Re: [secdir] [Dots] Secdir telechat review of draft-ietf-dots-signal-channel-31

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Sat, 04 May 2019 08:40 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC56C12026E; Sat, 4 May 2019 01:40:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cjEj9LyiaIcL; Sat, 4 May 2019 01:40:54 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1349E120269; Sat, 4 May 2019 01:40:53 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1556958855; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: Content-Transfer-Encoding:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=m RnMtrYsr+4HzsgFeS4j5BoRKXJRvftPlAgjoAOc+L o=; b=EjJy1xLFUuJ/U+xrJFqLcNQMCGw1UbnycFsXQbIxXM2K WBytf6sV5VUh5i+3DkoT/eV3hjnMs4rMu5OsrashBTFyVJCazn d2T5eAMGDVyQEEno6+vIJLDsizUeDyuThjMIy6CHTWqPNrQ3y4 chamulHjSddc9RAU5v1Tab5kIyQ=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 14a5_a409_d6cc8eb0_7dc4_496b_a9b2_f1d4be959618; Sat, 04 May 2019 02:34:14 -0600
Received: from DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sat, 4 May 2019 02:40:34 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Sat, 4 May 2019 02:40:34 -0600
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (10.44.176.243) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sat, 4 May 2019 02:40:32 -0600
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2613.namprd16.prod.outlook.com (20.177.227.79) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1856.12; Sat, 4 May 2019 08:40:31 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::4873:7200:9e57:9e62]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::4873:7200:9e57:9e62%5]) with mapi id 15.20.1835.018; Sat, 4 May 2019 08:40:31 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: "dots@ietf.org" <dots@ietf.org>, "draft-ietf-dots-signal-channel.all@ietf.org" <draft-ietf-dots-signal-channel.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: [Dots] Secdir telechat review of draft-ietf-dots-signal-channel-31
Thread-Index: AQHU84Xn3S97Pb+WW0CNvO8JFIRGL6ZZwC+AgAD4aJA=
Date: Sat, 4 May 2019 08:40:30 +0000
Message-ID: <BYAPR16MB2790F46BC224F33C5240FEF2EA360@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <155533088202.10777.9128855796755282458@ietfa.amsl.com> <20190503171406.GO59871@kduck.mit.edu>
In-Reply-To: <20190503171406.GO59871@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [49.37.205.191]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0b4c4b61-4e54-4575-690d-08d6d06c2ac7
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:BYAPR16MB2613;
x-ms-traffictypediagnostic: BYAPR16MB2613:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <BYAPR16MB2613C888ECF5EDF0B4596E4DEA360@BYAPR16MB2613.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0027ED21E7
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(366004)(39840400004)(136003)(346002)(376002)(32952001)(189003)(199004)(51914003)(13464003)(2906002)(966005)(6306002)(14454004)(6246003)(66446008)(9686003)(305945005)(478600001)(73956011)(66946007)(86362001)(68736007)(76176011)(6436002)(7736002)(5024004)(25786009)(256004)(14444005)(5660300002)(53936002)(55016002)(72206003)(66476007)(66556008)(99286004)(64756008)(7696005)(66066001)(74316002)(2171002)(8676002)(229853002)(76116006)(476003)(110136005)(11346002)(80792005)(486006)(8936002)(54906003)(33656002)(316002)(446003)(102836004)(6116002)(3846002)(6506007)(26005)(52536014)(81156014)(81166006)(4326008)(71200400001)(53546011)(186003)(71190400001)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2613; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: sbf8i6PVa1UyuJRJhFnDYPUu0qyzgSYZR2lGAEsmRXjhrstfncL1Y7GaZNoR0/xDwdvVlQr2uHGhzL5Lswdn5bPt5CIJ4t13mjsF2yH22+ULMvBBu1C81OMUr223nGDCeq5Gc7zQeby0NBadiHaNtA6rUu/YDAuN+oc9X60o3cCAP9WX0eF9TQQefr2CkbLCqKuKlSIxtfLkKSGSwP9kWpbVN/OtdlwkvrmqVGHaMaQLULhk0PoQm00pHT9LFdZllzF86H6NgUTWNfBFnR/0+kRsATsGQb8tSI6jdWjNFuWLtQ7OrRM+d5aCS7Kvs782rMc7JcsUMTF8Z+6FTMid0tSOzwV7kYm2trUAtJpGGsGFGC9RHKs/5tWkNpU1tZnEwh8oCUZYzmfBiyWCgBEN7nQwBOX+UIWS4+vfPjcbzdA=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0b4c4b61-4e54-4575-690d-08d6d06c2ac7
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 May 2019 08:40:31.0879 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2613
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6539> : inlines <7072> : streams <1820529> : uri <2840373>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GG4Pc20UiU4MzoMcKq_dN_nDwpk>
Subject: Re: [secdir] [Dots] Secdir telechat review of draft-ietf-dots-signal-channel-31
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 May 2019 08:40:57 -0000

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org>; On Behalf Of Benjamin Kaduk
> Sent: Friday, May 3, 2019 10:44 PM
> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>;
> Cc: dots@ietf.org; draft-ietf-dots-signal-channel.all@ietf.org; ietf@ietf.org;
> secdir@ietf.org
> Subject: Re: [Dots] Secdir telechat review of draft-ietf-dots-signal-channel-31
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is
> safe.
> 
> On Mon, Apr 15, 2019 at 05:21:22AM -0700, Stephen Farrell via Datatracker
> wrote:
> > Reviewer: Stephen Farrell
> > Review result: Has Issues
> >
> > I took a look at the changes between -30 and -31 and at the mail
> > following my earlier review of -30.
> >
> > To explain the "has issues" status for this review: Generally, I think
> > this is probably ok, but I (still) have the concerns listed below that
> > the ADs might wanna think about. The authors already responded on each
> > of these points, and made some corresponding changes, so I guess they
> > reckon these are non-issues. (Which is of course fine - even if I
> > don't quite agree, I'm often wrong:-)
> >
> > - p13: The cuid still seems to me to be too static (there's a SHOULD
> > saying to tie it to the client certificate public key or an
> > equivalent).  I still think recommending a way to generate an
> > identifier that isn't tied to a key pair would be better, esp if this
> > could be used in a CPE. (Creating a new long-lived identifier for a
> > CPE seems like a bad plan if it's not really
> > needed.) For example, one could use both the SPKI and a timestamp as
> > input for a recommended way to generate a cuid and that should be as
> > unique, but without mapping 1:1 to possibly long-lived key pairs. (-31
> > does say some more about how to change cuid, but still has the same
> > SHOULD/RECOMMENDED way to generate cuid values.)
> 
> IIUC, if there are no gateways involved, anything that sees a cuid is also
> seeing the device's client certificate, so to a large extent the use as a long-
> lived identifier is pretty similar.  Server-domain gateways are supposedly just
> for the convenience of the operator and considered equally trusted to the
> actual server, so I think this would only come into play when a client-side
> gateway is in use.  (I don't know how common that will
> be.)

As per the discussion with Stephen https://mailarchive.ietf.org/arch/msg/dots/H5JG69FJruwN7pM3j92L8wwtn-s, we have added "Appendix A. CUID Generation" and updated section 10 (please see the diff at 
https://github.com/boucadair/draft-ietf-dots-signal-channel/blob/master/wdiff%20draft-ietf-dots-signal-channel-31.txt%20draft-ietf-dots-signal-channel-31.pdf) 

> 
> > - I wondered if a bad actor in control of an authorised DOTS client
> > colluding with the controller of a DDoS attack could use this protocol
> > to probe the network to see how their attack is going and change the
> > attack to be more effective.  In mail, the authors stated that this
> > isn't possible, and added text saying that to -31. That may be true,
> > but I'm not sure (given the complexity of the protocol).
> 
> I don't think anyone responded on this yet, so I'd like to get the sense of the
> authors.
> 
> My personal take is that the status updates are only for the efficacy of
> mitigations requested by this client, so (in this scenario) while you can tell
> how much of your attack is being blocked, you may not be able to learn how
> much is making through and adapt to increase the amount making it through.
> I suppose if you didn't know how big of a cannon you have, this could provide
> a way to get some metrics, but at the cost of rendering the ongoing attack
> ineffective, and probably revealing the compromised nature of the DOTS
> client.

This comment was discussed and resolved by adding the following lines:
A DOTS client is entitled to access only to resources it creates.  In	
particular, a DOTS client cannot retrieve data related to mitigation	
requests created by other DOTS clients of the same DOTS client	
domain.

Further, the draft points to DOTS security considerations discussed in DOTS requirements draft which says the following:

   To detect compromised DOTS agents, DOTS operators should carefully
   monitor and audit DOTS agents to detect misbehavior and to deter
   misuse, while employing current secure network communications best
   practices to reduce attack surface.

> 
> > A nit:
> >
> > - p91: The mention of TCP-AO seems to require suspension of disbelief
> > (given the lack of deployment of TCP-AO).  If we don't think it'll be
> > used, it'd be better to not pretend it might get used.
> 
> The authors should respond to this as well.

We can update the use of TCP-AO as follows:

Although not widely adopted, if TCP-AO is used, then any bogus packets injected by an attacker will be rejected by the
TCP-AO integrity check and therefore will never reach the TLS layer.

Cheers,
-Tiru

> 
> Thanks for the re-review and follow-up discussion!
> 
> -Ben
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots