Re: [secdir] Secdir last call review of draft-ietf-anima-constrained-join-proxy-09
Peter van der Stok <stokcons@bbhmail.nl> Mon, 11 April 2022 07:35 UTC
Return-Path: <stokcons@bbhmail.nl>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25D0C3A1D81; Mon, 11 Apr 2022 00:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bbhmail.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8_upbru-aIs; Mon, 11 Apr 2022 00:35:17 -0700 (PDT)
Received: from relay4.hostedemail.com (relay4.hostedemail.com [64.99.140.36]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5910D3A1D7D; Mon, 11 Apr 2022 00:35:16 -0700 (PDT)
Received: from omf01.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 66BE823DA0; Mon, 11 Apr 2022 07:35:15 +0000 (UTC)
Received: from [HIDDEN] (Authenticated sender: stokcons@bbhmail.nl) by omf01.hostedemail.com (Postfix) with ESMTPA id BE81E6000E; Mon, 11 Apr 2022 07:35:14 +0000 (UTC)
MIME-Version: 1.0
Date: Mon, 11 Apr 2022 09:35:14 +0200
From: Peter van der Stok <stokcons@bbhmail.nl>
To: Mališa Vučinić <malisa.vucinic@inria.fr>
Cc: secdir@ietf.org, anima@ietf.org, draft-ietf-anima-constrained-join-proxy.all@ietf.org, last-call@ietf.org
Reply-To: stokcons@bbhmail.nl
Mail-Reply-To: stokcons@bbhmail.nl
In-Reply-To: <164942421882.15991.10648263530009015921@ietfa.amsl.com>
References: <164942421882.15991.10648263530009015921@ietfa.amsl.com>
Message-ID: <beb57c407e1852b8f8c1bb65bbb42bbe@bbhmail.nl>
X-Sender: stokcons@bbhmail.nl
Organization: vanderstok consultancy
Content-Type: multipart/alternative; boundary="=_0700dcd953896ba6b3321612322d1a08"
X-Rspamd-Queue-Id: BE81E6000E
X-Stat-Signature: gjpt8whpmgto5c5n4boquqhx31s6x5zk
X-Rspamd-Server: rspamout03
X-Session-Marker: 73746F6B636F6E73406262686D61696C2E6E6C
X-Session-ID: U2FsdGVkX1+NIex4yrIfVJ930sI/fZ6md0+NYOPTlh4=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bbhmail.nl; h=mime-version:date:from:to:cc:subject:reply-to:in-reply-to:references:message-id:content-type; s=key; bh=62xAXEQUaX1H6o3+8QCEIHL8P6tN7gH5ftqb/WkaHEo=; b=OXgumJE4Ama60laWLTvU/fidPe2Uid4tvPUVHAaYSclE0nFHxNenszDLcDbt1hUpOaBbXwUTqcaWgtQ4Q77OnbMtntGfbEpoEx1jZi/M3PldFCIhEOBZj8U3U5FDNkmtDMjeuZqjYbI/EGwHJXmNhdMZZBHhl64ML2XUlYbwujE=
X-HE-Tag: 1649662514-541092
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/9m0F_Ap8PbMS4pToJpYWJHG9tuc>
Subject: Re: [secdir] Secdir last call review of draft-ietf-anima-constrained-join-proxy-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2022 07:35:23 -0000
HI Malisa, thanks for the review. Toerless having reacted to the first pargraph, I will react to the last part. Plese, see below. Peter Mališa Vučinić via Datatracker schreef op 2022-04-08 15:23: > Reviewer: Mališa Vučinić > Review result: Has Issues > > I have reviewed this document as part of the security directorate's > ongoing > effort to review all IETF documents being processed by the IESG. These > comments > were written primarily for the benefit of the security area directors. > Document editors and WG chairs should treat these comments just like > any other > last call comments. > > The document standardizes the functionality of a Join Proxy, which is a > node > that relays the traffic between the joining node, Pledge, and the > network > Registrar, at the time of the network join. The document defines two > modes of > operation of a Join Proxy: Stateful Join Proxy and Stateless Join > Proxy. > > I have reservations on the progress of this document in its current > state from > the interoperability and security points of view. > > Interoperability-wise, the operation of a Stateful Join Proxy does not > seem to > necessitate a standardization effort as the processing is contained on > a single > network node. The Registrar processes the packet from the Join Proxy as > any > other packet. The language that describes the operation of a Stateful > Join > Proxy in Section 5.1 is informational and describes the process rather > than the > protocol. I would consider moving this text outside the "Join Proxy > Specification" section, perhaps into Section 4, which contains > informational > text. > > Stateless Join Proxy specification in Section 5.3 defines the message > format > that the Registrar and the Join Proxy agree on, which is necessary from > the > interoperability point of view. The message is split into Header and > Content > parts, where Header is opaque to the Registrar and just returned > verbatim to > the Join Proxy. In that sense, I don't understand the need to specify > the inner > structure of the Header part. I believe this will only introduce > interoperability issues with future version of the specification. In > the last > paragraph in Section 5.3, you argue that if any (new) field is not > recognized > by the Registrar, it should be ignored. But then, the protocol simply > won't be > backwards compatible because Stateless Join Proxy will have expected > the > Registrar to echo the new fields. Why complicate this and not leave the > whole > "Header" struct as an opaque byte string that is just echoed by the > Registrar? > > pvds==> > Yes, I think you are right. The header structure should be opaque. > If the Registrar needs information stored in the header, then IMO a new > draft shoudl] > address this. > I will change the text accordingly if my co-authors agree. > ==> > > Security-wise, document is incomplete. Without protection of the Header > field, > an on-path attacker can easily alter the return address of the pledge > to DoS > it. This is all discussed in RFC8974 and RFC9031 so I don't understand > why none > of those concerns are addressed, given the similarity of the topic. > Security > considerations or Figure 5 do not elaborate on DoS considerations of > either > approach. > > pvds==> > I see. The text of RFC8974 seems the most appropriate one. I will refer > to it > in the security consideration, taking over the recommended encryption > algorithm. > ==> > > In general, I think that the document would use an editorial pass as > there seem > to be many small inconsistencies. For example, Security Considerations > talk > about a "CBOR map" while the normative message structure uses CBOR > arrays. > > pvds==> > Very good. Apologies. This mistake reflects the hitory traject of the > document. > ==>
- [secdir] Secdir last call review of draft-ietf-an… Mališa Vučinić via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Toerless Eckert
- Re: [secdir] Secdir last call review of draft-iet… Mališa Vučinić
- Re: [secdir] Secdir last call review of draft-iet… Peter van der Stok