Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-dtn-tcpclv4-15
"Christopher Wood" <caw@heapingbits.net> Fri, 06 December 2019 19:39 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E18B912004A; Fri, 6 Dec 2019 11:39:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=h3KrKBu1; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ZU2A6nE4
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XDVJDKhYBBUx; Fri, 6 Dec 2019 11:39:29 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78D351200FE; Fri, 6 Dec 2019 11:39:29 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id AAE55229C7; Fri, 6 Dec 2019 14:39:28 -0500 (EST)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Fri, 06 Dec 2019 14:39:28 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type:content-transfer-encoding; s=fm3; bh=It zHUsl8ExaNvY3ONA3dhdKKicHCpUF6j9QdP+t6ll4=; b=h3KrKBu1ujADkBZQyh +dUYRFd36xHyydGpvzPZeY82Fgj6e0sz7b4dP45BcDkl5H4rQsXo8+x9qbVPStUy +q0pncFwy/84IfZvmGQEGAHH2lGFyudwYvwSUp4iYKY8wCwUY59aRY0Tgu+8BNh8 PIzJcdn/MrOrb+VEEv5jLibddEc6qFEE5baNmPaywvZatGh8iYSm4+ybiXy6vuNC ENzisXDn0FT+3x+9TuG/XbU+uNHTwWhLXZux7lnAXXjuMmkPXoTRXzSn6BtlE4Sz /Vh3OSpDtHFRVFjTx6n1mzTBqmn7RrSKf8TjJupU1JpqT50o29gb2SowkESH+lYH Dvng==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=ItzHUsl8ExaNvY3ONA3dhdKKicHCpUF6j9QdP+t6l l4=; b=ZU2A6nE4vc9raIwCK/YKpugZpwtls0xcVe5szboo9WA9mTahYz7n2io/e E6lJ8DEZC0PLxyky0JlXDbNYs2/LeOvWndjjwKWJ8tca0Op5O/NLw554lDkBExqm 4Ikb9rDolMgeDzesi9XmxVO7mrEHb/fqWfnynk8fma5xdkC9Zn4qZ44E4zlBNf92 HuPOGz4tWWs3td3RZ0/6W9BR6+usW2PhiNN2WoX2lBl0EiqgUYwBrmnIxiBDK4Cx bIz6yQHrJXzlyF2lHbzouIIpnDjcw93Ad5vGO8nWzpo/OgDpO1Wg6zDLBYw74myc hdqne83nb/yRuxIWFi7wpjs4CVRkg==
X-ME-Sender: <xms:cK7qXVa9Hr15BaU3zUitZARH6jfhp-lKKiNfypnI-3sGHJA4g_-wWg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrudekfedguddvvdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefofgggkfgjfhffhffvufgtgfesthhqredtreerjeenucfhrhhomhepfdev hhhrihhsthhophhhvghrucghohhougdfuceotggrfieshhgvrghpihhnghgsihhtshdrnh gvtheqnecuffhomhgrihhnpehmihhtrhgvrdhorhhgpdhivghtfhdrohhrghenucfrrghr rghmpehmrghilhhfrhhomheptggrfieshhgvrghpihhnghgsihhtshdrnhgvthenucevlh hushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:cK7qXe_BLXYtojIRvNRqW1z0rWi3c6rzCy7gO1y1xrZdSKpxLajrwg> <xmx:cK7qXbkhKv-bSoJfzjTluTMSEVOogKe-D8uwrBGPykUmw5rFqs-Gag> <xmx:cK7qXTxHVREn8jiu-q6j0VsfSd4jpTQTAm3dQmf_5zM1bnTxUio2Yw> <xmx:cK7qXVNJ3M4tcblI54Yjxab1OEulwKB0gEaHVf5ohDYzZ4X9k2R3Qg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 55EC63C00A1; Fri, 6 Dec 2019 14:39:28 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-612-g13027cc-fmstable-20191203v1
Mime-Version: 1.0
Message-Id: <325f1938-7028-4f0c-ae16-6251a9ca4d6d@www.fastmail.com>
In-Reply-To: <MN2PR13MB3520A9981F64A77740856D669F4A0@MN2PR13MB3520.namprd13.prod.outlook.com>
References: <157309030845.20168.4543125034732217684@ietfa.amsl.com> <576b4769-ae0f-4821-a127-12a8a3d05de1@www.fastmail.com> <MN2PR13MB3520EBCB4F7786ABFDED76EE9F7B0@MN2PR13MB3520.namprd13.prod.outlook.com> <MN2PR13MB3520A9981F64A77740856D669F4A0@MN2PR13MB3520.namprd13.prod.outlook.com>
Date: Fri, 06 Dec 2019 11:39:08 -0800
From: Christopher Wood <caw@heapingbits.net>
To: Brian Sipos <BSipos@rkf-eng.com>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "draft-ietf-dtn-tcpclv4.all@ietf.org" <draft-ietf-dtn-tcpclv4.all@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/8gxl-PU78CvV4aZ8WL4gYBbyB0E>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-dtn-tcpclv4-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2019 19:39:33 -0000
Thanks for the updates, Brian! And apologies for the delay in my response. I reviewed the diff and the changes look good to me. I only have one nit: I might rename the title of section 8.4 to "Active Transport Security Stripping" to distinguish this from the previous passive attacks. Best, Chris On Mon, Nov 25, 2019, at 1:39 PM, Brian Sipos wrote: > > Christopher, > A new draft has been posted [1] which should address all of your > comments on the -15 draft. Most of the changes [2] are to either fix > typos and inconsistencies or to add requirements supporting TLS use and > threat modeling. > Our AD has requested a re-review of the new draft to verify that there > are no more issues present. Would you be able to review the new draft > version? > Thank you, > Brian S. > > [1] https://tools.ietf.org/html/draft-ietf-dtn-tcpclv4-16 > [2] > https://www.ietf.org/rfcdiff?url1=draft-ietf-dtn-tcpclv4-15&url2=draft-ietf-dtn-tcpclv4-16&difftype=--html > *From:* Brian Sipos <BSipos@rkf-eng.com> > *Sent:* Wednesday, November 13, 2019 10:53 > *To:* Christopher Wood <caw@heapingbits.net>; secdir@ietf.org > <secdir@ietf.org> > *Cc:* last-call@ietf.org <last-call@ietf.org>; > draft-ietf-dtn-tcpclv4.all@ietf.org > <draft-ietf-dtn-tcpclv4.all@ietf.org>; dtn@ietf.org <dtn@ietf.org> > *Subject:* Re: [Last-Call] Secdir last call review of > draft-ietf-dtn-tcpclv4-15 > Christopher, > Thank you for these comments. My responses are inline below with > prefix "BS: ". I have been making edits to a future draft which is not > yet uploaded. > > *From:* Christopher Wood <caw@heapingbits.net> > *Sent:* Wednesday, November 6, 2019 20:57 > *To:* secdir@ietf.org <secdir@ietf.org> > *Cc:* last-call@ietf.org <last-call@ietf.org>; > draft-ietf-dtn-tcpclv4.all@ietf.org > <draft-ietf-dtn-tcpclv4.all@ietf.org>; dtn@ietf.org <dtn@ietf.org> > *Subject:* Re: [Last-Call] Secdir last call review of > draft-ietf-dtn-tcpclv4-15 > Oops. Datatracker butchered the formatting. Let's try that again: > > ~~~ > > Reviewer: Christopher Wood > Review result: Has Issues > > Comments: > - Section 1.1, fourth bullet: I assume certificate revocation is also > out of scope. If so, listing this explicitly might be useful. If not, > why not? Relatedly, is pre-shared key authentication supported? If so, > perhaps we should mention that this too is out of scope? > BS: I added explicit out-of-scope indication for both revocation and > PSK (and other non-certificate) use. > > - If TLS sits below TCPCL and if resumption is used, what is the > definition of a session's lifetime? Is it still bound to the underlying > TCP connection lifetime? I would suggest that the definition be > generalized to accommodate TLS, e.g., perhaps the lifetime is bound to > the underlying transport state lifetime. Relatedly, is TLS session > resumption supported (or encouraged)? When discussing TLS session > establishment in Section 4, this seems to be omitted. > BS: I added text to Section 4 to indicate both the lifetime of TLS > sessions and the ability to attempt to resume sessions. > > - Section 3.2, first paragraph: What does "initiate TLS security" > mean, exactly? Does this mean the initiator sends a TLS ClientHello > upon TCP connection establishment, or only after some other TCPCL > headers are exchanged? Similarly, is the Node ID transferred used in > authenticating such a TLS connection? If so, how? Is the Node ID sent > as the TLS SNI, as hinted at in Section 4.4.1 and 4.4.2, is it included > in the responder's certificate SAN list, etc? I think specific details > are needed here, perhaps with forward pointers to Section 4 as needed. > BS: I rephrased the first paragraph and added a reference to Section 4. > The text in Section 3 is supposed to be higher-level and informative, > where Section 4 is requirements. > > - Section 3.2: It's not clear to me how SESS_TERM translates to > graceful TLS termination (to avoid truncation attacks). The state > machine diagram outlined in Section 3.3 suggests that SESS_TERM, once > negotiated, does imply the end of the data transfer. It therefore seems > possible for an attacker to truncate data sent between receipt of > SESS_TERM and TCP FIN by simply closing the TCP connection. It would be > good to require use of a TLS closure alert when finished to avoid this > type of truncation. (Maybe BP prevents this by marking data transfer > lengths. However, even if that's the case, proper use of TLS seems > prudent.) > BS: I added a requirement to send Closure Alert before shutting down > the TLS session. The TCPCL messages are all fixed-length or > self-indicated length so there is no possibility of data truncation. > > - Section 4, first paragraph: If entities are encouraged to keep > sessions alive for as long as possible, guidance on how to update TLS > keying material (via key updates or explicitly tearing down the > connection and starting anew) seems prudent. TLS has a bound on how > much data can be encrypted under one key. > BS: I added text to Security Considerations section to include a > reference about key use limits and key updates. > > - Section 4: This text: > > Once a TCP connection is established, each entity MUST immediately > transmit a contact header over the TCP connection. > > suggests that TLS does *not* proceed as normal upon TCP connection > establishment. This is quite problematic, since any active attacker can > simply muck with the ContactHeader CAN_TLS bit to disable TLS, right? > Is this threat not considered in scope? Relatedly, what is the threat > model? (SSL stripping is mentioned in Section 8, but without mention of > a threat model.) "Secure" sessions subject to active downgrade do not > offer much in the way of security, and the document should acknowledge > that in the Security Considerations. Concretely, how about the > following text to replace the second paragraph in Section 8? > > TCPCL does not protect against active network attackers. In particular, an > active man-in-the-middle attackers to set the CAN_TLS flag to 0 on either > side of a TCPCL ContactHeader exchange. This leads to the "SSL Stripping" > attack described in [RFC7457]. > > If TLS is desired for use on any TCPCL network, it is strongly > encouraged that > the security policy disallow use of TCPCL when "Enable TLS" is > negotiated to false. This requires that the TLS handshake occurs, > regardless of the policy-driven parameters of the handshake and > policy-driven handling of the handshake outcome. > BS: Your statements are definitely true. The purpose of the CAN_TLS > flag has been clarified in Section 4.2 "Contact Header", and Section 8 > is updated to have a stronger recommendation for policy to require TLS > use when TLS is available. > The purpose of the CAN_TLS flag is to allow the use of TCPCL on > entities which simply do not have a TLS implementation available. This > was a stated goal of the DTN WG due to the desire to use TCPCL in > environments where the entities are constrained (TLS is unavailable) > but the network is trusted. > Regarding the threat model, this is something I need to look into and > find some examples of in other RFCs. > > - Section 4.4.2: Why is the recommendation that entities "SHOULD > terminate the session" if the peer's certificate is untrusted, rather > than "MUST terminate the session"? In what circumstances would an > entity not want to terminate the connection? (Later text mentions that > this may be allowed by "security policy," in which case we should > mention that here.) > BS: I updated these requirements to SHALL and made sure they are all > conditioned on policy rules. > > - Section 4.4.2, fourth paragraph: Why is host name validation done > *after* TLS completes, rather than during the connection? This seems > wrong, though I suspect I'm misunderstanding the details. > BS: I updated the text to read "Either during or immediately after the > TLS handshake..." The only reason for this is some TLS implementations > allow interrupting the handshake but some only allow inspecting the > results of the handshake. > > - 4.7, Enable TLS: If security policy allows the absence of TLS, why > not just always use TLS and have that policy tune TLS peer > authentication? (See https://tools.ietf.org/html/rfc7858#section-4.1 > for an example of this.) It seems strange that opportunistic security > is supported (and desired as a feature?) yet not always used. > BS: Per the earlier response to Section 4 text, the reason to allow > non-TLS sessions is purely for constrained entities. The text in > Section 4.2 and Section 8 are updated to clarify the CAN_TLS flag to > indicate the presence of TLS in the network stack, not really a > configuration parameter. > > - Section 8: I see no reason why one would want to use TLS for > authentication without any form of confidentiality. I would remove text > referencing this use case. > BS: I removed this text to avoid confusion. > > - Section 8: In describing volumetric DoS attacks, it might help to > consider the "opposite" sort of attack, e.g., similar to what the > HTTPT/2 data dribble attack exploited? > (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511) > BS: This is a good catch, I added Section 8 text to warn against > accepting too-small Segment MRU or Transfer MRU parameters. > > Nits: > - Section 2.1, TCP Connection: typo in "and other states association" > (should be associated?) > BS: Fixed this typo. > - Section 2.1, Transmission Intermediate Progress: typo "transferr" > (and elsewhere) > BS: Fixed this typo. > - Inconsistent notation of SESS_TERM (it's referred to as SESSTERM in > lots of places) > BS: The "SESS_TERM" was a message while a "SESSTERM" was an activity. I > renamed the activity to "ST" to be consistent with other abbreviated > activity names. > - Section 3.4, last paragraph: typo "from from" > BS: Fixed this typo. > - Section: typo "negotating" > BS: Fixed several of this typo. >
- [secdir] Secdir last call review of draft-ietf-dt… Christopher Wood via Datatracker
- Re: [secdir] [Last-Call] Secdir last call review … Christopher Wood
- Re: [secdir] [Last-Call] Secdir last call review … Brian Sipos
- Re: [secdir] [Last-Call] Secdir last call review … Brian Sipos
- Re: [secdir] [Last-Call] Secdir last call review … Christopher Wood