[secdir] secdir review of draft-masotta-tftpexts-windowsize-opt-10

"Waltermire, David A." <david.waltermire@nist.gov> Tue, 15 July 2014 00:33 UTC

Return-Path: <david.waltermire@nist.gov>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 1EF2D1B27C6; Mon, 14 Jul 2014 17:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id SgDzC9HVS1sw; Mon, 14 Jul 2014 17:32:59 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 198381B27B7; Mon, 14 Jul 2014 17:32:59 -0700 (PDT)
Received: from DM2PR09MB0224.namprd09.prod.outlook.com ( by DM2PR09MB0221.namprd09.prod.outlook.com ( with Microsoft SMTP Server (TLS) id 15.0.985.8; Tue, 15 Jul 2014 00:32:56 +0000
Received: from DM2PR09MB0224.namprd09.prod.outlook.com ([]) by DM2PR09MB0224.namprd09.prod.outlook.com ([]) with mapi id 15.00.0985.008; Tue, 15 Jul 2014 00:32:56 +0000
From: "Waltermire, David A." <david.waltermire@nist.gov>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-masotta-tftpexts-windowsize-opt.all@tools.ietf.org" <draft-masotta-tftpexts-windowsize-opt.all@tools.ietf.org>
Thread-Topic: secdir review of draft-masotta-tftpexts-windowsize-opt-10
Thread-Index: Ac+fv7NcsGmC4KKQSM2oT4Q8+MLMbA==
Date: Tue, 15 Jul 2014 00:32:55 +0000
Message-ID: <ffc89df7bd104e038ebdc25c5d8ac654@DM2PR09MB0224.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-microsoft-antispam: BCL:0;PCL:0;RULEID:
x-forefront-prvs: 027367F73D
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(189002)(199002)(76482001)(46102001)(99396002)(50986999)(54356999)(101416001)(229853001)(86362001)(4396001)(107886001)(2656002)(74502001)(33646002)(87936001)(74662001)(79102001)(83322001)(107046002)(77982001)(99286002)(21056001)(31966008)(95666004)(74316001)(105586002)(106356001)(83072002)(85852003)(2201001)(92566001)(81342001)(20776003)(64706001)(76576001)(77096002)(80022001)(81542001)(85306003)(66066001)(108616002)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:DM2PR09MB0221; H:DM2PR09MB0224.namprd09.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/9WNvKiLKwyQPLlyBig2Fkg3mfQ0
Subject: [secdir] secdir review of draft-masotta-tftpexts-windowsize-opt-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jul 2014 00:33:02 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Status: Almost ready - There are a few security and other related concerns with this draft summarized below.

The draft defines a method for overriding the default step-wise acknowledgement (ACK) behavior of TFTP. This extension suppresses the standard step-wise ACK response until a negotiated window size of blocks have been sent. A single ACK is then sent indicating that all blocks in the window were transmitted. This results in a general reduction in the number of ACKs over the exchange, allowing for higher transfer rates than using block size negotiation alone (RFC2348).

Security Concerns:

The specific security considerations statement appears to be copied from RFC2347. It acknowledges that TFTP does not have any explicit security mechanism and that the extension does not add any additional security risk beyond the base specification. Instead of copying the text from the other RFCs, this text should be replaced with text that references the security considerations from RFC1350, RFC2347, and probably RFC5405.

Additionally, it seems like this option requires a state machine, involving both the client and server, to track the exchange of blocks within a window to support retransmission of failed blocks. If I am understanding this correctly, it looks like a potential attack vector exists where a malicious client (or server) could cause abnormal consumption of system and network resources through the use of large window sizes across a number of sessions. This malicious actor would need to selectively cause retransmission of blocks that still conform with max retry, timeout, and delay constraints. In part, the second paragraph (and the following example) in the "Congestion and Error Control" section provide some error handling guidance that also addresses this security consideration. At minimum a discussion of this attack vector and a reference back to this explanation should be included in the security considerations section. It would also be valuable to include some discussion on reasonable limits for window sizes, retry, timeout, and delay parameters, or at least some guidelines around determining them based on the characteristics of the data link layer protocol used.

Other concerns:

In the abstract:

- The abstract should mention that this memo extends RFC1350 by adding a new option extension for ... based on RFC2347.

In section "Windowsize Option Specification":

- The text in this section should be updated to make use of RFC2119 capitalized keywords.
- A specification for the Read and Write requests is provided along with an example. The specification of the corresponding OACK should be provided with the same degree of rigor.
- The draft describes the ACK behavior for data exchange in the definition of the windowsize "#blocks" field. The actual requirements should be defined using RFC2119 language in a new paragraph after the discussion of option negotiation. This new text should express the actual windowing behavior requirements for implementations of the protocol extension. It should also make explicit which block number to send in the ACK, which I infer to be the last block sent in the window.

General nits:

There are a number of grammatical and punctuation issues throughout the document. Some of these make it more difficult to understand the document. A quick editorial pass through the document should address this concern. I am happy to provide a few specifics/suggestions in this regard if the author would like.

Also, the nits tool reported:
- An issue with 3 pages being longer than the required 58 lines per page.
- The abstract contains bracketed references. See previous comment.
- Whitespace warnings

Dave Waltermire