RE: [rddp] Re: SecDir review assignment
Black_David@emc.com Thu, 20 April 2006 22:29 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FWheG-00057B-38; Thu, 20 Apr 2006 18:29:16 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FWheE-000576-IU for rddp@ietf.org; Thu, 20 Apr 2006 18:29:14 -0400
Received: from mexforward.lss.emc.com ([168.159.213.200]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FWheD-0001up-41 for rddp@ietf.org; Thu, 20 Apr 2006 18:29:14 -0400
Received: from mailhub.lss.emc.com (sesha.lss.emc.com [10.254.144.12]) by mexforward.lss.emc.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id k3KMTCtO009224; Thu, 20 Apr 2006 18:29:12 -0400 (EDT)
Received: from MAHO3MSX2.corp.emc.com (maho3msx2.corp.emc.com [128.221.11.32]) by mailhub.lss.emc.com (Switch-3.1.6/Switch-3.1.7) with ESMTP id k3KMT5dv016659; Thu, 20 Apr 2006 18:29:08 -0400 (EDT)
Received: by maho3msx2.corp.emc.com with Internet Mail Service (5.5.2653.19) id <JF77S03C>; Thu, 20 Apr 2006 18:28:46 -0400
Message-ID: <F222151D3323874393F83102D614E05502B66A34@CORPUSMX20A.corp.emc.com>
From: Black_David@emc.com
To: derek@ihtfp.com, secdir-secretary@MIT.EDU
Subject: RE: [rddp] Re: SecDir review assignment
Date: Thu, 20 Apr 2006 18:28:43 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.3.0.1, Antispam-Data: 2006.4.20.151107
X-PerlMx-Spam: Gauge=, SPAM=0%, Reason='EMC_BODY_1+ -3, EMC_FROM_0+ -2, NO_REAL_NAME 0, __C230066_P5 0, __CP_NOT_1 0, __CP_URI_IN_BODY 0, __CT 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __IMS_MSGID 0, __IMS_MUA 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0, __STOCK_CRUFT 0'
X-Spam-Score: 0.2 (/)
X-Scan-Signature: f8184d7d4d1b986353eb58ea3e887935
Cc: hartmans-ietf@MIT.EDU, pcain@acmehacking.com, housley@vigilsec.com, Black_David@emc.com, rddp@ietf.org
X-BeenThere: rddp@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IETF Remote Direct Data Placement \(rddp\) WG" <rddp.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rddp>, <mailto:rddp-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rddp@ietf.org>
List-Help: <mailto:rddp-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rddp>, <mailto:rddp-request@ietf.org?subject=subscribe>
Errors-To: rddp-bounces@ietf.org
Derek, Thanks for your review of this and the applicability draft. It looks like all the issues involve wording, but I wanted to make a few comments on some of your concerns that may appear to be technical: -------- > Section 2.3.4 Initialization of RNIC Data Structures for > Data Transfer > > It says: > > Note that an implementation may not have a Page Translation Table > (i.e. it may support a direct mapping between an STag and a Data > Buffer). In this case threats and mitigations associated with the > Page Translation Table are not relevant. > > I don't believe this is true. I think that the security implications > of STag to Data Buffer mapping is JUST as relevant as having the Page > Translation Table. The threats are all about an attacker trying to > get data into (or out of) a buffer they are not authorized to access. I believe that what was intended was to say that if there is no Page Translation Table, then attacks based on changing its contents or exhausting its resources are impossible. The text will need to be rephrased to say that. ------------- > Section 5.4.2 TLS is Inappropriate for DDP/RDMAP Security [... snip ...] > So I don't think it's fair to blame TLS for problems that are > really a result of using TCP. I believe both protocols share the blame, and the text should be revised to make it clear that it is the TLS/TCP combination that has the drawback. ------------- > 6.3.2 Using RDMA Read to Access Stale Data > > It says: > > Because of this, the local ULP SHOULD ensure that no stale data > is contained in the buffer before remote read access rights are > granted (this can be done by zeroing the contents of the memory, > for example). > > This reduces the threat to a race condition, but the threat still > remains. It is still possible for an attacker to read this buffer, > only the time window is reduced before the data is zero'd. A better > approach would be a means to allow the ULP to inform the DDP/RDMAP > that the buffer is available. This text needs some clarifying editing, because it is attempting to describe the "better approach," namely to zero a not-remotely- accessible buffer *before* authorizing remote access to it. Thanks, --David (rddp WG chair) ---------------------------------------------------- David L. Black, Senior Technologist EMC Corporation, 176 South St., Hopkinton, MA 01748 +1 (508) 293-7953 FAX: +1 (508) 293-7786 black_david@emc.com Mobile: +1 (978) 394-7754 ---------------------------------------------------- > -----Original Message----- > From: Derek Atkins [mailto:derek@ihtfp.com] > Sent: Wednesday, April 19, 2006 5:58 PM > To: secdir-secretary@MIT.EDU > Cc: Russ Housley; Pat Cain; Sam Hartman; rddp@ietf.org > Subject: [rddp] Re: SecDir review assignment > > Hi, > > I was asked to review draft-ietf-rddp-security-08.txt. Enclosed > below are my comments. > > -derek > > ---- > > Section 2.2.4 Protection Domain (PD) > > It says: > > Protection > Domains are assigned to two of the resources of concern, Stream > Context Memory and STags associated with Page Translation Table > entries and data buffers. > > This is confusing. What are the "two resources of concern"? I > don't know how to parse the rest of this sentence into two objects, > in my reading I see three: > > 1) Stream Context Memory > 2) STags associated with Page Translation Table entires > 3) data buffers > > I suspect some simple punctuation marks could help here. > > ---- > > Section 2.3.2 Non-Privileged Data Interface Semantics > > It says: > > . Three RDMAP data transfer mechanisms are > defined, one using Untagged data transfer (Send Type Messages), > and one using Tagged data transfer (RDMA Read Responses and RDMA > Writes). > > Maybe my math is wrong, but I only count two mechanisms here: > > 1) using Untagged data transfer (Send Type Messages) > 2) using Tagged data transfer (RDMA Read Responses and RDMA Writes) > > What's the third? > > -- > > A couple paragraphs later it says: > > For data reception, for DDP it can receive Untagged > Messages into buffers that have been posted on the Receive Queue > or Shared Receive Queue. > > This sentence doesn't parse properly. I think you need to remove > the second "for" and the following "it", so it reads: > > For data reception, DDP can receive ... > > ---- > > Section 2.3.4 Initialization of RNIC Data Structures for > Data Transfer > > It says: > > Note that an implementation may not have a Page Translation Table > (i.e. it may support a direct mapping between an STag and a Data > Buffer). In this case threats and mitigations associated with the > Page Translation Table are not relevant. > > I don't believe this is true. I think that the security implications > of STag to Data Buffer mapping is JUST as relevant as having the Page > Translation Table. The threats are all about an attacker trying to > get data into (or out of) a buffer they are not authorized to access. > The threats are the same regardless of the number of layers of mapping > involved. Indeed, one would think that the Page Translation Table > makes protecting the Data Buffer EASIER, because you can add columns > to the table to include the Stream, PD, and access right information > directly in the PTT, sort of like the IPsec PAD. > > ---- > > Section 5.4.2 TLS is Inappropriate for DDP/RDMAP Security > > Part 2 talks about TLS as a connection oriented protocol and > goes on to talk about the problems of buffering and reordering > of packets. But that's really a red-herring. It's not TLS > that causes that. It's TCP! TCP requires the buffering of > out-of-order packets, because TCP assures in-order streams of > data. So it's not TLS that causes the problem, but the choice > of using TCP. TLS doesn't run on top of UDP. I don't know > if TLS runs on top of SCTP. > > So I don't think it's fair to blame TLS for problems that are > really a result of using TCP. > > ---- > > Section 6.2.1 Buffer Overrun - RDMA Write or Read Response > > I really like this section. This should be emphasized more. > > ---- > > 6.3.2 Using RDMA Read to Access Stale Data > > It says: > > Because of this, the local ULP SHOULD ensure that no stale data > is contained in the buffer before remote read access rights are > granted (this can be done by zeroing the contents of the memory, > for example). > > This reduces the threat to a race condition, but the threat still > remains. It is still possible for an attacker to read this buffer, > only the time window is reduced before the data is zero'd. A better > approach would be a means to allow the ULP to inform the DDP/RDMAP > that the buffer is available. E.g., allow even an Non-Privileged ULP > to notify the engine that a buffer is "in process" and not available.. > Sort of like marking the buffer (or stag) as "Busy". That way the > Stream can only make buffers available that have valid data and you > don't get invalid data buffers. > > ---- > > Section 8 Security considerations > > Says, in its entirety: > > This entire document is focused on security considerations. > > > While this statement is true, it still might be useful to reiterate > the key points of the document. E.g.: > > - you must validate your inputs > - dont do this, do do that, ... > - etc. > > > > Sam Weiler <weiler@tislabs.com> writes: > > > ---------- Forwarded message ---------- > > Date: Wed, 05 Apr 2006 16:49:04 -0400 > > From: The IESG <iesg-secretary@ietf.org> > > To: IETF-Announce <ietf-announce@ietf.org> > > Cc: rddp@ietf.org > > Subject: Last Call: 'DDP/RDMAP Security' to Proposed Standard > > > > The IESG has received a request from the Remote Direct Data Placement WG to > > consider the following documents: > > > > - 'DDP/RDMAP Security ' > > <draft-ietf-rddp-security-08.txt> as a Proposed Standard > > - 'Applicability of Remote Direct Memory Access Protocol (RDMA) and Direct Data > > Placement (DDP) ' > > <draft-ietf-rddp-applicability-05.txt> as an Informational RFC > > > > The IESG plans to make a decision in the next few weeks, and solicits > > final comments on this action. Please send any comments to the > > iesg@ietf.org or ietf@ietf.org mailing lists by 2006-04-19. > > > > The file can be obtained via > > http://www.ietf.org/internet-drafts/draft-ietf-rddp-security-08.txt > > > http://www.ietf.org/internet-drafts/draft-ietf-rddp-applicabil > ity-05.txt > > > > > > _______________________________________________ > > IETF-Announce mailing list > > IETF-Announce@ietf.org > > https://www1.ietf.org/mailman/listinfo/ietf-announce > > > > > > > > > > -- > Derek Atkins 617-623-3745 > derek@ihtfp.com www.ihtfp.com > Computer and Internet Security Consultant > > _______________________________________________ > rddp mailing list > rddp@ietf.org > https://www1.ietf.org/mailman/listinfo/rddp > _______________________________________________ rddp mailing list rddp@ietf.org https://www1.ietf.org/mailman/listinfo/rddp
- RE: [rddp] Re: SecDir review assignment Black_David
- Re: [rddp] Re: SecDir review assignment Derek Atkins
- RE: [rddp] Re: SecDir review assignment Jim Pinkerton
- RE: [rddp] Re: SecDir review assignment Pat Thaler
- RE: [rddp] Re: SecDir review assignment Jim Pinkerton