Re: [saag] should we revise rfc 3365?
Steven Bellovin <smb@cs.columbia.edu> Thu, 24 May 2012 00:08 UTC
Return-Path: <smb@cs.columbia.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9404221F8736 for <saag@ietfa.amsl.com>; Wed, 23 May 2012 17:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12EbmDfltJak for <saag@ietfa.amsl.com>; Wed, 23 May 2012 17:08:51 -0700 (PDT)
Received: from salak.cc.columbia.edu (salak.cc.columbia.edu [128.59.29.6]) by ietfa.amsl.com (Postfix) with ESMTP id 857F821F86F0 for <saag@ietf.org>; Wed, 23 May 2012 17:08:51 -0700 (PDT)
Received: from [192.168.2.166] (74-92-112-54-Philadelphia.hfc.comcastbusiness.net [74.92.112.54]) (user=smb2132 mech=PLAIN bits=0) by salak.cc.columbia.edu (8.14.4/8.14.3) with ESMTP id q4O08l5l018068 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 23 May 2012 20:08:48 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <4FBD6A78.2070204@cs.tcd.ie>
Date: Wed, 23 May 2012 20:08:47 -0400
Content-Transfer-Encoding: 7bit
Message-Id: <AB548AD5-9780-43A3-8A1D-BF2E470EB871@cs.columbia.edu>
References: <4FBD6A78.2070204@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.1278)
X-No-Spam-Score: Local
X-Scanned-By: MIMEDefang 2.68 on 128.59.29.6
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] should we revise rfc 3365?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2012 00:08:52 -0000
I'm very much in favor of security realism. If something doesn't work, it doesn't work. One reason I wrote RFC 5406 is that protocols were specifying it as their security solution, when (a) it was never implemented, and (b) it probably couldn't work anyway. DHCP AUTH is a good example -- the whole point is minimal or no configuration. I suspect that the proper security spec there is "buy a switch that blocks rogue DHCP (and IPv6 RA) packets)." The specific changes, though, are a lot more difficult. For example, I'd leave the SIP stuff alone; I think there's a disaster there waiting to happen, and I suspect that we will see security implemented and deployed in a very big hurry. On May 23, 2012, at 6:53 44PM, Stephen Farrell wrote: > > Hi all, > > Short version: go read the RFC and say if you think > it needs an update. > > Long version: > > We've been talking about RFC 3261 but Sean and I > have independently been thinking about whether > there's work to be done on RFC 3365 [1] from > 2002 which is the one that basically says you > "MUST implement strong security in all protocols" > and for very good reasons. > > First, we are *not* proposing to back off from that > general position. (We'll say that again in a > minute in case you missed it:-) > > Since 2002 however, we've seen some cases where > this might end up being a bit counter-productive > or where its not clear if or how 3365 applies. > > DHCP AUTH [2] is frequently cited in DHCP > security considerations. However, this is pure > fiction, nobody uses it at all, and I'm not > sure if anybody even implements it. > > SIP e2e security [3] is well defined and has > been implemented, but is ubiquitously unused, > even though other SIP specifications tend(ed) > to refer to it as if it solves their problems. > > FLUTE [4] is a uni-directional protocol, that > RECOMMENDS transport mode ESP, but where its not > clear that you could sensibly do automated key > management, if you really only have one-way > connectivity. (Just including this one to show > not all of 'em are as obvious as the above.) > > In the purely fictional cases, there is a cost > for developers clearly, but also a potential > security downside, if there's a bunch of relatively > untested code being deployed, or if some but not > all people know which things are fictional and > which not. > > In these cases the trade-off seems to be between > specifying MTI security vs. truth-in-advertising. > Some of these are easy, (dhcp maybe), others are > less easy (flute). > > Truth-in-advertising seems like its a good thing, > but its hard to see how to get that without also > creating a future where lots of drafts say "we > don't do security because nobody would use it." > > I'm sure there are more existing cases along > those lines. > > > Separately, we're seeing a number of cases where > something that is like, but is not, e2e security is > being proposed. For example, for inserting adverts > in IPTV [5], for supporting SSL accelerators [6] > and perhaps in the near future, for so-called > "tusted proxies" in HTTP/2.0 [7]. > > Again, there are probably more cases of this, but > here the trade-off seems mainly to be between what > are real use cases (sometimes already widely > deployed) and e2e security. > > > Our question to you: is it time that we revised > RFC 3365 to say something about these issues, or > more generally? > > If so, then how? (Bearing in mind that we are *not* > open to a revision that neuters the position taken > in 3365.) > > If you think RFC 3365 is still just fine and we > should not try revise it, then saying that would > also be good. > > If a substantive discussion emerges we'd hope to > talk about that in Vancouver in July, so nothing > precipitous will happen. If this is greeted by > silence, then we'll take it that you all like > RFC 3365 and don't want us to do anything (except > keep on pushing back when people don't specify > mandatory-to-implement security:-) but that > will continue to be problematic in cases like those > mentioned above, so we may not be getting the > best outcomes at the moment in such cases. > > Thanks, > Stephen and Sean. > > [1] http://tools.ietf.org/html/bcp61 > [2] http://tools.ietf.org/html/rfc3118 > [3] http://tools.ietf.org/html/rfc3261 > [4] https://datatracker.ietf.org/doc/draft-ietf-rmt-flute-revised/ > [5] https://datatracker.ietf.org/doc/draft-ietf-avtext-splicing-for-rtp/ > [6] https://datatracker.ietf.org/doc/draft-ietf-appsawg-http-forwarded/ > [7] http://lists.w3.org/Archives/Public/ietf-http-wg/2012AprJun/0085.html > > > > > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag > --Steve Bellovin, https://www.cs.columbia.edu/~smb
- [saag] should we revise rfc 3365? Stephen Farrell
- Re: [saag] should we revise rfc 3365? Mouse
- Re: [saag] should we revise rfc 3365? Steven Bellovin
- Re: [saag] should we revise rfc 3365? Joe Touch
- Re: [saag] should we revise rfc 3365? Mouse
- Re: [saag] should we revise rfc 3365? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [saag] should we revise rfc 3365? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [saag] should we revise rfc 3365? Mouse
- Re: [saag] should we revise rfc 3365? Nico Williams
- Re: [saag] should we revise rfc 3365? Stephen Farrell
- Re: [saag] should we revise rfc 3365? Stephen Farrell
- Re: [saag] should we revise rfc 3365? Stephen Farrell
- Re: [saag] should we revise rfc 3365? Mouse
- Re: [saag] should we revise rfc 3365? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [saag] should we revise rfc 3365? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [saag] should we revise rfc 3365? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [saag] should we revise rfc 3365? Mouse
- Re: [saag] should we revise rfc 3365? Mouse
- Re: [saag] should we revise rfc 3365? Joe Touch
- Re: [saag] should we revise rfc 3365? Nico Williams