Re: [secdir] Writing Security Considerations
Vincent Roca <vincent.roca@inria.fr> Thu, 27 June 2019 12:50 UTC
Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A22B3120441 for <secdir@ietfa.amsl.com>; Thu, 27 Jun 2019 05:50:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.798
X-Spam-Level:
X-Spam-Status: No, score=-6.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DPZ-vQg_r0dp for <secdir@ietfa.amsl.com>; Thu, 27 Jun 2019 05:50:34 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8ABF11203BB for <secdir@ietf.org>; Thu, 27 Jun 2019 05:50:33 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.63,423,1557180000"; d="scan'208,217";a="389371595"
Received: from moucherotte.inrialpes.fr ([194.199.28.14]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Jun 2019 14:50:04 +0200
From: Vincent Roca <vincent.roca@inria.fr>
Message-Id: <5C18F02D-BACE-4251-99D9-AA8D0AEA7F37@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F32A0BE0-3C8B-4B23-B058-12F77345E1A0"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 27 Jun 2019 14:50:03 +0200
In-Reply-To: <7D1A00B2-3A6F-4B54-AE8F-9BB7771E6189@akamai.com>
Cc: Vincent Roca <vincent.roca@inria.fr>, secdir <secdir@ietf.org>
To: "Salz, Rich" <rsalz@akamai.com>, Yoav Nir <ynir.ietf@gmail.com>
References: <AB6D23B6-C4F2-466B-8DE2-75CF6FD6EF8A@gmail.com> <421EA63E-CD5F-4BCC-AA24-3BDBD7182B24@inria.fr> <558A448D-E5EE-4E3C-9B0A-F5B5490E793C@gmail.com> <7D1A00B2-3A6F-4B54-AE8F-9BB7771E6189@akamai.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/2XFcWRo4uauyqbDnHJYURYIQtIY>
Subject: Re: [secdir] Writing Security Considerations
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2019 12:50:38 -0000
Hello, The two messages I would suggest: - You, authors, think everything is fine, that your proposal does not introduce any new threat. Think it twice (or more), there’s probably something that’s worth being said; - And the Security Considerations section is also meant to help developers: in this specific case, it would have been nice to add a warning about this carbon copy in the reply packet, as we all discovered later. I think it’s a good example of cool protocol feature that can turn into a security nightmare if wrongly implemented. It’s worth explaining IMHO. But that’s just an idea, feel free to ignore my suggestion. Cheers, Vincent > Le 27 juin 2019 à 14:15, Salz, Rich <rsalz@akamai.com> a écrit : > > Well there’s also the fact that it was implemented in TLS but only intended for DTLS. > > But yeah, I’m still not sure what the lesson learned is. > > From: Yoav Nir <ynir.ietf@gmail.com> > Date: Thursday, June 27, 2019 at 12:33 AM > To: Vincent Roca <vincent.roca@inria.fr> > Cc: "secdir@ietf.org" <secdir@ietf.org> > Subject: Re: [secdir] Writing Security Considerations > > Hi, Vincent. > > Thanks, but I don’t know what kind of lesson there is in this for the general RFC-writing audience. > > Always call out when you have internal length fields because that can be done dangerously in C? > > I think mis-handling length fields has been an issue with protocols as long as protocols have been implemented. > > Yoav > > >> On 26 Jun 2019, at 9:57, Vincent Roca <vincent.roca@inria.fr <mailto:vincent.roca@inria.fr>> wrote: >> >> Hello Yoav and Linda, >> >> Good initiative. >> >> Since you’re looking for stories, here is a proposal, rooted in real life. >> RFC6520 (https://tools.ietf.org/html/rfc6520 <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc6520&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ&s=FbDzqETFX080s8nnVXHURz64o5cbrHAGdKknxxMVsBA&e=>) on TLS heartbeat extension has a pretty simple security considerations section: it says >> it does not introduce any new security consideration and it refers to two existing RFCs. >> >> We all know this TLS heartbeat extension has been the cause of the famous heartbleed OpenSSL vulnerability and associated attack. >> Of course the major problem comes from an erroneous implementation of the mechanism in OpenSSL: >> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 <https://urldefense.proofpoint.com/v2/url?u=https-3A__git.openssl.org_gitweb_-3Fp-3Dopenssl.git-3Ba-3Dcommitdiff-3Bh-3D96db9023b881d7cd9f379b0c154650d6c108e9a3&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ&s=9FZTwoOauH47k_ngFMjQzuMPRb0jIWcs96Y0axdM9gY&e=> >> >> The goal is not to blame anybody in person, especially as the RFC describes what should be done to prevent any problem. >> But I also think this is a document where we all (i.e., authors/secdir/IESG) should have highlighted the associated risk of badly >> implementing the response message in the Security Considerations section. As always in such a situation, it’s easier to say afterwards! >> >> I think there is a way to say that in a positive way (lessons learned) and tell an interesting story many people heard about without knowing >> the details. >> >> Cheers, >> >> Vincent >> >> >>> Le 25 juin 2019 à 20:57, Yoav Nir <ynir.ietf@gmail.com <mailto:ynir.ietf@gmail.com>> a écrit : >>> >>> Hi, all >>> >>> If you’ve had a look at the draft agenda (https://datatracker.ietf.org/meeting/105/agenda.html <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_meeting_105_agenda.html&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ&s=3UI7WQmwfyz7h1buiVZOY8g7D6K8ARLSHXArn_PYUBc&e=>), we have a Writing Security Considerations tutorial on Sunday, which Linda Dunbar and I will be doing. >>> >>> The idea is to get people writing drafts to know what they should do for a smooth interaction with us SecDir people. >>> >>> The slides do not exist yet, but we have a rough outline on github: https://github.com/IETF-SAAG/SecurityConsiderationsTutorial <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_IETF-2DSAAG_SecurityConsiderationsTutorial&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ&s=kMYyq9Tz5RZyqpaBjEPwSWYLw7P6jG9eqigfDeW1lNk&e=> >>> >>> So if there’s missing or wrong stuff, we’d like to hear about it, preferably in the form of PRs. >>> >>> But most of all, we’re looking for more examples in the examples page: https://github.com/IETF-SAAG/SecurityConsiderationsTutorial/blob/master/examples.md <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_IETF-2DSAAG_SecurityConsiderationsTutorial_blob_master_examples.md&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ&s=f1H6brU-13lYu1_rTmpXv5fGU5dc258l1UXuaIrOX3Y&e=> >>> >>> So any horror story, war story, stuff that’s terribly wrong, or even something that’s surprisingly right will be welcome. >>> >>> Thanks in advance >>> >>> Linda & Yoav >>> >>> _______________________________________________ >>> secdir mailing list >>> secdir@ietf.org <mailto:secdir@ietf.org> >>> https://www.ietf.org/mailman/listinfo/secdir <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_secdir&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ&s=6b6SRPf-vkkPvj-FrX-q8rwRHE1RCF54pOHVFQAkkRQ&e=> >>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
- [secdir] Writing Security Considerations Yoav Nir
- Re: [secdir] Writing Security Considerations Vincent Roca
- Re: [secdir] Writing Security Considerations Yoav Nir
- Re: [secdir] Writing Security Considerations Salz, Rich
- Re: [secdir] Writing Security Considerations Vincent Roca
- Re: [secdir] Writing Security Considerations Linda Dunbar
- Re: [secdir] Writing Security Considerations Yoav Nir
- Re: [secdir] Writing Security Considerations Benjamin Kaduk