Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)

Adam Roach <> Tue, 23 May 2017 16:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0113D1201F8; Tue, 23 May 2017 09:53:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SVdmUqpbfCTL; Tue, 23 May 2017 09:53:26 -0700 (PDT)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DF71C1200C5; Tue, 23 May 2017 09:53:25 -0700 (PDT)
Received: from Orochi.local ( []) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id v4NGrDpH016662 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 23 May 2017 11:53:14 -0500 (CDT) (envelope-from
X-Authentication-Warning: Host [] claimed to be Orochi.local
To: Alexey Melnikov <>, William Denniss <>
Cc:, Hannes Tschofenig <>,, The IESG <>,
References: <> <> <> <>
From: Adam Roach <>
Message-ID: <>
Date: Tue, 23 May 2017 11:53:08 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------0D53017DEE4387F52677BBB4"
Content-Language: en-US
Archived-At: <>
Subject: Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 23 May 2017 16:53:27 -0000

On 5/23/17 05:09, Alexey Melnikov wrote:
> On Tue, May 23, 2017, at 10:24 AM, Alexey Melnikov wrote:
>> Hi William,
>> On 22 May 2017, at 23:14, William Denniss < 
>> <>> wrote:
>>>     Section 8.1 makes the statement that "Loopback IP based redirect
>>>     URIs may
>>>     be susceptible to interception by other apps listening on the same
>>>     loopback interface." That's not how TCP listener sockets work:
>>>     for any
>>>     given IP address, they guarantee single-process access to a port
>>>     at any
>>>     one time. (Exceptions would include processes with root access,
>>>     but an
>>>     attacking process with that level of access is going to be
>>>     impossible to
>>>     defend against). While mostly harmless, the statement appears to
>>>     be false
>>>     on its face, and should be removed or clarified.
>>> Will be removed in the next update. Thank you.
>> Actually, I disagree with Adam on this, because what he says is OS 
>> specific. So I think the text is valuable and should stay.
> In particular, I think SO_REUSEADDR socket option is widely 
> implemented, both on Windows and Linux.

Okay, after doing a lot of digging, this appears to be much more 
complicated than it should be [1]. Linux (as of 3.9) does allow multiple 
_listeners_ on a single IP/Address pair (and does load balancing among 
them o_O), but only if they're both using SO_REUSEADDR ("don't do that 
then" would be good advice). Windows allows the kind of hijacking 
described in the document unless SO_EXCLUSIVEADDRUSE is set (and it 
might be good advice in this document to suggest setting it).

So I'm okay with the paragraph staying in, although I would like to see 
it qualified with "on some operating systems", and would like to see a 
note (probably in section B.3) recommending the use of 
SO_EXCLUSIVEADDRUSE on listening sockets.



[1] The most comprehensive explanation of facts on the ground that I 
could find is