IETF Logo Mail Archive

Re: [pcp] Posted auth req slide that was edited during meeting

Alper Yegin <alper.yegin@yegin.org> Fri, 15 March 2013 03:18 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEDFC11E8188 for <pcp@ietfa.amsl.com>; Thu, 14 Mar 2013 20:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.998
X-Spam-Level:
X-Spam-Status: No, score=-101.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_66=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bzd+xaePqrfI for <pcp@ietfa.amsl.com>; Thu, 14 Mar 2013 20:18:57 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id DA8F011E8158 for <pcp@ietf.org>; Thu, 14 Mar 2013 20:18:56 -0700 (PDT)
Received: from [10.119.24.4] (94-23-174-41.ovh.net [94.23.174.41]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0LpbaA-1UuKsg48VK-00fWa3; Thu, 14 Mar 2013 23:18:55 -0400
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: multipart/alternative; boundary="Apple-Mail=_9A874992-EB97-42E9-90A2-76CE869EE96F"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <341064315C6D0D498193B256F238CF9747C9C9@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com>
Date: Fri, 15 Mar 2013 05:18:44 +0200
Message-Id: <5EF8B214-6563-47C7-9D48-621D9D5E1B29@yegin.org>
References: <341064315C6D0D498193B256F238CF9747C9C9@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com>
To: Dave Thaler <dthaler@microsoft.com>
X-Mailer: Apple Mail (2.1283)
X-Provags-ID: V02:K0:RGdVOgKOC/NWyEwupp1V82rvntXnfsagWB6fytvlw9t h913rgq00L5YcnpWnDx5pRn1Ak0Bkehiu9tsbe+OwfLnWzg9mB Byti5AuYsEjDRVNU8ivG9k4xuVX96QqHCS55oXDzHDd1b+s7Ws 1DcCiQtUKRRspoSR+hVIjFWZe5zLRQTBlC7WEBDOMOdCq9ROg7 v8U0IvzJ0uV3P/KyAqzLO6ltvf0FXxLbwhhVYhoB/OsqK2/XDG +AUi4YTihPVUekB9Nl9FhpUTFR2UKBeuqdcWzihJJEliI7DsDV gnEEBlkGPAI28q8PD3Seuwha96dsH1bX+WufNmYAJFv/ytzieA B8+tzqb6KDfVUjH8Q5csCWPdp+4z6L40fSuyBhojn
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] Posted auth req slide that was edited during meeting
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 03:18:57 -0000

On Mar 14, 2013, at 9:19 PM, Dave Thaler wrote:

> I just uploaded the slide started editing during the meeting into the proceedings:
> http://www.ietf.org/proceedings/86/slides/slides-86-pcp-18.pdf
>  
> During the meeting the chairs heard rough consensus to use option 4 as the
> basis on which to start the discussion on the list.   Feel free to point out problems
> with it.

Yeah, let me do that.

Option 4 is based on using "expired" security associations as if they did not expire.

This is obviously a bad idea. There's a reason why they are expired. Using them beyond expiration is plain nullifying the protection aimed by setting finite lifetimes on them. 
(If people are so convinced that using them beyond expiration is a fine idea, then maybe we should set their lifetime to infinity(!)

DoS vulnerability was given as  the justification for using expired SAs. The idea is that, the server would use the expired SA to integrity-protect the message and the client wouldn't  be duped into responding to spoofed messages. 
So, the client is getting DoS attacked by a server engaging it to perform a single authentication? No way.
You could be talking about a server getting DoS attacked when (what appears to be) 1000s of clients engaging it to perform authentication. That gives you DoS. And…. and you have no protection for that! When (what appears to be) fresh clients talk to the server, server&client have no expired/unexpired SAs to integrity protect the authentication messaging.

Once again, I am not aware of any protocols designed to use of expired SAs.
I asked for an example, and example given was human users OKing browser pop-ups when they encounter expired certificates.
People cluelessly OKing whatever the pop-up says is plain trouble. They OK it even when it says the certificate does not match the domain name. You see where this can lead to?
Market overly relaxing security solutions in order to achieve certain amount of practicality at the expense of "proper security" is a different ball game.
It is not something we shall fold back into our protocol design.

Alper






>  
> -Dave
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp

v2.23.0 | Report a Bug | By Email