IETF Logo Mail Archive

Re: [saag] should we revise rfc 3365?

Steven Bellovin <smb@cs.columbia.edu> Thu, 24 May 2012 00:08 UTC

Return-Path: <smb@cs.columbia.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9404221F8736 for <saag@ietfa.amsl.com>; Wed, 23 May 2012 17:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12EbmDfltJak for <saag@ietfa.amsl.com>; Wed, 23 May 2012 17:08:51 -0700 (PDT)
Received: from salak.cc.columbia.edu (salak.cc.columbia.edu [128.59.29.6]) by ietfa.amsl.com (Postfix) with ESMTP id 857F821F86F0 for <saag@ietf.org>; Wed, 23 May 2012 17:08:51 -0700 (PDT)
Received: from [192.168.2.166] (74-92-112-54-Philadelphia.hfc.comcastbusiness.net [74.92.112.54]) (user=smb2132 mech=PLAIN bits=0) by salak.cc.columbia.edu (8.14.4/8.14.3) with ESMTP id q4O08l5l018068 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 23 May 2012 20:08:48 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <4FBD6A78.2070204@cs.tcd.ie>
Date: Wed, 23 May 2012 20:08:47 -0400
Content-Transfer-Encoding: 7bit
Message-Id: <AB548AD5-9780-43A3-8A1D-BF2E470EB871@cs.columbia.edu>
References: <4FBD6A78.2070204@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.1278)
X-No-Spam-Score: Local
X-Scanned-By: MIMEDefang 2.68 on 128.59.29.6
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] should we revise rfc 3365?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2012 00:08:52 -0000

I'm very much in favor of security realism.  If something
doesn't work, it doesn't work.  One reason I wrote RFC 5406
is that protocols were specifying it as their security solution,
when (a) it was never implemented, and (b) it probably couldn't
work anyway.  DHCP AUTH is a good example -- the whole point
is minimal or no configuration.  I suspect that the proper
security spec there is "buy a switch that blocks rogue DHCP
(and IPv6 RA) packets)."

The specific changes, though, are a lot more difficult.  For
example, I'd leave the SIP stuff alone; I think there's a
disaster there waiting to happen, and I suspect that we will
see security implemented and deployed in a very big hurry.


On May 23, 2012, at 6:53 44PM, Stephen Farrell wrote:

> 
> Hi all,
> 
> Short version: go read the RFC and say if you think
> it needs an update.
> 
> Long version:
> 
> We've been talking about RFC 3261 but Sean and I
> have independently been thinking about whether
> there's work to be done on RFC 3365 [1] from
> 2002 which is the one that basically says you
> "MUST implement strong security in all protocols"
> and for very good reasons.
> 
> First, we are *not* proposing to back off from that
> general position. (We'll say that again in a
> minute in case you missed it:-)
> 
> Since 2002 however, we've seen some cases where
> this might end up being a bit counter-productive
> or where its not clear if or how 3365 applies.
> 
> DHCP AUTH [2] is frequently cited in DHCP
> security considerations. However, this is pure
> fiction, nobody uses it at all, and I'm not
> sure if anybody even implements it.
> 
> SIP e2e security [3] is well defined and has
> been implemented, but is ubiquitously unused,
> even though other SIP specifications tend(ed)
> to refer to it as if it solves their problems.
> 
> FLUTE [4] is a uni-directional protocol, that
> RECOMMENDS transport mode ESP, but where its not
> clear that you could sensibly do automated key
> management, if you really only have one-way
> connectivity. (Just including this one to show
> not all of 'em are as obvious as the above.)
> 
> In the purely fictional cases, there is a cost
> for developers clearly, but also a potential
> security downside, if there's a bunch of relatively
> untested code being deployed, or if some but not
> all people know which things are fictional and
> which not.
> 
> In these cases the trade-off seems to be between
> specifying MTI security vs. truth-in-advertising.
> Some of these are easy, (dhcp maybe), others are
> less easy (flute).
> 
> Truth-in-advertising seems like its a good thing,
> but its hard to see how to get that without also
> creating a future where lots of drafts say "we
> don't do security because nobody would use it."
> 
> I'm sure there are more existing cases along
> those lines.
> 
> 
> Separately, we're seeing a number of cases where
> something that is like, but is not, e2e security is
> being proposed. For example, for inserting adverts
> in IPTV [5], for supporting SSL accelerators [6]
> and perhaps in the near future, for so-called
> "tusted proxies" in HTTP/2.0 [7].
> 
> Again, there are probably more cases of this, but
> here the trade-off seems mainly to be between what
> are real use cases (sometimes already widely
> deployed) and e2e security.
> 
> 
> Our question to you: is it time that we revised
> RFC 3365 to say something about these issues, or
> more generally?
> 
> If so, then how? (Bearing in mind that we are *not*
> open to a revision that neuters the position taken
> in 3365.)
> 
> If you think RFC 3365 is still just fine and we
> should not try revise it, then saying that would
> also be good.
> 
> If a substantive discussion emerges we'd hope to
> talk about that in Vancouver in July, so nothing
> precipitous will happen. If this is greeted by
> silence, then we'll take it that you all like
> RFC 3365 and don't want us to do anything (except
> keep on pushing back when people don't specify
> mandatory-to-implement security:-) but that
> will continue to be problematic in cases like those
> mentioned above, so we may not be getting the
> best outcomes at the moment in such cases.
> 
> Thanks,
> Stephen and Sean.
> 
> [1] http://tools.ietf.org/html/bcp61
> [2] http://tools.ietf.org/html/rfc3118
> [3] http://tools.ietf.org/html/rfc3261
> [4] https://datatracker.ietf.org/doc/draft-ietf-rmt-flute-revised/
> [5] https://datatracker.ietf.org/doc/draft-ietf-avtext-splicing-for-rtp/
> [6] https://datatracker.ietf.org/doc/draft-ietf-appsawg-http-forwarded/
> [7] http://lists.w3.org/Archives/Public/ietf-http-wg/2012AprJun/0085.html
> 
> 
> 
> 
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
> 


		--Steve Bellovin, https://www.cs.columbia.edu/~smb

v2.23.0 | Report a Bug | By Email