[OPSEC] Roman Danyliw's Discuss on draft-ietf-opsec-probe-attribution-07: (with DISCUSS and COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 04 July 2023 13:12 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: opsec@ietf.org
Delivered-To: opsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D9DD8C1519AA; Tue, 4 Jul 2023 06:12:49 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsec-probe-attribution@ietf.org, opsec-chairs@ietf.org, opsec@ietf.org, furry13@gmail.com, furry13@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 11.3.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <168847636988.23180.16211496796614010068@ietfa.amsl.com>
Date: Tue, 04 Jul 2023 06:12:49 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/biS4iuCNaeS0z4CDNfQUBBeEw1M>
Subject: [OPSEC] Roman Danyliw's Discuss on draft-ietf-opsec-probe-attribution-07: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.39
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2023 13:12:49 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-opsec-probe-attribution-07: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsec-probe-attribution/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- It isn’t clear how the safest practice is not to always ignore this attribution information? ** The text notes in numerous places that this is only intended for “researchers with good intentions” (Section 1 and 7) but it isn’t clear how this intention translates into the workflow of the probe recipient (i.e., how does a recipient know it came from someone with good intentions?). Specifically: -- Per the out-of-band attribution (Section 3), the suggested workflow is directing a network defender to visit an arbitrary location of the attackers choosing (i.e., by spoofing the probe source address) or by redirecting the defender to an infrastructure controlled by the attacker. This seems risky as this location could be serving malware or the connection itself could be facilitating a DDOS reflector-style attack. -- Per the in-path attribution (Section 4), there are no integrity guarantees so any on-path attacker could also modify legitimate attribution information to information of their choosing. See out-of-band attribution. ** Section 7. If a recipient cannot confirm the information or does not wish to do so, it should treat the flows as if there were no probe attribution. What does confirmation mean in this case? How is that realized? Per the URI-based attribution, there is no strong binding between the sender and the information. As the Section 7 text notes, nothing prevents false attribution (i.e., attributing the traffic to someone else to cover my own behavior) or a false flag (e.g., attributing the traffic to someone else so as to blame them)? Additionally, nothing prevents an attacker from staffing a response to an email or telephone provided in the URI. If the network defender makes contact via provided mechanisms, why should there be any confidence in that communication? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Tiru Reddy for the SECDIR review. ** Section 3. What is the procedure for handling multiple reverse DNS records being returned? ** Section 3 * else (or in addition), the Probe Description URI is "https://[2001:db8:dead::1]/.well-known/probing.txt". If there is no certificate associated to this address (e.g., via [RFC8738]), then there will be a certificate verification issue. -- RF8738 is cited as an example. Can its relationship to the described workflow be explained -- What is the implication of there being a certificate verification issue? Does the information get discarded? ** Section 4. * For a UDP datagram [RFC768], include it in the data payload if its content has no structure; * For a TCP segment [RFC9293], include it in the data payload if its content has no structure; What does “… has no structure mean”? ** Section 4. * For an IPv6 packet [RFC8200], include it in a PadN option either inside a Hop-by-Hop or Destination Options header. Doesn’t Section 3.5.1.1 of RFC9288 guide transit routers to drop hop-by-hop traffic?
- [OPSEC] Roman Danyliw's Discuss on draft-ietf-ops… Roman Danyliw via Datatracker
- Re: [OPSEC] Roman Danyliw's Discuss on draft-ietf… Eric Vyncke (evyncke)
- Re: [OPSEC] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw