[saag] Fwd: AD evaluation of draft-gont-numeric-ids-sec-considerations-04
Benjamin Kaduk <kaduk@mit.edu> Tue, 21 July 2020 04:13 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B2293A13A0; Mon, 20 Jul 2020 21:13:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l8Uxm3HxlUJ1; Mon, 20 Jul 2020 21:13:43 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13A7B3A139F; Mon, 20 Jul 2020 21:13:42 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06L4Dcgt026279 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 21 Jul 2020 00:13:41 -0400
Date: Mon, 20 Jul 2020 21:13:38 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: saag@ietf.org
Cc: draft-gont-numeric-ids-sec-considerations@ietf.org
Message-ID: <20200721041338.GC41010@kduck.mit.edu>
References: <20200717204604.GV41010@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20200717204604.GV41010@kduck.mit.edu>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/8CRgca7Ip9evFjNF0xVHzmghvi4>
Subject: [saag] Fwd: AD evaluation of draft-gont-numeric-ids-sec-considerations-04
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 04:13:45 -0000
Forwarding my review comments to SAAG since I forgot to put it in the original email... -Ben On Fri, Jul 17, 2020 at 01:46:08PM -0700, Benjamin Kaduk wrote: > Hi Fernando, Ivan, > > While this is nominally just a single AD's evaluation of the document, I > find that the general tone and structure are not a great match for what > I was expecting, given the secdispatch session several IETFs ago. > (Shame on me for taking so long to do the review, yes.) I don't want to > be imposing my own preferences on what should really be a community > document, though, so I'm copying my comments to the SAAG list as well, > to get broader feedback and ensure that I can be reined in when I'm > getting too far from the consensus position. > > I have several points that seem particularly important or potentially > contentious; however, because they will make more sense in the context > of the rest of the document, I am leaving them embedded in the inline > comments, and will mark them with "[*]". > > Abstract > > For more than 30 years, a large number of implementations of the TCP/ > IP protocol suite have been subject to a variety of attacks, with > effects ranging from Denial of Service (DoS) or data injection, to > information leakage that could be exploited for pervasive monitoring. > > This much historical background is probably overkill for an Abstract. > > The root of these issues has been, in many cases, the poor selection > of transient numeric identifiers in such protocols, usually as a > result of insufficient or misleading specifications. This document > formally updates RFC3552, such that RFCs are required to include a > security and privacy analysis of the transient numeric identifiers > they specify. > > I might reformulate the whole thing as something more like: > > % Poor selection of transient numerical identifiers in protocols such as > % the TCP/IP suite has historically led to a number of attacks on > % implementations, ranging from Denial of Service (DoS) to data > % injection and information leakage that can be exploited by pervasive > % monitoring. To prevent such flaws in future protocols and > % implementations, this document updates RFC 3552, requiring future RFCs > % to contain analysis of the security and privacy properties of any > % transient numeric identifiers specified by the protocol. > > Section 1 > > Interface Identifiers (IIDs). These identifiers usually have > specific properties that must be satisfied such that they do not > result in negative interoperability implications (e.g. uniqueness > during a specified period of time), and an associated failure > > nit: comma after "e.g.". > > For more than 30 years, a large number of implementations of the TCP/ > IP protocol suite have been subject to a variety of attacks, with > > (editorial) the transition from the previous paragraph might flow better > if this was something like "The TCP/IP protocol suite alone has been > subject to variety of attacks on its numerical identifiers over the past > 30 years or more, with [...]". > > o Predictable DNS TxIDs > > [DNS TxIDs are pretty hard to argue for being part of the "TCP/IP > protocol suite", so I added a hedge word "alone" in my previous > suggestion] > > Section 2 > > What's wrong with the RFC 4949 definition of "identifier"? > (We'd still want to keep the discussion about "transient", of course.) > > Also, we should pick up the new BCP 14 boilerplate from RFC 8174. > > Section 3 > > [*] Overall, I find this section longer than I expected, spending "too > much time" on examples and evangelizing. I have some specific comments > below, but I'm not sure that just addressing the specific comments would > change the overall impression that the section gives. > > While assessing protocol specifications and implementations regarding > the use of transient numeric identifiers > [I-D.gont-numeric-ids-history], we found that most of the issues > discussed in this document arise as a result of one of the following > conditions: > > (editorial) A potential rewording that hews closer to "typical RFC > style" might be: > > % A recent survey of transient numerical identifier usage in protocol > % specifications and implementations [I-D.gont-numeric-ids-history] > % revealed that most of the issues discussed in this document arise as a > % result of one of the following conditions: > > A number of protocol implementations (too many of them) simply > overlook the security and privacy implications of identifiers. > Examples of them are the specification of TCP port numbers in > [...] > On the other hand, there are a number of protocol specifications that > over-specify some of their associated protocol identifiers. For > example, [RFC4291] essentially results in link-layer addresses being > embedded in the IPv6 Interface Identifiers (IIDs) when the > [...] > > I wonder if the writing would be tighter if we diverged from the "one > bullet point, one paragraph" style. Consider: > > % Both under-specifying and over-specifying identifier contents is > % hazardous. TCP port numbers and sequence numbers [RFC0793] and DNS > % TxID [RFC1035] were under-specified, leading to implementations that > % used predictable values and thus were vulnerable to numberous off-path > % attacks. Over-specification, as for IPv6 Interface Identifiers (IIDs) > % [RFC4291] and Fragment Identification values [RFC2460], leaves > % implementations unable to respond to security and privacy issues > % stemming from the mandated algorithm -- IPv6 IIDs need not expose > % privacy-sensitive link-layer addresses, and predictable Fragment > % Identifiers invite the same off-path attacks that plague TCP. > > Finally, there are protocol implementations that simply fail to > comply with existing protocol specifications. For example, some > popular operating systems (notably Microsoft Windows) still fails to > implement transport-protocol port randomization, as specified in > [RFC6056]. > > It's not clear that this chunk speaks to the third bullet point; from > the IETF perspective, implementation of ("compliance with") our > protocols is optional, and there's not a lever in place to force people > to take updates when we revise/update the spec. Implementing only part > of a spec is a problem, but if we want to lament lack of adoption of > follow-on updates, we should be writing things differently. > > By requiring protocol specifications to clearly specify the > interoperability requirements for the transient numeric identifiers > they specify, the constraints in the possible algorithms to generate > them, as well as possible over-specification of such identifiers, > become evident. Furthermore, requiring specifications to include a > > nit(?): I'm not sure whether "constraints" is the right word here -- > what is being constrained, and by whom? Would "limitations" or "risks" > be workable? > > security and privacy analysis of the transient numeric identifiers > they specify prevents the corresponding considerations from being > overlooked at the time a protocol is specified. > > [*] I really don't think this is an appropriate way to phrase what we're > doing. To specifically *require* authors to include an analysis that > covers these particular points seems to be quite a divergence from RFC > 3552 -- while the presence of a security considerations section in RFCs > is required, what RFC 3552 claims to provide is just guidelines for how > to write such a section. Isn't what we're doing here just an > incremental addition to that guidance, not a new hard requirement on > authors? > > Section 4 > > [*] Similarly to Section 3, this section felt significantly longer than > I was expecting. Could you say something about the motivation for > putting content here as opposed to (e.g.) > draft-irtf-pearg-numeric-ids-generation? (Note, this section currently > references draft-gont-predictable-numeric-ids, which is IIRC the > pre-split consolidated document.) > > [The list itself is good; no complaints about that.] > > Adherence to the one-paragraph-follow-up-per-bullet-point style may be > at the crux of the matter, here, too. Perhaps we could just slightly > expand the elements of the list itself and avoid having large chunks of > text after it entirely. > > When one identifier is employed across contexts where such constancy > is not needed, activity correlation is made made possible. For > example, [RFC4291] essentially results in link-layer addresses being > embedded in the IPv6 Interface Identifiers (IIDs) when the > interoperability requirement of uniqueness could be achieved in other > > (We mentioned the IID+link-layer address before; it's a bit hard for me > to justify having discussion about it in two places in this document.) > > Re-using identifiers across different layers or protocols ties the > security and privacy of the protocol re-using the identifier to the > security and privacy properties of the original identifier (over > which the protocol re-using the identifier may have no control > regarding its generation). Besides, when re-using an identifier > > It's also probably worth noting that this makes the privacy (and, to > some extent, security) analysis harder, since you can no longer just > consider each protoco in isolation and instead have to look at the > combined system. > > Section 5 > > [*] This seems like the meat of the document, but it's at risk of > getting lost due to the size of Sections 3 and 4. Perhaps the > Introduction should specifically say something like "the key guidelines > for protocol designers are found in Section 5" to call it out. > > Protocol specifications that specify transient numeric identifiers > MUST: > > [*] This gets into the same question as above about "RFC 3552 doesn't > require specific things in the security considerations; why should we?". > I think we should rephrase this, perhaps: > > % When a protocol specifies transient numerical identifiers, it is > % critical for the security and privacy considerations to include > % anlysis that: > > (with the corresponding verb tense changes for the list itself). > > 1. Clearly specify the interoperability requirements for the > aforementioned identifiers. > > Hmm, would it be fair to say "interoperability (i.e., functional)"? > > 2. Provide a security and privacy analysis of the aforementioned > identifiers. > > This one is perhaps redundant with the revised lead-in, though. > > Section 7 > > This entire document is about the security and privacy implications > of transient numeric identifiers, and formally updates [RFC3552] such > that the "Security Considerations" sections of RFCs are required to > > [if the other changes go through, the "required" wording will need to be > tweaked] > > Section 9.1 > > We seem to only be using RFCs 793, 2460, 6056, and 8200 as examples, so > they would be okay to relegate to the Informative References section. > > Section 9.2 > > Keeping [I-D.gont-predictable-numeric-ids] around for the > Acknowledgments makes sense, but (as noted above) we should refer to the > appropriate post-split document(s) in the main body text. > > Section 9.3 > > Please consolidate into Section 9.2 > > > Thanks, > > Ben
- [saag] Fwd: AD evaluation of draft-gont-numeric-i… Benjamin Kaduk
- [saag] Fwd: AD evaluation of draft-gont-numeric-i… Benjamin Kaduk
- Re: [saag] AD evaluation of draft-gont-numeric-id… Fernando Gont