[secdir] sec-dir review of draft-ietf-stox-presence-07

Ben Laurie <benl@google.com> Mon, 03 February 2014 17:50 UTC

Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id B6F451A01DA for <secdir@ietfa.amsl.com>; Mon, 3 Feb 2014 09:50:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.914
X-Spam-Status: No, score=-1.914 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 453jtx7VaepU for <secdir@ietfa.amsl.com>; Mon, 3 Feb 2014 09:50:26 -0800 (PST)
Received: from mail-vc0-x22f.google.com (mail-vc0-x22f.google.com [IPv6:2607:f8b0:400c:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 08E381A01C9 for <secdir@ietf.org>; Mon, 3 Feb 2014 09:50:25 -0800 (PST)
Received: by mail-vc0-f175.google.com with SMTP id ij19so4906976vcb.6 for <secdir@ietf.org>; Mon, 03 Feb 2014 09:50:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=p7MK6Sw9aCrjAVOOv710wc55vtwZnfhsGiGEAbSDfhY=; b=OK1dCJ8nDvOM3YruGU5V8q8XHXY/PPpOUO915D3VJFzPQPzCyiHJ+E/LLGHWso1nX2 7GHS76ZQpRQLYQCgCnQi5HKhFdjnKc8QocG39vUHYSrch53eMgDggifsmVZO2seQuYEp zctn34aSjYXP5j4OGsLpPmWARPbZfb0J/V7zJFCYhfPMTwRZaygLfR8QYpZxce1SFcBN EfDewN+OGk5wYMwfZ4WJKpkrX6ZmdvjVzeujRyj6MzsX2Nj+DU3eTY0Aq0SxCp2GJxeK GBV7F1Jzedbl9qr1ftVQLrEbhCn3qNaeviJA1KecdwfjWIMIk5QlOM1DYKzk35S0pbDQ PNCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=p7MK6Sw9aCrjAVOOv710wc55vtwZnfhsGiGEAbSDfhY=; b=dP4LAAmhHUfvYGbsvcX9jWOWdeI8Fp4c/mhnqbZpZ5F6vrYKNfmxDOa9DVSPW7Mvih 4RQ+z83qcmbzI/de0nkLdaTAL75qrzVKQGxQKdcBh1a1OTc4udEqihLYNCirO8yV9Ost 4oeGUjRGBGs0Xn2mpS1S/zgup5iFaB2/UoIoRe/C20kvmEjxJNq57feJYqC6+5biGlq5 JYcdHXce3Z4LvqoBMLZEj0iduoXTayM8S2HQMBAmAjBIUi8POQukOjcPVC3CNaXfadM3 Up0399aq3XdnT2RWJWIs7FyrgFd77YcRGPj27oyxw84eS/kSvJAigEUfcQ0rIn8NzPOZ GiFg==
X-Gm-Message-State: ALoCoQl9/PUisR+lrVbp0fKfCodA19WH6XkgpLO3/HCdY5BYT79E9P3p/gGvPzN4MNXNYqfItZAAJ4lojlXVlWeJGbzeR3SATux/mdiGmcWuhQOeExvISt3I0y3M3xUdk0Zc9fjdf6R0bDwCx5KJgH+K9OYsaKr9EWVEaOqRHi1F3x3Ys2y0qLm6BElzLdfiqIbh1azXz8/q
MIME-Version: 1.0
X-Received: by with SMTP id i10mr2623581vch.23.1391449825545; Mon, 03 Feb 2014 09:50:25 -0800 (PST)
Received: by with HTTP; Mon, 3 Feb 2014 09:50:25 -0800 (PST)
Date: Mon, 03 Feb 2014 17:50:25 +0000
Message-ID: <CABrd9SQ7EV5hZ-cEP3DLsBTN5WAwxUFpxndX=iUXzhJ68fu-6A@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-stox-presence.all@tools.ietf.org
Content-Type: text/plain; charset="UTF-8"
Subject: [secdir] sec-dir review of draft-ietf-stox-presence-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2014 17:50:27 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: ready with nits

Detail: the I-D documents a mapping between two fairly well-matched
presence protocols, and hence does not introduce much danger. The one
area of concern is that SIP presence subscriptions are short-lived and
XMPP's are long-lived, thus opening the possibility of an
amplification attack against SIP via XMPP.

The suggested mitigation is weak:

"To help prevent such an attack, access to an XMPP-
   SIP gateway that is hosted on the XMPP network SHOULD be restricted
   to XMPP users associated with a single domain or trust realm (e.g., a
   gateway hosted at simple.example.com ought to allow only users within
   the example.com domain to access the gateway, not users within
   example.org, example.net, or any other domain)"

Many XMPP servers allow open registration and so this defence is no
defence at all in that case. Perhaps some kind of rate limitation
would be useful?

Also, this part:

"Furthermore, whenever an XMPP-SIP gateway seeks to refresh
   an XMPP user's long-lived subscription to a SIP user's presence, it
   MUST first send an XMPP <presence/> stanza of type "probe" from the
   address of the gateway to the "bare JID" (user@domain.tld) of the
   XMPP user, to which the user's XMPP server MUST respond in accordance
   with [RFC6121]; however, the administrator of an XMPP-SIP gateway MAY
   (based on local service provisioning) exempt "known good" XMPP
   servers from this check (e.g., the XMPP server associated with the
   XMPP-SIP gateway as described above)."

is unclear: how does it help?