IETF Logo Mail Archive

Re: [paws] Kathleen Moriarty's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS)

Vincent Chen <vchen@google.com> Thu, 21 August 2014 08:15 UTC

Return-Path: <vchen@google.com>
X-Original-To: paws@ietfa.amsl.com
Delivered-To: paws@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97BBA1A0720 for <paws@ietfa.amsl.com>; Thu, 21 Aug 2014 01:15:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yglCmDVFBrwP for <paws@ietfa.amsl.com>; Thu, 21 Aug 2014 01:15:56 -0700 (PDT)
Received: from mail-vc0-x233.google.com (mail-vc0-x233.google.com [IPv6:2607:f8b0:400c:c03::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D18951A0716 for <paws@ietf.org>; Thu, 21 Aug 2014 01:15:55 -0700 (PDT)
Received: by mail-vc0-f179.google.com with SMTP id hq11so10194971vcb.24 for <paws@ietf.org>; Thu, 21 Aug 2014 01:15:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=XHnsqSnbPqz7kzeWeZSC10kMoJ7RMFp0DPerXYFA+8c=; b=FeU0nR0siTFYuhZyinxdlFGqzFfO/Pm2kFAZwHoJDbp0PmS6EJy4G2oMi/oA4rsT2o JAgt3DJ2no63NKxr02CkXUKVrMHwFBEHv5BU8HrqD+/9BPpr5RFwzGKosi3/QOvOpVrm ojCxP/PiSLtyy6ncXoe8Ra2MxemfdE5h0y9s59PFNNxNVJxCMhdGq6FmRQ8wiDBR7H5s UvgkU+30ad7XzMMHF2ama06l6jS5eIMCJjGe/uc44GV30szEgsrU9Ja7NBBGsqhORLCq Da5h+OU3vijKTlBJGE92VgwMF5rWoF+qqQ55C+Ll75Qf/GphZUdtaOdCq2mT+3ZxUAq6 fDOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=XHnsqSnbPqz7kzeWeZSC10kMoJ7RMFp0DPerXYFA+8c=; b=P6pjScXXJiZspYdh2jAMCVbHqXOkiKysoMKwulIVaYooXxSe16LQu2dZQ52DHqhfvd wW+75vyhftQoTfsMCNkOONI+HwfQpRt0IDq7W2hWHU5wo4M5+L3dc0uo41Qi9bXiCae1 JuGsLS/9etPNcwryyKAE39HtKU9X4FGCt47ChU0GZ1rg04rGNU88GPdzcFavmYyoCtDY YZ1/ZgWWt7LqW4iINTmoOJ3xr2mSmEpDmzgX05WwNZSCnB9buhOMRWuJGrhpgqaUkPow 4qO6YySHAnHc3VPmXc17Lx4g3XYnAgT38BP5JhLEaQy2/cyWfJlrhS45Le9MdZXHxZ9N OlWQ==
X-Gm-Message-State: ALoCoQlVe0uTZka39VUWW0nzipf7dEWKi9WqqzWenLWYGg8slE93XzFIv+GjVHZoQOiKEgYMtv13
MIME-Version: 1.0
X-Received: by 10.52.146.17 with SMTP id sy17mr11494357vdb.29.1408608954799; Thu, 21 Aug 2014 01:15:54 -0700 (PDT)
Received: by 10.52.177.226 with HTTP; Thu, 21 Aug 2014 01:15:54 -0700 (PDT)
In-Reply-To: <CAHbuEH4RsF4kkUd8qO+bsCbzs6xRB=TL6hg2GyGWKf8OvJjViw@mail.gmail.com>
References: <20140820203127.25270.64032.idtracker@ietfa.amsl.com> <53F50D2D.2010203@qti.qualcomm.com> <CAHbuEH4RsF4kkUd8qO+bsCbzs6xRB=TL6hg2GyGWKf8OvJjViw@mail.gmail.com>
Date: Thu, 21 Aug 2014 01:15:54 -0700
Message-ID: <CABEV9RP7Dzk46JsUQ15z8kMvTGNOUCUjWmzQkVGyQbnjpvkLRA@mail.gmail.com>
From: Vincent Chen <vchen@google.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="bcaec52d598760fded05011f5475"
Archived-At: http://mailarchive.ietf.org/arch/msg/paws/BBmdGjQy77fCf7mClp4u3L5IF6o
Cc: "paws@ietf.org" <paws@ietf.org>, "paws-chairs@tools.ietf.org" <paws-chairs@tools.ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, The IESG <iesg@ietf.org>, draft-ietf-paws-protocol@tools.ietf.org
Subject: Re: [paws] Kathleen Moriarty's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS)
X-BeenThere: paws@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Protocol to Access White Space database \(PAWS\)" <paws.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/paws>, <mailto:paws-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/paws/>
List-Post: <mailto:paws@ietf.org>
List-Help: <mailto:paws-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/paws>, <mailto:paws-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Aug 2014 08:15:58 -0000

Thanks to Pete for responding.

Additional comments inline.


On Wed, Aug 20, 2014 at 3:09 PM, Kathleen Moriarty <
kathleen.moriarty.ietf@gmail.com> wrote:

>
>
>
> On Wed, Aug 20, 2014 at 5:03 PM, Pete Resnick <presnick@qti.qualcomm.com>
> wrote:
>
>> On 8/20/14 3:31 PM, Kathleen Moriarty wrote:
>>
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> [...]
>>>
>>> Can clients query any database entries or is the interface restricted to
>>> the list of supported interactions?   I assume the answer is that it is
>>> limited to the set of database interactions defined, but could not find
>>> any statement saying that in this draft or the prior requirements in
>>> RFC6953.
>>>
>>>
>>
>> I'm not sure exactly what you mean here. Are you asking whether the
>> client or server ask for/send back more than the minimum data? Sure, that's
>> what the "*other" business is about. Or are you asking whether additional
>> queries/responses can be defined? I suppose they could. But I'm not sure
>> what you're asking, or what the concern is. Can you elaborate?
>
>
> There wasn't an explicit statement that you need to define new
> query/responses through extensions, so that coupled with the possibility of
> unauthenticated sessions had me worrying that more data could be exposed
> then intended.  A statement in the security considerations section (maybe)
> after the MAY for authentication that helps state the limitation of the
> interface to this and approved extensions would help.  The risk would be
> additional query/responses that let you get at more data than was intended
> (some of the privacy related information or fingerprinting possibilities
> would be the concern.
>

The security considerations section started by saying that the Database
provides
available spectrum information, which is public information. Nothing else
can be retrieved
from the Database.

Does Pete's point about the DeviceDescriptor being an echo of the request
also resolve this
concern?


>
> Earlier in the draft it sounds as if authentication is required until you
> get to that statement towards the end of the security considerations
> section.
>

NOTE: Since the Database returns the same available-spectrum answer for the
same combination of (device type, location), regardless of what requests
came before or after, authentication of the client seems to add little
benefit. I.e., spoofing by rogue devices does not impact the answer given
to well-behaved devices.



>
>>
>>  Authentication is only a MAY in the Security Considerations Section,
>>> which raises another possible concern for me.
>>>
>>> Since clients can get back pretty much all of the defined datatypes
>>> (DeviceDescriptor is one example)
>>>
>>
>> The client only gets back the DeviceDescriptor that it sent to the server
>> in the request so that the client can match the response to the query.
>>
>> Sorry, I missed that very important point in the query/response
> description somehow.
>
>
>>
>>  and authentication is not required,
>>> there should be a discussion on the risks of revealing this information
>>> for both the privacy reasons Stephen and Alissa outlined as well as
>>> possible security concerns.  I think this should be on a field basis in
>>> terms of sensitive elements where relevant.
>>>
>>>
>>
>> The rest of the responses are the publicly available spectrum
>> information. I'm not seeing sensitive data there.
>>
>> Yep, for the current queries, I missed that you were only getting the
> response that included the DeviceDescriptor information you sent.  Sorry
> about that!
>
>>
>>  I could see how you might want/need the types of information gathered
>>> within an administrative domain or accessed by a restricted set of users,
>>> but revealing data like what is contained in deviceDescriptor (includes
>>> model) as well as sensitive fields in other classes
>>> (AntennaCharacteristics) seems like a risk as it could be used in
>>> targeted attacks if there are known vulnerabilities to those devices.
>>> The attacks could target specific regions at specific times to effect
>>> events or to be used as part of some larger attack (could include
>>> physical).  This may sound crazy, but layered attacks are very real.
>>>
>>>
>>
>> This seems like it would be a problem for sniffing unencrypted data
>> *from* another client, but I'm not getting how this sort of attack works by
>> a client owned by the attacker querying the database.
>>
> This is just the kind of thing you might be able to do with the full set
> of info.  I think just responding on the first item would be good enough as
> I missed an important point.
>
>>
>> Before I get back to the rest of your query, help me understand this far.
>
>
> Thank you!
>
>>
>>
>> pr
>>
>> --
>> Pete Resnick<http://www.qualcomm.com/~presnick/>
>> Qualcomm Technologies, Inc. - +1 (858)651-4478
>>
>>
>
>
> --
>
> Best regards,
> Kathleen
>



-- 
-vince

v2.46.0 | Report a Bug | By Email | System Status