IETF Logo Mail Archive

Re: [paws] Kathleen Moriarty's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS)

Vincent Chen <vchen@google.com> Thu, 21 August 2014 17:26 UTC

Return-Path: <vchen@google.com>
X-Original-To: paws@ietfa.amsl.com
Delivered-To: paws@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 663761A06DD for <paws@ietfa.amsl.com>; Thu, 21 Aug 2014 10:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IStelBvFL4Gb for <paws@ietfa.amsl.com>; Thu, 21 Aug 2014 10:26:00 -0700 (PDT)
Received: from mail-vc0-x22e.google.com (mail-vc0-x22e.google.com [IPv6:2607:f8b0:400c:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C77A21A06D0 for <paws@ietf.org>; Thu, 21 Aug 2014 10:25:59 -0700 (PDT)
Received: by mail-vc0-f174.google.com with SMTP id la4so11095826vcb.19 for <paws@ietf.org>; Thu, 21 Aug 2014 10:25:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=knnoP0PjaRDVO/SfAlaUt3qSBXRqVH1Me2ia+lFXVU4=; b=l3zgzgWAdbBBCxK6trzvVU4nwc3Qspog8vmGL2FuX04LAcjOPq/VdzyJnWL75pBfyX dUqP8mkkKyv+d9PIAlCQ2UpjwFiXPgP5Z+rD3BugwUoQ+i3B+xpuM4fLMae80+9GXmn0 eo1vEjQENCBRxdaLStynMvFfIb1/fbfil5wuUc8BCbVm4srTnHjolGOKGh58O64wu7bk lQ5Mc+uVHxEIKQ+3T79r8ZdmxF3SBMlvGD9SY/ziBAQqWEY8iuW++bUvUcddaXwncC10 PGFiPN9haJbfwZKPYShsJiRUbj2mddb0gwpivQz+x3kIEswPH6rl4XLpGuQLvMS6hH3D 0rxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=knnoP0PjaRDVO/SfAlaUt3qSBXRqVH1Me2ia+lFXVU4=; b=BuCA7AysJumeU44IJUVo17d1BEmi0herbe9vOUcr2wZTJ9l69OXuD+FAzqzMNi2GtC 6cl7V6m05B9hrRBeId2NHvKZfYmVxxryP3uyYIk9T4Tq7cEej/x45is+6HkMM7SqGo3l 0RnOfinJxmHnv/epw2qXZhx/oteH5qu3ONXGuGqf/Y1yJqVUsWzNdOkV3Cu8UplB7Gin skodRdyTlleGQM/6F33aLNRRtVSAsjWwOz9//N/T8a7JDChCVSE1cXF5uY4cgX221I50 2txwJohfwZUSCQVNNP31BIP7droXUkWnJ/I3iTh0G49urc1Bhj+9EpzW0+GWksf6HwBw Z5ww==
X-Gm-Message-State: ALoCoQnHI0vGVMzgKhhWGC7kx1J/3x3Vkqk6KCCj6D+gLluGjM4JIgNoPyqQ5BneAcARYr2gdjGF
MIME-Version: 1.0
X-Received: by 10.221.64.142 with SMTP id xi14mr23375948vcb.31.1408641958966; Thu, 21 Aug 2014 10:25:58 -0700 (PDT)
Received: by 10.52.177.226 with HTTP; Thu, 21 Aug 2014 10:25:58 -0700 (PDT)
In-Reply-To: <CAHbuEH7Ms5QuMwgFXy9OuXTcgvGR-9AyDJMnX-T7qEHema84-Q@mail.gmail.com>
References: <20140820203127.25270.64032.idtracker@ietfa.amsl.com> <53F50D2D.2010203@qti.qualcomm.com> <CAHbuEH4RsF4kkUd8qO+bsCbzs6xRB=TL6hg2GyGWKf8OvJjViw@mail.gmail.com> <CABEV9RP7Dzk46JsUQ15z8kMvTGNOUCUjWmzQkVGyQbnjpvkLRA@mail.gmail.com> <CAHbuEH4+=tUQNRmURd3r047UYhSe=LPyJVZUEq4X+uYDMOaWrw@mail.gmail.com> <CAHbuEH7Ms5QuMwgFXy9OuXTcgvGR-9AyDJMnX-T7qEHema84-Q@mail.gmail.com>
Date: Thu, 21 Aug 2014 10:25:58 -0700
Message-ID: <CABEV9RPHCq14oF9CYdVmn0NHaqfQf1mton0WE9-Hn1zMCHyfqw@mail.gmail.com>
From: Vincent Chen <vchen@google.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="001a113312a6949be905012703a1"
Archived-At: http://mailarchive.ietf.org/arch/msg/paws/nEkkFJF_qaXY8gVgirI6qiwqQno
Cc: "paws@ietf.org" <paws@ietf.org>, "paws-chairs@tools.ietf.org" <paws-chairs@tools.ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, The IESG <iesg@ietf.org>, draft-ietf-paws-protocol@tools.ietf.org
Subject: Re: [paws] Kathleen Moriarty's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS)
X-BeenThere: paws@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Protocol to Access White Space database \(PAWS\)" <paws.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/paws>, <mailto:paws-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/paws/>
List-Post: <mailto:paws@ietf.org>
List-Help: <mailto:paws-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/paws>, <mailto:paws-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Aug 2014 17:26:03 -0000

Kathleen,

Apologies for my poorly worded response. The first paragraph of Section 10
states:

   PAWS is a protocol whereby a Master Device requests a schedule of
   available spectrum at its location (or location of its Slave Devices)
   before it (they) can operate using those frequencies.


The fact that it's "public information" is parenthetical in my response.

Section 8 discusses extensibility. Should there just be a statement in
there that no extensions
should be made to return sensitive information about devices? That it
should be focused
on just returning available-spectrum information?

Would that be sufficient?

Thanks.



On Thu, Aug 21, 2014 at 8:13 AM, Kathleen Moriarty <
kathleen.moriarty.ietf@gmail.com> wrote:

> Chatted a bit with Pete and he sees the point we are down to now.  To be
> clear, I think we are down to a comment and would just like to finish up
> the discussion and then I'll update the tracker since we are close here.
>
>
> On Thu, Aug 21, 2014 at 8:05 AM, Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
>>
>>
>>
>> On Thu, Aug 21, 2014 at 4:15 AM, Vincent Chen <vchen@google.com> wrote:
>>
>>> Thanks to Pete for responding.
>>>
>>> Additional comments inline.
>>>
>>>
>>> On Wed, Aug 20, 2014 at 3:09 PM, Kathleen Moriarty <
>>> kathleen.moriarty.ietf@gmail.com> wrote:
>>>
>>>>
>>>>
>>>>
>>>> On Wed, Aug 20, 2014 at 5:03 PM, Pete Resnick <
>>>> presnick@qti.qualcomm.com> wrote:
>>>>
>>>>> On 8/20/14 3:31 PM, Kathleen Moriarty wrote:
>>>>>
>>>>>> ------------------------------------------------------------
>>>>>> ----------
>>>>>> DISCUSS:
>>>>>> ------------------------------------------------------------
>>>>>> ----------
>>>>>> [...]
>>>>>>
>>>>>> Can clients query any database entries or is the interface restricted
>>>>>> to
>>>>>> the list of supported interactions?   I assume the answer is that it
>>>>>> is
>>>>>> limited to the set of database interactions defined, but could not
>>>>>> find
>>>>>> any statement saying that in this draft or the prior requirements in
>>>>>> RFC6953.
>>>>>>
>>>>>>
>>>>>
>>>>> I'm not sure exactly what you mean here. Are you asking whether the
>>>>> client or server ask for/send back more than the minimum data? Sure, that's
>>>>> what the "*other" business is about. Or are you asking whether additional
>>>>> queries/responses can be defined? I suppose they could. But I'm not sure
>>>>> what you're asking, or what the concern is. Can you elaborate?
>>>>
>>>>
>>>> There wasn't an explicit statement that you need to define new
>>>> query/responses through extensions, so that coupled with the possibility of
>>>> unauthenticated sessions had me worrying that more data could be exposed
>>>> then intended.  A statement in the security considerations section (maybe)
>>>> after the MAY for authentication that helps state the limitation of the
>>>> interface to this and approved extensions would help.  The risk would be
>>>> additional query/responses that let you get at more data than was intended
>>>> (some of the privacy related information or fingerprinting possibilities
>>>> would be the concern.
>>>>
>>>
>>> The security considerations section started by saying that the Database
>>> provides
>>> available spectrum information, which is public information. Nothing
>>> else can be retrieved
>>> from the Database.
>>>
>>
> I don't see this text, can you point it out?  I may be missing it, but
> would have expected it as one of the listed protection steps in section 10
> or maybe as part of 10.1.
>
> I really think what I am looking for should have been in the requirements
> document for the protocol and any extensions.  With an assumption that only
> public information will be provided over the unauthenticated sessions,
> limiting the scope of access to public information access through the
> defined interface (which you are doing) would be good to close out with a
> statement to that requirement.
>
> Since I think this does really belong in the prior document, but could go
> here, I will consider this at the comment level and would appreciate it if
> you could point out where I might be missing text that only public
> information is available through the defined interface.
>
> Thank you!
>
>
>>> Does Pete's point about the DeviceDescriptor being an echo of the
>>> request also resolve this
>>> concern?
>>>
>>>
>>>>
>>>> Earlier in the draft it sounds as if authentication is required until
>>>> you get to that statement towards the end of the security considerations
>>>> section.
>>>>
>>>
>>> NOTE: Since the Database returns the same available-spectrum answer for
>>> the same combination of (device type, location), regardless of what
>>> requests came before or after, authentication of the client seems to add
>>> little benefit. I.e., spoofing by rogue devices does not impact the answer
>>> given to well-behaved devices.
>>>
>>
>> Yes, Pete's point on DeviceDescriptor did help with some of my concerns
>> and sorry that I somehow missed it on my first read of the draft.   I'm not
>> asking for authentication to be required, so maybe that was misunderstood.
>>  I didn't see anywhere a statement that extensions to this interface have
>> to be defined and should consider this premise information (authentication
>> is not required and the larger database does contain information that could
>> be used for profiling the overall system or fingerprinting devices.
>>  Although, watching the other discusses, some of the requirements on fields
>> are changing a bit and maybe the concerns are lowering as a result, but
>> we'll have to see where that winds up.  I understand that the current
>> interface limits what can be retrieved.  In some other protocols, I've seen
>> an informational statement to ensure those writing extensions are cognizant
>> of the reasons for the limitations imposed.  It looks like you have done a
>> pretty good job on it and I was hoping to see a statement on the
>> limitations for the purpose of possible extensions in the future following
>> the patterns.  I don't think I saw them spelled out in the requirements RFC.
>>
>> Thanks,
>> Kathleen
>>
>>>
>>>
>>>
>>>>
>>>>>
>>>>>  Authentication is only a MAY in the Security Considerations Section,
>>>>>> which raises another possible concern for me.
>>>>>>
>>>>>> Since clients can get back pretty much all of the defined datatypes
>>>>>> (DeviceDescriptor is one example)
>>>>>>
>>>>>
>>>>> The client only gets back the DeviceDescriptor that it sent to the
>>>>> server in the request so that the client can match the response to the
>>>>> query.
>>>>>
>>>>> Sorry, I missed that very important point in the query/response
>>>> description somehow.
>>>>
>>>>
>>>>>
>>>>>  and authentication is not required,
>>>>>> there should be a discussion on the risks of revealing this
>>>>>> information
>>>>>> for both the privacy reasons Stephen and Alissa outlined as well as
>>>>>> possible security concerns.  I think this should be on a field basis
>>>>>> in
>>>>>> terms of sensitive elements where relevant.
>>>>>>
>>>>>>
>>>>>
>>>>> The rest of the responses are the publicly available spectrum
>>>>> information. I'm not seeing sensitive data there.
>>>>>
>>>>> Yep, for the current queries, I missed that you were only getting the
>>>> response that included the DeviceDescriptor information you sent.  Sorry
>>>> about that!
>>>>
>>>>>
>>>>>  I could see how you might want/need the types of information gathered
>>>>>> within an administrative domain or accessed by a restricted set of
>>>>>> users,
>>>>>> but revealing data like what is contained in deviceDescriptor
>>>>>> (includes
>>>>>> model) as well as sensitive fields in other classes
>>>>>> (AntennaCharacteristics) seems like a risk as it could be used in
>>>>>> targeted attacks if there are known vulnerabilities to those devices.
>>>>>> The attacks could target specific regions at specific times to effect
>>>>>> events or to be used as part of some larger attack (could include
>>>>>> physical).  This may sound crazy, but layered attacks are very real.
>>>>>>
>>>>>>
>>>>>
>>>>> This seems like it would be a problem for sniffing unencrypted data
>>>>> *from* another client, but I'm not getting how this sort of attack works by
>>>>> a client owned by the attacker querying the database.
>>>>>
>>>>  This is just the kind of thing you might be able to do with the full
>>>> set of info.  I think just responding on the first item would be good
>>>> enough as I missed an important point.
>>>>
>>>>>
>>>>> Before I get back to the rest of your query, help me understand this
>>>>> far.
>>>>
>>>>
>>>> Thank you!
>>>>
>>>>>
>>>>>
>>>>> pr
>>>>>
>>>>> --
>>>>> Pete Resnick<http://www.qualcomm.com/~presnick/>
>>>>> Qualcomm Technologies, Inc. - +1 (858)651-4478
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Best regards,
>>>> Kathleen
>>>>
>>>
>>>
>>>
>>> --
>>> -vince
>>>
>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>
>
>
> --
>
> Best regards,
> Kathleen
>



-- 
-vince

v2.23.0 | Report a Bug | By Email