[secdir] SecDir review of draft-ietf-imapapnd-appendlimit-extension
Paul Wouters <paul@nohats.ca> Thu, 31 December 2015 21:36 UTC
Date: Thu, 31 Dec 2015 16:36:25 -0500
From: Paul Wouters <paul@nohats.ca>
To: draft-ietf-imapapnd-appendlimit-extension.all@tools.ietf.org
Message-ID: <alpine.LFD.2.20.1512311626070.29547@bofh.nohats.ca>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/9-mgHiPvoRG8R1nfuTpsbaIMuxQ>
Cc: iesg@ietf.org, secdir <secdir@ietf.org>
Subject: [secdir] SecDir review of draft-ietf-imapapnd-appendlimit-extension
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document is Ready.

The document describes an IMAP extension to convey a size limit for appending to a mailbox. This prevents situations where clients upload data only to have it rejected by the server. The security considerations are therefore limited in scope, as it is more of an optimization. The only item mentioned in the section is that an attacker who knows the limit could optimize their attack by sending better-matching-sized payloads for a denial-of-service attack, and that servers should disconnect such clients as abusive.

I believe that it correctly covers any new security risks that could arise from this document's specification, and that this issue is very minor compared to other DoS attacks possible by malicious clients that can successfully authenticate against the IMAP server.

Paul
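The following is an added illustration of the two sides of the exchange the review discusses; it is not part of Paul Wouters' message or of the draft. It models a client that parses the advertised APPENDLIMIT (from CAPABILITY or from a per-mailbox STATUS item) and skips uploads the server would reject, and a server-side guard that rejects oversized literals with a TOOBIG response and disconnects a client that keeps pushing limit-sized messages. The capability and STATUS syntax follow my reading of the draft; the 1 MiB limit, the byte-budget window, the connection identifiers and the disconnect policy are constructed assumptions for the example, not anything the draft or the review prescribes.

```python
import re
from collections import defaultdict, deque

# Assumed server-wide limit for the constructed exchange (not from the draft).
LIMIT = 1_048_576  # 1 MiB

# APPENDLIMIT may appear bare (ask per mailbox) or as APPENDLIMIT=<number>.
_CAP_RE = re.compile(r"\bAPPENDLIMIT(?:=(\d+))?(?=\s|$)")
_STATUS_RE = re.compile(r"\bAPPENDLIMIT (\d+|NIL)\b")


def parse_appendlimit(capability_line):
    """Parse a CAPABILITY response line.

    Returns (advertised, limit). advertised is False if the token is absent.
    limit is an int for a global value, or None when the server advertises
    the extension without a value, meaning the client must query each
    mailbox with STATUS ... (APPENDLIMIT).
    """
    m = _CAP_RE.search(capability_line)
    if m is None:
        return False, None
    return True, (int(m.group(1)) if m.group(1) else None)


def parse_status_appendlimit(status_line):
    """Parse '* STATUS mbox (... APPENDLIMIT n ...)'. NIL means no limit -> None."""
    m = _STATUS_RE.search(status_line)
    if m is None or m.group(1) == "NIL":
        return None
    return int(m.group(1))


def client_should_append(limit, message_size):
    """Client-side check: do not upload what the server would reject anyway."""
    return limit is None or message_size <= limit


class AppendGuard:
    """Server-side view of the same exchange (constructed policy).

    Literals above the limit are refused before they are read, which is the
    cheap path. A client that stays just under the limit but exhausts a
    per-connection byte budget inside a sliding window is disconnected,
    matching the 'treat such clients as abusive' advice in the draft.
    """

    def __init__(self, limit, window_seconds=60, window_budget=4 * 1_048_576):
        self.limit = limit
        self.window_seconds = window_seconds
        self.window_budget = window_budget
        self._history = defaultdict(deque)  # conn_id -> deque of (ts, size)
        self.disconnected = set()

    def _spent(self, conn_id, now):
        q = self._history[conn_id]
        while q and now - q[0][0] > self.window_seconds:
            q.popleft()
        return sum(size for _, size in q)

    def handle_append(self, conn_id, literal_size, now):
        """Return the tagged response text the server would send."""
        if conn_id in self.disconnected:
            return "BYE connection closed"
        if literal_size > self.limit:
            return f"NO [TOOBIG] Message size {literal_size} exceeds limit {self.limit}"
        if self._spent(conn_id, now) + literal_size > self.window_budget:
            self.disconnected.add(conn_id)
            return "BYE Too much APPEND traffic; disconnecting"
        self._history[conn_id].append((now, literal_size))
        return "OK APPEND completed"


def simulate_attack(limit=LIMIT, attempts=6):
    """Constructed scenario: a client that learned the limit sends messages
    sized exactly at it, one per second, until the guard cuts it off."""
    guard = AppendGuard(limit, window_seconds=60, window_budget=4 * limit)
    return [guard.handle_append("attacker", limit, now=float(i)) for i in range(attempts)]


if __name__ == "__main__":
    advertised, limit = parse_appendlimit("* CAPABILITY IMAP4rev1 APPENDLIMIT=1048576 IDLE")
    print("advertised:", advertised, "limit:", limit)
    print("client sends 2 MiB message?", client_should_append(limit, 2 * 1_048_576))
    for i, resp in enumerate(simulate_attack()):
        print(f"A{i:03d} {resp}")
```

With the constructed 4x budget, the first four limit-sized APPENDs succeed and the fifth triggers the disconnect; an oversized literal is refused with TOOBIG regardless of budget.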