IETF Logo Mail Archive

Re: [secdir] Writing Security Considerations

Linda Dunbar <linda.dunbar@futurewei.com> Thu, 27 June 2019 16:47 UTC

Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A818120118 for <secdir@ietfa.amsl.com>; Thu, 27 Jun 2019 09:47:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7eR-uM3uEsnY for <secdir@ietfa.amsl.com>; Thu, 27 Jun 2019 09:47:23 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-eopbgr810094.outbound.protection.outlook.com [40.107.81.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B40E7120112 for <secdir@ietf.org>; Thu, 27 Jun 2019 09:47:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xZhZWGbEw1zylxEqZSbNPUSq8Aoap+e4jH7ehqYj8wA=; b=pTqgFT6Wa+5b0b6KXfFAS/3PxskCTn0rD2pfm6wR4ywTD51m7dF4uKfngqJzraUn0D0k13VWYYwMyPzpZPRKEbjhfO1vX91IeB3IoNQREM3EN+QbexW0Zy3IdBCzLoajBodHj/HJFc+fbev/0FbZhvHeusoYVyUyqDfVwdM2Lr8=
Received: from MN2PR13MB3582.namprd13.prod.outlook.com (10.255.238.139) by MN2PR13MB2656.namprd13.prod.outlook.com (20.178.251.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.12; Thu, 27 Jun 2019 16:47:20 +0000
Received: from MN2PR13MB3582.namprd13.prod.outlook.com ([fe80::a8cd:e9ef:5219:67ea]) by MN2PR13MB3582.namprd13.prod.outlook.com ([fe80::a8cd:e9ef:5219:67ea%6]) with mapi id 15.20.2032.012; Thu, 27 Jun 2019 16:47:20 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Vincent Roca <vincent.roca@inria.fr>, "Salz, Rich" <rsalz@akamai.com>, Yoav Nir <ynir.ietf@gmail.com>
CC: secdir <secdir@ietf.org>
Thread-Topic: [secdir] Writing Security Considerations
Thread-Index: AQHVK4fepAORvcYl7Eyn4Hgy5k6N9KatgdgAgAFp7YCAAIEYgIAACcCAgAA/+lA=
Date: Thu, 27 Jun 2019 16:47:20 +0000
Message-ID: <MN2PR13MB35824C91911136E2E1DD1D4B85FD0@MN2PR13MB3582.namprd13.prod.outlook.com>
References: <AB6D23B6-C4F2-466B-8DE2-75CF6FD6EF8A@gmail.com> <421EA63E-CD5F-4BCC-AA24-3BDBD7182B24@inria.fr> <558A448D-E5EE-4E3C-9B0A-F5B5490E793C@gmail.com> <7D1A00B2-3A6F-4B54-AE8F-9BB7771E6189@akamai.com> <5C18F02D-BACE-4251-99D9-AA8D0AEA7F37@inria.fr>
In-Reply-To: <5C18F02D-BACE-4251-99D9-AA8D0AEA7F37@inria.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=linda.dunbar@futurewei.com;
x-originating-ip: [12.111.81.80]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c73afe09-142e-49b2-e448-08d6fb1f1f6a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:MN2PR13MB2656;
x-ms-traffictypediagnostic: MN2PR13MB2656:
x-ms-exchange-purlcount: 9
x-microsoft-antispam-prvs: <MN2PR13MB265616518DFF6700AAAADDCF85FD0@MN2PR13MB2656.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 008184426E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39840400004)(366004)(346002)(136003)(396003)(376002)(199004)(189003)(51874003)(14454004)(66574012)(3846002)(5660300002)(186003)(26005)(6436002)(71200400001)(6246003)(6116002)(14444005)(2906002)(256004)(15650500001)(2420400007)(790700001)(52536014)(6306002)(55016002)(76116006)(478600001)(86362001)(71190400001)(316002)(73956011)(64756008)(9686003)(54896002)(236005)(4326008)(606006)(66946007)(53936002)(81166006)(66446008)(561944003)(44832011)(66556008)(8936002)(74316002)(966005)(476003)(8676002)(25786009)(11346002)(7110500001)(7736002)(102836004)(446003)(53546011)(7696005)(6506007)(76176011)(486006)(99286004)(66066001)(68736007)(110136005)(33656002)(66476007)(81156014)(229853002); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR13MB2656; H:MN2PR13MB3582.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 3E/F9SSGrAqy2NnIAo8WwphmSPvWivDBA/ZA6Q9IePEew6y9IQlvSfV94sQaefymP07jwKizB46xfhLBerRcRzccjFTAwgJQyGl2X7WHe08q4x8dBgsJ3uP3jW7aMfu9s2+WGczz6tTcWi4W3AUO8FAcgUIRZB6ggWCHqMkxdOhVRU071+OHuylYfclfSM8qNxJaX0cnPp7iXieHpXuH52fq9gsZBcrz3GwdX8FlcH9Z29FjeDEAvRxcPS4IdtMm1/ms+cmX6KTDSkASV526cHuB67wMtG5x02rLjvF4i70C6kAIJc9NoEz6CvYGqECyifeUZ5twT6/wkKxhdbvQp3z5VSofjQCGhboM5Cbl/e29cYK/hmmmhXK9IlSxkKQ+Ww82l+cpo0ZdzXlQIR/idXEK+NdjD35nk4X3CHcROK0=
Content-Type: multipart/alternative; boundary="_000_MN2PR13MB35824C91911136E2E1DD1D4B85FD0MN2PR13MB3582namp_"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c73afe09-142e-49b2-e448-08d6fb1f1f6a
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jun 2019 16:47:20.7291 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ldunbar@futurewei.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR13MB2656
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/9_j-EnH5_YxsUWw_OwdFs1Oshqc>
Subject: Re: [secdir] Writing Security Considerations
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2019 16:47:26 -0000

I see many drafts from Routing Area and Ops Areas have the similar writing on Security Considerations as RFC6520.
For many people in Routing and Ops, Security is not on their mind, even with Thinking Multiple times.

It will be more helpful to compose a list of Security Check List. Draft authors can go through the list to be reminded of potential security risks introduced by the draft proposed mechanisms.

Linda

From: secdir <secdir-bounces@ietf.org> On Behalf Of Vincent Roca
Sent: Thursday, June 27, 2019 7:50 AM
To: Salz, Rich <rsalz@akamai.com>; Yoav Nir <ynir.ietf@gmail.com>
Cc: secdir <secdir@ietf.org>
Subject: Re: [secdir] Writing Security Considerations

Hello,

The two messages I would suggest:
               - You, authors, think everything is fine, that your proposal does not introduce any new threat. Think it twice (or more),
                  there’s probably something that’s worth being said;
               - And the Security Considerations section is also meant to help developers: in this specific case, it would have
                 been nice to add a warning about this carbon copy in the reply packet, as we all discovered later.

I think it’s a good example of cool protocol feature that can turn into a security nightmare if wrongly implemented.
It’s worth explaining IMHO.

But that’s just an idea, feel free to ignore my suggestion.
Cheers,

  Vincent


Le 27 juin 2019 à 14:15, Salz, Rich <rsalz@akamai.com<mailto:rsalz@akamai.com>> a écrit :

Well there’s also the fact that it was implemented in TLS but only intended for DTLS.

But yeah, I’m still not sure what the lesson learned is.

From: Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>>
Date: Thursday, June 27, 2019 at 12:33 AM
To: Vincent Roca <vincent.roca@inria.fr<mailto:vincent.roca@inria.fr>>
Cc: "secdir@ietf.org<mailto:secdir@ietf.org>" <secdir@ietf.org<mailto:secdir@ietf.org>>
Subject: Re: [secdir] Writing Security Considerations

Hi, Vincent.

Thanks, but I don’t know what kind of lesson there is in this for the general RFC-writing audience.

Always call out when you have internal length fields because that can be done dangerously in C?

I think mis-handling length fields has been an issue with protocols as long as protocols have been implemented.

Yoav



On 26 Jun 2019, at 9:57, Vincent Roca <vincent.roca@inria.fr<mailto:vincent.roca@inria.fr>> wrote:

Hello Yoav and Linda,

Good initiative.

Since you’re looking for stories, here is a proposal, rooted in real life.
RFC6520 (https://tools.ietf.org/html/rfc6520<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__tools.ietf.org_html_rfc6520%26d%3DDwMFaQ%26c%3D96ZbZZcaMF4w0F4jpN6LZg%26r%3D4LM0GbR0h9Fvx86FtsKI-w%26m%3D32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ%26s%3DFbDzqETFX080s8nnVXHURz64o5cbrHAGdKknxxMVsBA%26e%3D&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cbe1607e3887d44118d9708d6fafe1082%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636972366461270746&sdata=%2Be8dQAiiMhX8aq2JBn%2BPLCAK1pi%2FfeSnyIBADT0KMnI%3D&reserved=0>) on TLS heartbeat extension has a pretty simple security considerations section: it says
it does not introduce any new security consideration and it refers to two existing RFCs.

We all know this TLS heartbeat extension has been the cause of the famous heartbleed OpenSSL vulnerability and associated attack.
Of course the major problem comes from an erroneous implementation of the mechanism in OpenSSL:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__git.openssl..org_gitweb_-3Fp-3Dopenssl.git-3Ba-3Dcommitdiff-3Bh-3D96db9023b881d7cd9f379b0c154650d6c108e9a3%26d%3DDwMFaQ%26c%3D96ZbZZcaMF4w0F4jpN6LZg%26r%3D4LM0GbR0h9Fvx86FtsKI-w%26m%3D32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ%26s%3D9FZTwoOauH47k_ngFMjQzuMPRb0jIWcs96Y0axdM9gY%26e%3D&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cbe1607e3887d44118d9708d6fafe1082%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636972366461280740&sdata=zyswYpFDTktpKWf7F6mk8gSQjoOTpGrQ1NUq20ojA%2FU%3D&reserved=0>

The goal is not to blame anybody in person, especially as the RFC describes what should be done to prevent any problem.
But I also think this is a document where we all (i.e., authors/secdir/IESG) should have highlighted the associated risk of badly
implementing the response message in the Security Considerations section. As always in such a situation, it’s easier to say afterwards!

I think there is a way to say that in a positive way (lessons learned) and tell an interesting story many people heard about without knowing
the details.

Cheers,

  Vincent


Le 25 juin 2019 à 20:57, Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>> a écrit :

Hi, all

If you’ve had a look at the draft agenda (https://datatracker.ietf.org/meeting/105/agenda.html<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__datatracker..ietf.org_meeting_105_agenda.html%26d%3DDwMFaQ%26c%3D96ZbZZcaMF4w0F4jpN6LZg%26r%3D4LM0GbR0h9Fvx86FtsKI-w%26m%3D32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ%26s%3D3UI7WQmwfyz7h1buiVZOY8g7D6K8ARLSHXArn_PYUBc%26e%3D&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cbe1607e3887d44118d9708d6fafe1082%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636972366461290735&sdata=RDwcMInt7Yx%2FHyNug8ayYPBkYb7%2FMXPy3hcGXOr88io%3D&reserved=0>), we have a Writing Security Considerations tutorial on Sunday, which Linda Dunbar and I will be doing.

The idea is to get people writing drafts to know what they should do for a smooth interaction with us SecDir people.

The slides do not exist yet, but we have a rough outline on github: https://github.com/IETF-SAAG/SecurityConsiderationsTutorial<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_IETF-2DSAAG_SecurityConsiderationsTutorial%26d%3DDwMFaQ%26c%3D96ZbZZcaMF4w0F4jpN6LZg%26r%3D4LM0GbR0h9Fvx86FtsKI-w%26m%3D32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ%26s%3DkMYyq9Tz5RZyqpaBjEPwSWYLw7P6jG9eqigfDeW1lNk%26e%3D&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cbe1607e3887d44118d9708d6fafe1082%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636972366461290735&sdata=A7A48mIPGRQ9y2EbjfUw%2Bn%2BvA0xl8owyTA8CfMcl0ps%3D&reserved=0>

So if there’s missing or wrong stuff, we’d like to hear about it, preferably in the form of PRs.

But most of all, we’re looking for more examples in the examples page: https://github.com/IETF-SAAG/SecurityConsiderationsTutorial/blob/master/examples.md<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_IETF-2DSAAG_SecurityConsiderationsTutorial_blob_master_examples.md%26d%3DDwMFaQ%26c%3D96ZbZZcaMF4w0F4jpN6LZg%26r%3D4LM0GbR0h9Fvx86FtsKI-w%26m%3D32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ%26s%3Df1H6brU-13lYu1_rTmpXv5fGU5dc258l1UXuaIrOX3Y%26e%3D&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cbe1607e3887d44118d9708d6fafe1082%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636972366461300727&sdata=hT51%2Bgdtzn5BH0c9gbBDbxekd2uBByae8YDXfs3qeh4%3D&reserved=0>

So any horror story, war story, stuff that’s terribly wrong, or even something that’s surprisingly right will be welcome.

Thanks in advance

Linda & Yoav

_______________________________________________
secdir mailing list
secdir@ietf.org<mailto:secdir@ietf.org>
https://www.ietf.org/mailman/listinfo/secdir<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.ietf.org_mailman_listinfo_secdir%26d%3DDwMFaQ%26c%3D96ZbZZcaMF4w0F4jpN6LZg%26r%3D4LM0GbR0h9Fvx86FtsKI-w%26m%3D32H5KaerecFFfHL_RbK6_S3L5bwUE9K88_l69RYrvIQ%26s%3D6b6SRPf-vkkPvj-FrX-q8rwRHE1RCF54pOHVFQAkkRQ%26e%3D&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cbe1607e3887d44118d9708d6fafe1082%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636972366461300727&sdata=EYUr5SBgNDlQOUF9AI7t2LwSJlcXFszlog2iCtCKNFw%3D&reserved=0>
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftools.ietf.org%2Farea%2Fsec%2Ftrac%2Fwiki%2FSecDirReview&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cbe1607e3887d44118d9708d6fafe1082%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636972366461310723&sdata=p0WeLfYi23bSD6sslNFoAYyizebY0ruewP1%2BdCFyIpc%3D&reserved=0>

v2.23.0 | Report a Bug | By Email