Re: [secdir] draft-ietf-appsawg-mdn-3798bis-15 SECDIR Review

["HANSEN, TONY L" <tony@att.com>]

The wonderful thing about having a coauthor 5 hours ahead of you is that by the time you log in in the morning, things have often already been taken care of. ☺

Thanks for the comments Donald.

                Tony

From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Thursday, December 1, 2016 at 6:12 AM
To: Donald Eastlake <d3e3e3@gmail.com>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-appsawg-mdn-3798bis.all@ietf.org" <draft-ietf-appsawg-mdn-3798bis.all@ietf.org>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-appsawg-mdn-3798bis-15 SECDIR Review
Resent-From: <alias-bounces@ietf.org>
Resent-To: <alexey.melnikov@isode.com>, <tony@att.com>, <superuser@gmail.com>, <ben@nostrum.com>, <alissa@cooperw.in>, <aamelnikov@fastmail.fm>, Barry Leiba <barryleiba@computer.org>
Resent-Date: Thursday, December 1, 2016 at 6:14 AM


Hi Donald,

Thank you for your comments.

On 01/12/2016 02:02, Donald Eastlake wrote:
My apologies for getting this in late. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft appears to be ready for publication with some nits..

This draft polishes and advances to Internet Standard level RFC 3798 on Message Disposition Notifications.

Security Considerations:

The Security Considerations seem good except for one minor point: in my opinion the option to return all or a portion of the original message significantly increases the possible risk of use MDNs as a traffic multiplier. I believe this should be mentioned in Section 6.4.

Thank you, I've added some text on this to the first paragraph of Section 6.4:

  Additionally, as generated MDN notifications can include full content of messages that caused them
  and thus they can be bigger than such messages, they can be used for bandwidth amplification attacks.



Miscellaneous:

The style of this draft is to say that you MUST do this and MUST NOT do that without indicating what action should be taken if this is violated. This is like saying a protocol field "MUST be zero" without adding the usual "and is ignored on receipt". For example, in Section 3 it says that a message disposition notification MUST NOT itself request an MDN. I believe it should go on and add the few words to say: "If one does, this is ignored." (unless that's wrong...) I'm not saying this must always be done but there may be 1 or 2 other cases like this in the draft where such wording should be added.

This is a difficult area, because we typically don't describe how to handle violations of MUSTs. In the case that you mention above, the text is added in order to prevent loops. Not much can be done on recipients end other than usual handling of spam and/or broken implementations.

Can you list other possible cases where you wanted some advice to be given?


Wording:

In Section 3, the wording of the last sentence of point d seems just a bit obscure. It says

       However, in the case of encrypted messages requesting MDNs,

       encrypted message text MUST be returned, if it is returned at

       all, only in its original encrypted form.
I think it would be a just bit clearer as

       However, in the case of encrypted messages requesting MDNs, if

       the original message or a portion thereof is returned, it MUST

       be in its original encrypted form.

I used your text, thank you.


Trivia:

I do wonder if the references to X.400 mail are necessary. They seem archaic. Does anyone run X.400 email any more?

Yes :-)


It is just used as an example, along with proprietary mail systems. I think such proprietary systems still exist, but X.400 mail? I'm not so sure. If it is going to be retained, maybe there should be an Informational reference for it.

I will try to dig one out.