IETF Logo Mail Archive

Re: [rddp] Re: SecDir review assignment

Derek Atkins <derek@ihtfp.com> Fri, 21 April 2006 20:45 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FX2VV-0004vE-KR; Fri, 21 Apr 2006 16:45:37 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FWyS1-0005WM-8W for rddp@ietf.org; Fri, 21 Apr 2006 12:25:45 -0400
Received: from mail.ihtfp.org ([204.107.200.6]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FWyRy-0000h3-I7 for rddp@ietf.org; Fri, 21 Apr 2006 12:25:45 -0400
Received: from cliodev.pgp.com (unknown [63.251.255.85]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "cliodev.ihtfp.com", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail.ihtfp.org (Postfix) with ESMTP id 50CDABD8301; Fri, 21 Apr 2006 12:25:32 -0400 (EDT)
Received: (from warlord@localhost) by cliodev.pgp.com (8.13.1/8.13.1/Submit) id k3LGPB1E001454; Fri, 21 Apr 2006 12:25:11 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Black_David@emc.com
Subject: Re: [rddp] Re: SecDir review assignment
References: <F222151D3323874393F83102D614E05502B66A34@CORPUSMX20A.corp.emc.com>
Date: Fri, 21 Apr 2006 12:25:11 -0400
In-Reply-To: <F222151D3323874393F83102D614E05502B66A34@CORPUSMX20A.corp.emc.com> (Black David's message of "Thu, 20 Apr 2006 18:28:43 -0400")
Message-ID: <sjmejzqzyjc.fsf@cliodev.pgp.com>
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 578c2c9d0cb01ffe6e1ca36540edd070
X-Mailman-Approved-At: Fri, 21 Apr 2006 16:45:36 -0400
Cc: hartmans-ietf@MIT.EDU, pcain@acmehacking.com, housley@vigilsec.com, secdir-secretary@MIT.EDU, rddp@ietf.org
X-BeenThere: rddp@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IETF Remote Direct Data Placement \(rddp\) WG" <rddp.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rddp>, <mailto:rddp-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rddp@ietf.org>
List-Help: <mailto:rddp-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rddp>, <mailto:rddp-request@ietf.org?subject=subscribe>
Errors-To: rddp-bounces@ietf.org

Yes, your descriptions sound good to me.

Technically I did not have significant concerns of these drafts.

-derek

Black_David@emc.com writes:

> Derek,
>
> Thanks for your review of this and the applicability draft.  It
> looks like all the issues involve wording, but I wanted to make
> a few comments on some of your concerns that may appear to be technical:
>
> --------
>
>> Section 2.3.4  Initialization of RNIC Data Structures for 
>> Data Transfer  
>> 
>> It says:
>> 
>>    Note that an implementation may not have a Page Translation Table 
>>    (i.e. it may support a direct mapping between an STag and a Data 
>>    Buffer). In this case threats and mitigations associated with the 
>>    Page Translation Table are not relevant. 
>> 
>> I don't believe this is true.  I think that the security implications
>> of STag to Data Buffer mapping is JUST as relevant as having the Page
>> Translation Table.  The threats are all about an attacker trying to
>> get data into (or out of) a buffer they are not authorized to access.
>
> I believe that what was intended was to say that if there is no Page
> Translation Table, then attacks based on changing its contents or
> exhausting its resources are impossible.  The text will need to be
> rephrased to say that.
>
> -------------
>
>> Section 5.4.2  TLS is Inappropriate for DDP/RDMAP Security
>
> [... snip ...]
>
>> So I don't think it's fair to blame TLS for problems that are
>> really a result of using TCP.
>
> I believe both protocols share the blame, and the text should be
> revised to make it clear that it is the TLS/TCP combination that
> has the drawback.
>
> -------------
>
>> 6.3.2  Using RDMA Read to Access Stale Data 
>> 
>> It says:
>> 
>>    Because of this, the local ULP SHOULD ensure that no stale data 
>>    is contained in the buffer before remote read access rights are 
>>    granted (this can be done by zeroing the contents of the memory, 
>>    for example).  
>> 
>> This reduces the threat to a race condition, but the threat still
>> remains.  It is still possible for an attacker to read this buffer,
>> only the time window is reduced before the data is zero'd.  A better
>> approach would be a means to allow the ULP to inform the DDP/RDMAP
>> that the buffer is available.
>
> This text needs some clarifying editing, because it is attempting
> to describe the "better approach," namely to zero a not-remotely-
> accessible buffer *before* authorizing remote access to it.
>
> Thanks,
> --David (rddp WG chair)
> ----------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 176 South St., Hopkinton, MA  01748
> +1 (508) 293-7953             FAX: +1 (508) 293-7786
> black_david@emc.com        Mobile: +1 (978) 394-7754
> ----------------------------------------------------
>
>
>
>> -----Original Message-----
>> From: Derek Atkins [mailto:derek@ihtfp.com] 
>> Sent: Wednesday, April 19, 2006 5:58 PM
>> To: secdir-secretary@MIT.EDU
>> Cc: Russ Housley; Pat Cain; Sam Hartman; rddp@ietf.org
>> Subject: [rddp] Re: SecDir review assignment
>> 
>> Hi,
>> 
>> I was asked to review draft-ietf-rddp-security-08.txt.  Enclosed
>> below are my comments.
>> 
>> -derek
>> 
>> ----
>> 
>> Section 2.2.4  Protection Domain (PD)
>> 
>> It says:
>> 
>>                                 Protection 
>>    Domains are assigned to two of the resources of concern, Stream 
>>    Context Memory and STags associated with Page Translation Table 
>>    entries and data buffers. 
>> 
>> This is confusing.  What are the "two resources of concern"?  I
>> don't know how to parse the rest of this sentence into two objects,
>> in my reading I see three:
>> 
>>   1) Stream Context Memory
>>   2) STags associated with Page Translation Table entires
>>   3) data buffers
>> 
>> I suspect some simple punctuation marks could help here.
>> 
>> ----
>> 
>> Section 2.3.2  Non-Privileged Data Interface Semantics 
>> 
>> It says:
>> 
>>          . Three RDMAP data transfer mechanisms are 
>>    defined, one using Untagged data transfer (Send Type Messages), 
>>    and one using Tagged data transfer (RDMA Read Responses and RDMA 
>>    Writes).
>> 
>> Maybe my math is wrong, but I only count two mechanisms here:
>> 
>>   1) using Untagged data transfer (Send Type Messages)
>>   2) using Tagged data transfer (RDMA Read Responses and RDMA Writes)
>> 
>> What's the third?
>> 
>> --
>> 
>> A couple paragraphs later it says:
>> 
>>               For data reception, for DDP it can receive Untagged 
>>    Messages into buffers that have been posted on the Receive Queue 
>>    or Shared Receive Queue. 
>> 
>> This sentence doesn't parse properly.  I think you need to remove
>> the second "for" and the following "it", so it reads:
>> 
>>          For data reception, DDP can receive ...
>> 
>> ----
>> 
>> Section 2.3.4  Initialization of RNIC Data Structures for 
>> Data Transfer  
>> 
>> It says:
>> 
>>    Note that an implementation may not have a Page Translation Table 
>>    (i.e. it may support a direct mapping between an STag and a Data 
>>    Buffer). In this case threats and mitigations associated with the 
>>    Page Translation Table are not relevant. 
>> 
>> I don't believe this is true.  I think that the security implications
>> of STag to Data Buffer mapping is JUST as relevant as having the Page
>> Translation Table.  The threats are all about an attacker trying to
>> get data into (or out of) a buffer they are not authorized to access.
>> The threats are the same regardless of the number of layers of mapping
>> involved.  Indeed, one would think that the Page Translation Table
>> makes protecting the Data Buffer EASIER, because you can add columns
>> to the table to include the Stream, PD, and access right information
>> directly in the PTT, sort of like the IPsec PAD.
>> 
>> ----
>> 
>> Section 5.4.2  TLS is Inappropriate for DDP/RDMAP Security 
>> 
>> Part 2 talks about TLS as a connection oriented protocol and
>> goes on to talk about the problems of buffering and reordering
>> of packets.  But that's really a red-herring.  It's not TLS
>> that causes that.  It's TCP!  TCP requires the buffering of
>> out-of-order packets, because TCP assures in-order streams of
>> data.  So it's not TLS that causes the problem, but the choice
>> of using TCP.  TLS doesn't run on top of UDP.   I don't know
>> if TLS runs on top of SCTP.
>> 
>> So I don't think it's fair to blame TLS for problems that are
>> really a result of using TCP.
>> 
>> ----
>> 
>> Section 6.2.1  Buffer Overrun - RDMA Write or Read Response 
>> 
>> I really like this section.  This should be emphasized more.
>> 
>> ----
>> 
>> 6.3.2  Using RDMA Read to Access Stale Data 
>> 
>> It says:
>> 
>>    Because of this, the local ULP SHOULD ensure that no stale data 
>>    is contained in the buffer before remote read access rights are 
>>    granted (this can be done by zeroing the contents of the memory, 
>>    for example).  
>> 
>> This reduces the threat to a race condition, but the threat still
>> remains.  It is still possible for an attacker to read this buffer,
>> only the time window is reduced before the data is zero'd.  A better
>> approach would be a means to allow the ULP to inform the DDP/RDMAP
>> that the buffer is available.  E.g., allow even an Non-Privileged ULP
>> to notify the engine that a buffer is "in process" and not available..
>> Sort of like marking the buffer (or stag) as "Busy".  That way the
>> Stream can only make buffers available that have valid data and you
>> don't get invalid data buffers.
>> 
>> ----
>> 
>> Section 8  Security considerations 
>> 
>> Says, in its entirety:
>> 
>>    This entire document is focused on security considerations. 
>> 
>> 
>> While this statement is true, it still might be useful to reiterate
>> the key points of the document.   E.g.:
>> 
>>   - you must validate your inputs
>>   - dont do this, do do that, ...
>>   - etc.
>> 
>> 
>> 
>> Sam Weiler <weiler@tislabs.com> writes:
>> 
>> > ---------- Forwarded message ----------
>> > Date: Wed, 05 Apr 2006 16:49:04 -0400
>> > From: The IESG <iesg-secretary@ietf.org>
>> > To: IETF-Announce <ietf-announce@ietf.org>
>> > Cc: rddp@ietf.org
>> > Subject: Last Call: 'DDP/RDMAP Security' to Proposed Standard
>> >
>> > The IESG has received a request from the Remote Direct Data Placement WG
> to
>> > consider the following documents:
>> >
>> > - 'DDP/RDMAP Security '
>> >    <draft-ietf-rddp-security-08.txt> as a Proposed Standard
>> > - 'Applicability of Remote Direct Memory Access Protocol (RDMA) and
> Direct Data
>> >    Placement (DDP) '
>> >    <draft-ietf-rddp-applicability-05.txt> as an Informational RFC
>> >
>> > The IESG plans to make a decision in the next few weeks, and solicits
>> > final comments on this action.  Please send any comments to the
>> > iesg@ietf.org or ietf@ietf.org mailing lists by 2006-04-19.
>> >
>> > The file can be obtained via
>> > http://www.ietf.org/internet-drafts/draft-ietf-rddp-security-08.txt
>> > 
>> http://www.ietf.org/internet-drafts/draft-ietf-rddp-applicabil
>> ity-05.txt
>> >

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
rddp mailing list
rddp@ietf.org
https://www1.ietf.org/mailman/listinfo/rddp

v2.23.0 | Report a Bug | By Email