[secdir] secdir review of draft-ietf-radext-bigger-packets
Paul Wouters <paul@nohats.ca> Sun, 20 March 2016 20:18 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CFDD12D54A; Sun, 20 Mar 2016 13:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.101
X-Spam-Level:
X-Spam-Status: No, score=-1.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, RP_MATCHES_RCVD=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gD3o_0ngIOyA; Sun, 20 Mar 2016 13:18:26 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3249612D546; Sun, 20 Mar 2016 13:18:26 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3qSqz400Hnz36T; Sun, 20 Mar 2016 21:18:24 +0100 (CET)
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 5E_uBZrj2_Fd; Sun, 20 Mar 2016 21:18:22 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sun, 20 Mar 2016 21:18:22 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id CB7326019B73; Sun, 20 Mar 2016 16:18:21 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca CB7326019B73
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id C690126087; Sun, 20 Mar 2016 16:18:21 -0400 (EDT)
Date: Sun, 20 Mar 2016 16:18:21 -0400
From: Paul Wouters <paul@nohats.ca>
To: secdir <secdir@ietf.org>, iesg@ietf.org
Message-ID: <alpine.LFD.2.20.1603201555020.29425@bofh.nohats.ca>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Ayl07D-wy7Av7OsAHdCZ-N45M0M>
Cc: draft-ietf-radext-bigger-packets-05.all@tools.ietf.org
Subject: [secdir] secdir review of draft-ietf-radext-bigger-packets
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Mar 2016 20:18:28 -0000
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.
The draft is Ready with nits
This document introduces new attributes to Radius to signal handling
radius packets larger than 4096 octets. This is possible when using TCP as
a transport mechanism which is already defined in another RFC. The
document sort of suggests using TLS to protect against any possible
attacks on TCP. I think it could be more explicit about this.
I'm a little confused about when a size refers to a RADIUS packet size,
and when it refers to a TCP packet size. eg:
An implementation of [RFC6613] will silently discard any packet
larger than 4096 octets and will close the TCP connection.
But TCP is a stream, so it could be using multiple packets smaller
than 4096 that would transport a radius packet that is larger than
4096 bytes. (I assume in the beginning it couldn't since everything
was limited by single UDP packets?)
What does "maximum size of a response" refer to? TCP packet size or
radius packet size? I think it would make the document clearer if the
authors would go over all mentions of "packet" and "size" and
specifically write it out as radius packet size or TCP packet size.
I'm also confused by:
Other attributes or configuration MAY be used as an indicator that large responses are
likely to be acceptable.
Are those attributes defined in another RFC? If not, this document
should not hand-wave about non-standard attributes.
The security considerations state:
These attacks can be entirely mitigated by using TLS. If these attacks are
acceptable, then this specification can be used over TCP.
This text is confusing. I think it means to say "These attacks can be
avoided by using TLS". Because this whole document is about TCP, so
there is no case where "this specification" can be used "not over TCP".
nits:
cloing -> closing?
by including the attribute the client indicates -> By including the attribute, the client indicates
an next hop -> a next hop
Paul
- [secdir] secdir review of draft-ietf-radext-bigge… Paul Wouters