ietf-mile-rfc5070bis-22
> >
> > Summary: This document has minor issues that should be addressed
> > before publication as Proposed Standard
> >
> > This document defines a document format for exchanging information
> > between operational security teams. It points out standardized
> > mechanisms for transporting the documents (RFC6545 and RFC6546), to
> > provide confidentiality, integrity, and authenticity, but does not
> > restrict the use of the format to within those protocols.  Instead, it
> > provides a generic set of "Processing Considerations" in section 4,
> > which are augmented by the Security Considerations in section 9.
> >
> > There are some minor issues with this approach that should be
> > addressed before publication.

[snip]
 
> > 2) The document notes (in Section 9.1) that some fields in the
> > document format may contain executable content. It is not clear which
> > fields are being mentioned, or what _kind_ of executable content is
> > being carried. Explicitly calling out the fields that this document
> > defines at this point, and characterizing their content would help.
> > The precautions you might need to take against a regex are different
> > from those you would take against arbitrary bytecode the recipient might
> be asked to execute.
> 
> The areas of concern would be:
> 
> (1) any classes that can have "binary strings" per Section 2.5 since this would
> allow binary code to be embedded in the document.  The affected classes
> are those of type iodef:ExtensionType and RecordPattern;
> (2) the EmailMessage and EmailBody classes
> (3) the DetectionPattern class, as it could specify a machine readable
> configuration for a device or application
> (4) the URL class that could reference a location containing executable
> content
> (5) the AdditionalData class which contain pretty much anything
> 
> (1) - (4) are places in the data model where binary blobs or text scripts could
> be inserted by design.  With (5), this is a an extension on which there are no
> constraints.  Technically, executable content also be put into any of the
> classes but the parser is unlikely to read them as such.
> 
> Clarifying language referencing these classes can be added to the security
> considerations.

The updated text in -23 reads as follows:

9.1.  Security
[snip]
   Executable content of various forms could be embedded into the IODEF
   document directly or through an extension.  Implementation MUST
   handle this content with care to prevent unintentional automated
   execution.  The following classes are explicitly intended to
   represent content that might be executable:

   o  All classes of type iodef:ExtensionType and the RecordPattern
      class can represent arbitrary binary strings such as legitimate
      software programs or malware.

   o  The EmailMessage and EmailBody classes can represent email
      attachments that can contain arbitrary content.

   o  The DetectionPattern class could specify a machine-readable
      configuration that directs the execution of the corresponding
      tool.

> > 3) There are several fields that are characterized as "meaningful to
> > the sender and recipient". This implies that the document cannot be
> > interpreted outside some out-of-band prior arrangement defining the
> > context in which those fields are meaningful. The document should
> > explicitly mention the need for such prior arrangements in the
> > Security Consideration section, and note the danger of attempting to
> > interpret those fields if the ability to ensure the message falls
> > within that pre-arranged context is suspect. The existing text around
> > ensuring proper authentication of the sender and recipient is a start,
> > but is not sufficient. While considering the problems with
> > interpreting these fields in the wrong context, the document should
> > recognize the possibility that a given sender/recipient pair might
> > have _two different_ arrangements about what these fields mean,
> especially given the passage of sufficient time.
> 
> Agreed.  There needs to be language added to the security considerations to
> discuss profiling and out-of-band arrangements.  In scanning through the
> document, DefinedCOA, is one of those.  What are the other fields you
> caught?

The updated text in -23 reads as follows:

9.1.  Security
[snip]
   Certain classes may require out-of-band coordination to agree upon
   their semantics (e.g., Confidence@rating="low" or DefinedCOA).  This
   coordination MUST occur prior to operational data exchange to prevent
   the incorrect interpretation of these select data elements.  When
   parsing these data elements, implementations should validate, when
   possible, that they conform to the agreed upon semantics.  These
   semantics may need to be periodically reevaluated.

> > Nits:
> >
> > A) Section 2.11 calls out to RFC4519 to defined the syntax of
> > telephone numbers.  The document calls out to E.123, which provides
> > guidelines for representing phone numbers but does not define a
> > rigorous format useful for a protocol field.  If it's important to
> > exchange phone numbers in an interoperable way, consider pointing to
> something with more structure.
> > Do you
> > want the string to conform to E.164?  Would it be useful to have
> > something as structured as a tel: URI?

The updated text in -23 reads as follows:

2.11.  Telephone Number

   A telephone number is represented in the information model by the
   PHONE data type.  The format of the PHONE data type is documented in
   [E.164].

   [E.164]    ITU Telecommunication Standardization Sector, "The
              International Public Telecommunication Numbering Plan",
              ITU-T Recommendation E.164 (02/05), February 2005.

> > B) Section 4.1 says a character encoding MUST be explicitly specified,
> > but then immediately shows an example of a document with no character
> > encoding...
> 
> Good point.  That will be fixed.  Upon further review, the example with no
> encoding also doesn't make sense given the MUST above in the text saying it
> always needs to be specified.  The two examples in this section are from
> RFC5070 but they don't align with the text updated in this draft.

The updated text in -23 reads as follows:

4.1.  Encoding

   Every IODEF document MUST begin with an XML declaration and MUST
   specify the XML version used.  The character encoding MUST also be
   explicitly specified.  UTF-8 [RFC3629] SHOULD be used unless UTF-16
   [RFC2781] is necessary.  Encodings other than UTF-8 and UTF-16 SHOULD
   NOT be used.  The IODEF conforms to all XML data encoding conventions
   and constraints.

   The XML declaration with UTF-8 character encoding will read as
   follows:

   <?xml version="1.0" encoding="UTF-8" ?>

> > C) (micronit) The use of [RFC-ENUM] as a reference number is distracting.
> > Please change the reference tag to [RFC7495].

The updated text in -23 reads as follows:

   [RFC7495]  Montville, A. and D. Black, "IODEF Enumeration Reference
              Format", RFC 7495, January 2015.

Thanks again for your detailed review.

Roman