[secdir] secdir review of draft-ietf-radext-bigger-packets
Paul Wouters <paul@nohats.ca> Sun, 20 March 2016 20:18 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CFDD12D54A; Sun, 20 Mar 2016 13:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.101
X-Spam-Level:
X-Spam-Status: No, score=-1.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, RP_MATCHES_RCVD=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gD3o_0ngIOyA; Sun, 20 Mar 2016 13:18:26 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3249612D546; Sun, 20 Mar 2016 13:18:26 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3qSqz400Hnz36T; Sun, 20 Mar 2016 21:18:24 +0100 (CET)
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 5E_uBZrj2_Fd; Sun, 20 Mar 2016 21:18:22 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sun, 20 Mar 2016 21:18:22 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id CB7326019B73; Sun, 20 Mar 2016 16:18:21 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca CB7326019B73
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id C690126087; Sun, 20 Mar 2016 16:18:21 -0400 (EDT)
Date: Sun, 20 Mar 2016 16:18:21 -0400
From: Paul Wouters <paul@nohats.ca>
To: secdir <secdir@ietf.org>, iesg@ietf.org
Message-ID: <alpine.LFD.2.20.1603201555020.29425@bofh.nohats.ca>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Ayl07D-wy7Av7OsAHdCZ-N45M0M>
Cc: draft-ietf-radext-bigger-packets-05.all@tools.ietf.org
Subject: [secdir] secdir review of draft-ietf-radext-bigger-packets
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Mar 2016 20:18:28 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The draft is Ready with nits This document introduces new attributes to Radius to signal handling radius packets larger than 4096 octets. This is possible when using TCP as a transport mechanism which is already defined in another RFC. The document sort of suggests using TLS to protect against any possible attacks on TCP. I think it could be more explicit about this. I'm a little confused about when a size refers to a RADIUS packet size, and when it refers to a TCP packet size. eg: An implementation of [RFC6613] will silently discard any packet larger than 4096 octets and will close the TCP connection. But TCP is a stream, so it could be using multiple packets smaller than 4096 that would transport a radius packet that is larger than 4096 bytes. (I assume in the beginning it couldn't since everything was limited by single UDP packets?) What does "maximum size of a response" refer to? TCP packet size or radius packet size? I think it would make the document clearer if the authors would go over all mentions of "packet" and "size" and specifically write it out as radius packet size or TCP packet size. I'm also confused by: Other attributes or configuration MAY be used as an indicator that large responses are likely to be acceptable. Are those attributes defined in another RFC? If not, this document should not hand-wave about non-standard attributes. The security considerations state: These attacks can be entirely mitigated by using TLS. If these attacks are acceptable, then this specification can be used over TCP. This text is confusing. I think it means to say "These attacks can be avoided by using TLS". Because this whole document is about TCP, so there is no case where "this specification" can be used "not over TCP". nits: cloing -> closing? by including the attribute the client indicates -> By including the attribute, the client indicates an next hop -> a next hop Paul
- [secdir] secdir review of draft-ietf-radext-bigge… Paul Wouters