[secdir] secdir review of draft-ietf-regext-rfc7484bis
"Scott G. Kelly" <scott@hyperthought.com> Tue, 30 November 2021 17:42 UTC
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43C983A07BC for <secdir@ietfa.amsl.com>; Tue, 30 Nov 2021 09:42:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.552
X-Spam-Level:
X-Spam-Status: No, score=-0.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jM11fLHlBqdS for <secdir@ietfa.amsl.com>; Tue, 30 Nov 2021 09:42:41 -0800 (PST)
Received: from smtp100.iad3a.emailsrvr.com (smtp100.iad3a.emailsrvr.com [173.203.187.100]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A6713A143B for <secdir@ietf.org>; Tue, 30 Nov 2021 09:42:40 -0800 (PST)
Received: from app14.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp21.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 0BD17251A1; Tue, 30 Nov 2021 12:42:40 -0500 (EST)
Received: from hyperthought.com (localhost.localdomain [127.0.0.1]) by app14.wa-webapps.iad3a (Postfix) with ESMTP id F07B8600BA; Tue, 30 Nov 2021 12:42:39 -0500 (EST)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Tue, 30 Nov 2021 09:42:39 -0800 (PST)
X-Auth-ID: scott@hyperthought.com
Date: Tue, 30 Nov 2021 09:42:39 -0800
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-regext-rfc7484bis.all@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
X-Client-IP: 73.93.184.62
Message-ID: <1638294159.982316211@apps.rackspace.com>
X-Mailer: webmail/19.0.13-RC
X-Classification-ID: 2f904963-70a9-42d1-a429-cf35882d605c-1-1
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/27QBOOI9wqh0aJTTGvdWstmTsok>
Subject: [secdir] secdir review of draft-ietf-regext-rfc7484bis
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 17:42:44 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is almost ready This review is quite late, but still ahead of the telechat, so I hope it is useful. From the abstract: This document specifies a method to find which Registration Data Access Protocol (RDAP) server is authoritative to answer queries for a requested scope, such as domain names, IP addresses, or Autonomous System numbers. This document obsoletes RFC7484 Here is the security considerations section: "By providing a bootstrap method to find RDAP servers, this document helps to ensure that the end users will get the RDAP data from an authoritative source, instead of from rogue sources. The method has the same security properties as the RDAP protocols themselves. The transport used to access the registries can be more secure by using TLS [RFC8446], which IANA supports. Additional considerations on using RDAP are described in [RFC7481]." Because this document is updating RFC7484, and because these security considerations are copied verbatim from that doc, I hesitate to raise my concern. Nonetheless, I think the assertion that this document "helps to ensure that the end users will get the RDAP data from an authoritative source, instead of from rogue sources." is questionable. I think the suggestion to use TLS helps, but I think it would be better to say something like this: "This document specifies a method to find which RDAP server is authoritative to answer queries for a requested scope, such as domain names, IP addresses, or Autonomous System numbers. If this data is not authenticated, an adversary may inject data that redirects the user to a rogue RDAP server. A robust authentication method such as may be provided by TLS [RFC8446] SHOULD be utilized to protect against this. Additional considerations on using RDAP are described in [RFC7481]." I'm not attached to the precise wording, but I think implementers should be told what the risks are, and how to mitigate them. I don't think the current security considerations quite hit that aspiration. --Scott
- [secdir] secdir review of draft-ietf-regext-rfc74… Scott G. Kelly
- Re: [secdir] secdir review of draft-ietf-regext-r… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-regext-r… Marc Blanchet