Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)

William Denniss <wdenniss@google.com> Sat, 03 June 2017 00:43 UTC

From: William Denniss <wdenniss@google.com>
Date: Fri, 2 Jun 2017 17:43:03 -0700
To: Adam Roach <adam@nostrum.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, draft-ietf-oauth-native-apps@ietf.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>, The IESG <iesg@ietf.org>, oauth-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eEZ71c-xta3lqdHNdqiSBwRH91E>

On Tue, May 23, 2017 at 9:53 AM, Adam Roach <adam@nostrum.com> wrote:

> On 5/23/17 05:09, Alexey Melnikov wrote:
>
> On Tue, May 23, 2017, at 10:24 AM, Alexey Melnikov wrote:
>
> Hi William,
>
> On 22 May 2017, at 23:14, William Denniss <wdenniss@google.com> wrote:
>
> Section 8.1 makes the statement that "Loopback IP based redirect URIs may
> be susceptible to interception by other apps listening on the same
> loopback interface." That's not how TCP listener sockets work: for any
> given IP address, they guarantee single-process access to a port at any
> one time. (Exceptions would include processes with root access, but an
> attacking process with that level of access is going to be impossible to
> defend against). While mostly harmless, the statement appears to be false
> on its face, and should be removed or clarified.
>
>
> Will be removed in the next update. Thank you.
>
>
> Actually, I disagree with Adam on this, because what he says is OS
> specific. So I think the text is valuable and should stay.
>
> In particular, I think SO_REUSEADDR socket option is widely implemented,
> both on Windows and Linux.
>
>
> Okay, after doing a lot of digging, this appears to be much more
> complicated than it should be [1]. Linux (as of 3.9) does allow multiple
> _listeners_ on a single IP/Address pair (and does load balancing among them
> o_O), but only if they're both using SO_REUSEADDR ("don't do that then"
> would be good advice). Windows allows the kind of hijacking described in
> the document unless SO_EXCLUSIVEADDRUSE is set (and it might be good advice
> in this document to suggest setting it).
>

Thank you Alexey and Adam for the discussion and research!

I've added notes to both the Windows and Linux implementation details
(staged for v12).


> So I'm okay with the paragraph staying in, although I would like to see it
> qualified with "on some operating systems", and would like to see a note
> (probably in section B.3) recommending the use of SO_EXCLUSIVEADDRUSE on
> listening sockets.
>

Added the qualifier "on some operating systems" for the next version.

> /a
>
>
> ____
>
> [1] The most comprehensive explanation of facts on the ground that I could
> find is https://stackoverflow.com/questions/14388706/socket-options-so-reuseaddr-and-so-reuseport-how-do-they-differ-do-they-mean-t
>
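
The listener hardening discussed in this thread, as an added example that is not part of the original message or of the draft: a loopback redirect listener that never enables address-reuse options and sets SO_EXCLUSIVEADDRUSE where the platform defines it, plus a self-check that a second bind to the same port is refused. The function names and the `/callback` path are assumptions made for illustration.

```python
import socket


def open_loopback_listener() -> socket.socket:
    """Listen on an ephemeral 127.0.0.1 port for the OAuth redirect, refusing port sharing."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # SO_EXCLUSIVEADDRUSE is only defined on Windows; it must be set before bind().
        excl = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)
        if excl is not None:
            s.setsockopt(socket.SOL_SOCKET, excl, 1)
        # Deliberately no SO_REUSEADDR / SO_REUSEPORT on this socket: port sharing
        # between listeners depends on those options being enabled.
        s.bind(("127.0.0.1", 0))  # port 0: the OS picks a free ephemeral port
        s.listen(1)
    except OSError:
        s.close()
        raise
    return s


def second_bind_refused(port: int) -> bool:
    """Self-check: a second socket asking for address reuse must not get the same port."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        for name in ("SO_REUSEADDR", "SO_REUSEPORT"):
            opt = getattr(socket, name, None)
            if opt is not None:
                try:
                    probe.setsockopt(socket.SOL_SOCKET, opt, 1)
                except OSError:
                    pass  # option defined but not supported on this platform
        probe.bind(("127.0.0.1", port))
        probe.listen(1)
        return False  # the port could be shared: listener is not exclusive
    except OSError:
        return True
    finally:
        probe.close()


def redirect_uri(listener: socket.socket) -> str:
    """Build the loopback redirect URI; '/callback' is a hypothetical path."""
    return "http://127.0.0.1:%d/callback" % listener.getsockname()[1]
```

Running `second_bind_refused()` right after opening the listener, and abandoning the authorization request if it returns False, gives the app a cheap runtime confirmation of the platform behaviour it is relying on.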