[secdir] Secdir review of draft-ietf-lpwan-coap-static-context-hc-15
Charlie Kaufman <charliekaufman@outlook.com> Tue, 14 July 2020 04:11 UTC
Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A06DD3A0CC2; Mon, 13 Jul 2020 21:11:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outlook.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rG992JR5zmxa; Mon, 13 Jul 2020 21:11:13 -0700 (PDT)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11olkn2030.outbound.protection.outlook.com [40.92.19.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75FAA3A0CA6; Mon, 13 Jul 2020 21:11:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=H43hvHy0B+X2RiKrZIase4NvwDsaHRf5js53z7Munc9hS9BTrVXej4pJrTpz0jGnyyp2LxzEDAK91zob021Pn1gdLCeuWGGQZeah+aLCvZIIHuvMER0PMkkvTEcsije8OHiwNemyPZemfGrRzuq8jl9HG2snXbxQvBLlPxj4SuQcBNPl+SkVQhh/N0pjhkwipO16GD1ueQHtbe93oj50nvsm/579Sm0GF1uk4UzPft8JxxXZbkU4kkf7LwaPyRorybmRr6YR1s7tmHvfMmLjnAlLYZry/WReaJkyGMd0EgOuzCRj1W+kcVwSdad45hE/zoz4otF++Bn8z9xrT3jrWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IMgpSJzWOGOicgF8gpeEjNdWu7MDAanqELstfrlMURY=; b=CyoRICHFxpFwbpGyP5JL7cRnQ71QeP+s8MrWrHkA4fZJuG+qak1O+fVXndmUZRBl3nCw4BLETKtFdpX35fyy1kpL93t4z33ZNH35hkdIPXHwgGySbkGeiKu2y8lVz6/cb1Ct+4Uwr2sCnDYpWE7eRlkgYn1xsLAQJtnN4+6IroUZsJneGrIPE3CiXDQlW3uOs0q/YUHV4zajCQ4YSiIlca3o1u0gJcgl74lxKiAHKzKKERvQoNHW8VqS5TyWFS+xgogwQ+gGGzmiCdzUWGtGRUiThDerVrvIzmeeG5SmMpfwqZoFIlQxlWrkqe3T5IBkt9uOc8u3W5ubvM+rMRcLUQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IMgpSJzWOGOicgF8gpeEjNdWu7MDAanqELstfrlMURY=; b=cdzVph6OU/dIg6Jhizyly6fnS+1xBVZfRIVayNLS55onLe+RhjuePdBOQoESlQ31PZOck+6WLc8HmrB2xP/n3C41IZI7sV1juip8s8snUSisa7Yh0TnICZV19dyrZuIM1FEoneFrgQFNB9S/rDLBQ+IL0dTQJZfNCe9ErVvnIF6zJa7UupYvKtqZF+T1r4ETcIdX6sldOjDE4gBgxgzhtMmC6e1Ej3qQt+9EUN7SLtIxFo8iIY01M0N4hweF358kjfwh8yCTV84M45VuJAD4g0ulvNKhi4EfEvgERtMBynyDLje5DtFV63JkOVDwVJefmCOpsglMUmiEbLoFK//LPQ==
Received: from CO1NAM11FT056.eop-nam11.prod.protection.outlook.com (2a01:111:e400:3861::4c) by CO1NAM11HT212.eop-nam11.prod.protection.outlook.com (2a01:111:e400:3861::99) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.21; Tue, 14 Jul 2020 04:11:12 +0000
Received: from CY4PR0701MB3650.namprd07.prod.outlook.com (2a01:111:e400:3861::53) by CO1NAM11FT056.mail.protection.outlook.com (2a01:111:e400:3861::363) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.21 via Frontend Transport; Tue, 14 Jul 2020 04:11:12 +0000
Received: from CY4PR0701MB3650.namprd07.prod.outlook.com ([fe80::7970:4441:aada:b3cd]) by CY4PR0701MB3650.namprd07.prod.outlook.com ([fe80::7970:4441:aada:b3cd%3]) with mapi id 15.20.3174.025; Tue, 14 Jul 2020 04:11:12 +0000
From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-lpwan-coap-static-context-hc.all@ietf.org" <draft-ietf-lpwan-coap-static-context-hc.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-lpwan-coap-static-context-hc-15
Thread-Index: AQHWWZPK1Ld/LHZaykO7yoNJUwkvIw==
Date: Tue, 14 Jul 2020 04:11:11 +0000
Message-ID: <CY4PR0701MB36501948B27189600943233BDF610@CY4PR0701MB3650.namprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:FEC956298AD3B39F4492978AA30DABB37673CAA6E1C551B90560DEB6186F659D; UpperCasedChecksum:F78E404EC4E8996D8F9258FB426B0EDBF9EDDC704E679A609DABBBCB802467EB; SizeAsReceived:6887; Count:41
x-tmn: [bNz63Er5ulMOGJWkySNye4fGa96KhvzH]
x-ms-publictraffictype: Email
x-incomingheadercount: 41
x-eopattributedmessage: 0
x-ms-office365-filtering-correlation-id: 98d5ddc6-3e15-4b0e-12f0-08d827abf1c9
x-ms-traffictypediagnostic: CO1NAM11HT212:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FPuI8P9A0PLyIUhSXx3Yp8J1QZg2mH3X/MDNfLJ/CKSi9YkR9L/wRtcY1Z11MSeEG0942jK+IjSyL3czm7hYaScBXBIsXdnxEh9HKsDlFmX5Yn7gc4EM9donuCxTHrR8GXNTYTmf38vOwy2YVabhJSjryGsIk8azKieryftQw5TuPvl8JgKsz8EIfFqGt+xECEtBfiAem6ix9jg60dYNVg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:0; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR0701MB3650.namprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:; DIR:OUT; SFP:1901;
x-ms-exchange-antispam-messagedata: CbDiTN1B7OxEgzIZbkX6pzvwyJa3wRusyQcymzHH+A5DpFi5AdHVrlwhx8VOdTv8eJWmKwKBcHWRK6a3qYXjIEjeH9Ggp3D+RAPaG+fmUi0t5UVoJERuxtng7dIs1AZJd8MqtnfiHBI0Oq6hv4m45A==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CY4PR0701MB36501948B27189600943233BDF610CY4PR0701MB3650_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT056.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 98d5ddc6-3e15-4b0e-12f0-08d827abf1c9
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2020 04:11:12.1323 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1NAM11HT212
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/aWAPpSOjNWQx_oHMwoJUyCU1Dzk>
Subject: [secdir] Secdir review of draft-ietf-lpwan-coap-static-context-hc-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2020 04:11:16 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This draft defines how SCHC (Static Context Header Compression) should be applied to the CoAP (Constrained Application Protocol). It appears that CoAP is designed for low end devices speaking standard protocols with a lot of static content they would like to suppress to avoid wasting processing time and communications overhead. That means that these devices are likely to be generating and parsing the compressed content directly rather than generating the full content and then compressing it. One security considerations worth noting is that whenever compression is used with a protocol intended to be encrypted (which this one is), the question should be raised as to whether the compression can be leveraged by an attacker to make traffic analysis more effective. In this case, I don't believe it can, but there should probably be an explanation of why in the security considerations. (The explanation is that the values in earlier fields do not affect the compression of later fields, so an attacker cannot supply values whose length after compression will leak the values of other compressed fields). This document is very difficult to read and could use an editing pass by a native English speaker, but I suspect that is not its only problem. Synchronizing the compression parameters is explicitly out of scope for this document, but this document allows for so many different variations in the parameter settings that it's not clear whether these settings are intended to by dynamically negotiated. While there are lots of aspects of this specification that I'm uncertain about, I am fairly certain it does not introduce any security problems. Details: Introduction: What does "designed to easily interop with HTTP" mean? Section 2 is confusing. For example: "In the first example Figure 1, a Rule compresses the complete header stack from IPv6 to CoAP. In this case, SCHC C/D (Static Context Header Compression Compressor/Decompressor) is performed at the Sender and at the Receiver. The host communicating with the device do not implement SCHC C/D." This text seems to make some distinction between the communications endpoint and the host on which the communications endpoint runs. But its not clear what the distinction is. I'm guessing there is a presumption that the host processes the network layer headers and some application processes the packet "payload", but if so doing the IPv6 and UDP header compression within the application makes no sense. The punctuation around figures 1, 2, and 3 including: ((((((())))))) ----- ------ ------ ----- does not make a lot of sense. The figures could use more explanation as to what the columns mean. Nits: Capitalization of "RFC" should be consistent (in particular, in section 1.1: [RFC2119][rfc8174]) "still is too large for" -> "is still too large for" "requires to install" -> "requires the installation of" "device do not" -> "device does not" "[rfc8724] document" -> "[rfc8724]" Sorry... there are just too many nits to enumerate.
- [secdir] Secdir review of draft-ietf-lpwan-coap-s… Charlie Kaufman
- Re: [secdir] Secdir review of draft-ietf-lpwan-co… Benjamin Kaduk