IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-siprec-metadata-20

Paul Kyzivat <pkyzivat@alum.mit.edu> Mon, 22 February 2016 15:15 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 799331B3537 for <secdir@ietfa.amsl.com>; Mon, 22 Feb 2016 07:15:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tkEU6B9c7ddV for <secdir@ietfa.amsl.com>; Mon, 22 Feb 2016 07:15:18 -0800 (PST)
Received: from resqmta-ch2-12v.sys.comcast.net (resqmta-ch2-12v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:44]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 043ED1B3528 for <secdir@ietf.org>; Mon, 22 Feb 2016 07:15:17 -0800 (PST)
Received: from resomta-ch2-07v.sys.comcast.net ([69.252.207.103]) by resqmta-ch2-12v.sys.comcast.net with comcast id MTEi1s0052EPM3101TFHL1; Mon, 22 Feb 2016 15:15:17 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([73.218.51.154]) by resomta-ch2-07v.sys.comcast.net with comcast id MTFG1s0043KdFy101TFGSr; Mon, 22 Feb 2016 15:15:17 +0000
To: David Mandelberg <david@mandelberg.org>, iesg@ietf.org, secdir@ietf.org, draft-ietf-siprec-metadata.all@tools.ietf.org
References: <56C0EB89.4050409@mandelberg.org> <56C15FB9.8030600@alum.mit.edu> <56C4B3D6.6040700@mandelberg.org> <56C4BA98.3080001@alum.mit.edu> <56CA4A7A.1050505@mandelberg.org>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <56CB2603.1020409@alum.mit.edu>
Date: Mon, 22 Feb 2016 10:15:15 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <56CA4A7A.1050505@mandelberg.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1456154117; bh=2h5tFB/JnlYLgy7SSaz9xibrPgIWfmHrEb86DybQCuc=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=sANAVRBwDqJXPL2HrsiUwLWNJiJwKwCIy/Bx5Mw/c2sJCABvu/r/s+8PY2UJV2pKR k3VRvosdt6uqF1QYcB0AoVaouXDRclqimLHJNxx6DMO1paGFam6krnZUUlXHbZo0TW lgnCezs2XZ9BtubO82qsamFUiYc9OkbsWQsgf+MGgWfl851ordZhnboi8qdHg6cmFh PMxnC1M2tqcNKlV1Sz3O2jAcN1Df+Ollpq/RtnTfRzYfST9RNoM0vb2uZzYxK1EmZc vvvGd+biNIJAi15erEnxLlTSAzw2IPq0F38XJ0ClUZhOM6Q9q4VirCf4uNO6J6Drhc J+8dAl+jCs9aA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/8xqzeOPvKTb6xjP1v6pwBzzjXlc>
Subject: Re: [secdir] secdir review of draft-ietf-siprec-metadata-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2016 15:15:19 -0000

David,

Thank you for being so clear. I think I now understand your perspective. 
I would like to have a discussion about this with the other authors and 
the WG before coming back with a definitive response.

	Thanks,
	Paul

On 2/21/16 6:38 PM, David Mandelberg wrote:
> Responses to your points are below, but I think it might also help if
> I'm more clear about how I think this issue could be resolved. Here's
> one way that seems reasonable to me, but is not the only way to prevent
> the issue I brought up (unless I'm wrong and it's not an issue).
>
> Add text specifying that if an SRS receives more than one object defined
> with the same UUID, the SRS MUST reject (or ignore?) all but the first
> definition of the object. (This would ensure that UUIDs are actually
> unique on a per-SRS basis.) Also, specify that an SRC MUST use a random
> or pseudo-random method of generating UUIDs, and an SRC MUST NOT share
> an object's UUID with anybody other than the SRS until after the SRS has
> acknowledged receipt of that object. (This would ensure that the UUID
> generated by the SRC points to the correct object.)
>
> Would that work?
>
>
> On 02/17/2016 01:23 PM, Paul Kyzivat wrote:
>> So your concern is the security implications when we have a malicious
>> SRC that has been authorized by the SRS?
>
> Yes, but I didn't see anything in the draft saying that an SRC needs to
> be authorized by the SRS, just that the SRS needs to be authorized by
> the SRC. Maybe I missed that? Or maybe the Security Considerations could
> be made more clear about exactly who needs to authenticate to whom and
> who needs to make what authorization decisions based on that authentication?
>
>
>> If so, it seems like that can extend to lots of things beyond reuse of
>> UUIDs.
>
> The only issue I noticed was with the UUIDs. Otherwise it looks like an
> SRS could record metadata from any untrusted SRC without any security
> concerns other than the use of bandwidth, disk space, etc. (I could have
> missed something of course.)
>
>
>> (Going further afield, how does this differ from a malicious SIP UA that
>> has the credentials to register a particular AoR? It could cause all
>> sorts of mischief by unregistering valid UAs, etc. ISTM the bottom line
>> is that it is impossible to avoid problems from a party with access to
>> enough "secrets".)
>
> I'm not a SIP expert, but I think it needs to be made clear which pieces
> of data are secrets in order to reason about the security of a system.
> At present, I don't see any indication that UUIDs are meant to be
> secrets. If they are supposed to be secrets, then I don't think they're
> adequately protected from attackers who can guess the output of a
> (potentially non-random) UUID generator.
>
>
>> But the problem actually seems less severe in the case of SIPREC. The
>> SRS is performing what is essentially an append-only write process. The
>> use of a duplicate UUID by a malicious SRC doesn't cause any valid
>> information to be lost. And the SRS is free to track the source of each
>> piece of information it records, so that the malicious info can be
>> sorted out from the valid info once the bad guy has been identified.
>
> I don't see any mention of append-only writing in the draft, so I don't
> know how a server implementer would know to avoid overwriting of the
> object for a specific UUID, thus modifying the meaning of metadata that
> had previously been recorded from a different SRC.
>
>

v2.23.0 | Report a Bug | By Email