IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-siprec-metadata-20

David Mandelberg <david@mandelberg.org> Sun, 21 February 2016 23:38 UTC

Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 551AE1AC3B0 for <secdir@ietfa.amsl.com>; Sun, 21 Feb 2016 15:38:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.701
X-Spam-Level:
X-Spam-Status: No, score=-0.701 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efggpNekW6Jk for <secdir@ietfa.amsl.com>; Sun, 21 Feb 2016 15:38:39 -0800 (PST)
Received: from nm22-vm10.access.bullet.mail.bf1.yahoo.com (nm22-vm10.access.bullet.mail.bf1.yahoo.com [216.109.115.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDF751AC3B4 for <secdir@ietf.org>; Sun, 21 Feb 2016 15:38:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1456097917; bh=VXds8pAiANrW7RNG8JfodJwvZjWYnpuPadgYMfNgC3g=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=RpCnOWJOgp4gkwgsHPZ2cTXuQFhb+je5N0WyFI/90r4Gh9bUl3+y5bB/rVGjDaawd5WU7XnQLNw7DQbWGCN5RYG/DwMQQoMXoG+v5s9a18hopdYnKKrPuppSOQMOv/gynIW6NoE/f6HU/3vOXCmOSh09oCsorhpNrNZbUNHfBwpyEnBoRb2V3CyCfm9aDZ59vfhIzlxFBlxGV/EGQuTbvgAJySxGi605UBQ6XJupUIOHypdaamAnTu6bwdyqe4yNaI8LF3AXkTI2zp2nK6SbcNCI24KSsqNfqklYBCPP/32VuGw68gb7tt8YrFme/21frgbwrl/LsTt5cNEjLQvyrg==
Received: from [66.196.81.159] by nm22.access.bullet.mail.bf1.yahoo.com with NNFMP; 21 Feb 2016 23:38:37 -0000
Received: from [98.138.104.97] by tm5.access.bullet.mail.bf1.yahoo.com with NNFMP; 21 Feb 2016 23:38:37 -0000
Received: from [127.0.0.1] by smtp117.sbc.mail.ne1.yahoo.com with NNFMP; 21 Feb 2016 23:38:37 -0000
X-Yahoo-Newman-Id: 176535.37965.bm@smtp117.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: a71bgIYVM1mSm_MnHu4B2TWHYOE.z4WM2HFIEn5_.sZj7TY qOkVbtDe5LEJ5ND4teLyxG4k7tWOT44J09kohEqqB15OWgyqneQXybGoFmSj NYndMmz300PCVn6I4vozWOw9vOW4oOkoWBVnapiL5s0n7hp83I5kANSJV4jd pMOGNiPz8EyWpWRGxruMda2_EkoqNEjXI1rtj829EI1MgaYHuqnDc_GGOyse 3n1Ho3gyFy3FuVbQRskK7_CwNxswKJ0GZM6Z8PeUNcZUJnFhgb7.2ujcCbKI HDUUFr.mbGP6OwBZPBXZjgPZU3QdmlIEH4WRej_0k5Sc_KbS2zyCUddbilDV XZj7afzyVFUVkixlzFg41.V0Ycj5AO7F3tZEFuCIKNgAmLddIrB0Zrh.5VGG uiUjL5lBgV6l1MO0P3T5ZqsJ7Z8Aqe_quGKub5ameUPCFePWiIX6JfBCQsn5 KV80WyfnRvhHRIfOFPmhGJuKkmGPZOp7iZSAP9SjslPwe3Z_VmE6jg9TmVdZ e0jBya4l3zr2tc_G7sZsA_Za_ZpCHPfnRkDhfaA--
X-Yahoo-SMTP: 4kJJK.qswBDPuwyc5wW.BPAQqNXdy5j09UNyeAS0pyOQ708-
Received: from [192.168.1.16] (c-76-24-31-176.hsd1.ma.comcast.net [76.24.31.176]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 58F581C6035; Sun, 21 Feb 2016 18:38:35 -0500 (EST)
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, iesg@ietf.org, secdir@ietf.org, draft-ietf-siprec-metadata.all@tools.ietf.org
References: <56C0EB89.4050409@mandelberg.org> <56C15FB9.8030600@alum.mit.edu> <56C4B3D6.6040700@mandelberg.org> <56C4BA98.3080001@alum.mit.edu>
From: David Mandelberg <david@mandelberg.org>
X-Enigmail-Draft-Status: N1110
Message-ID: <56CA4A7A.1050505@mandelberg.org>
Date: Sun, 21 Feb 2016 18:38:34 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <56C4BA98.3080001@alum.mit.edu>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="psPIw9pd34RClwx55eC8Hepe9ofAiCGa8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/ZiTCt-_daSINy0-qnBzElN68YT8>
Subject: Re: [secdir] secdir review of draft-ietf-siprec-metadata-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2016 23:38:40 -0000

Responses to your points are below, but I think it might also help if
I'm more clear about how I think this issue could be resolved. Here's
one way that seems reasonable to me, but is not the only way to prevent
the issue I brought up (unless I'm wrong and it's not an issue).

Add text specifying that if an SRS receives more than one object defined
with the same UUID, the SRS MUST reject (or ignore?) all but the first
definition of the object. (This would ensure that UUIDs are actually
unique on a per-SRS basis.) Also, specify that an SRC MUST use a random
or pseudo-random method of generating UUIDs, and an SRC MUST NOT share
an object's UUID with anybody other than the SRS until after the SRS has
acknowledged receipt of that object. (This would ensure that the UUID
generated by the SRC points to the correct object.)

Would that work?


On 02/17/2016 01:23 PM, Paul Kyzivat wrote:
> So your concern is the security implications when we have a malicious
> SRC that has been authorized by the SRS?

Yes, but I didn't see anything in the draft saying that an SRC needs to
be authorized by the SRS, just that the SRS needs to be authorized by
the SRC. Maybe I missed that? Or maybe the Security Considerations could
be made more clear about exactly who needs to authenticate to whom and
who needs to make what authorization decisions based on that authentication?


> If so, it seems like that can extend to lots of things beyond reuse of
> UUIDs.

The only issue I noticed was with the UUIDs. Otherwise it looks like an
SRS could record metadata from any untrusted SRC without any security
concerns other than the use of bandwidth, disk space, etc. (I could have
missed something of course.)


> (Going further afield, how does this differ from a malicious SIP UA that
> has the credentials to register a particular AoR? It could cause all
> sorts of mischief by unregistering valid UAs, etc. ISTM the bottom line
> is that it is impossible to avoid problems from a party with access to
> enough "secrets".)

I'm not a SIP expert, but I think it needs to be made clear which pieces
of data are secrets in order to reason about the security of a system.
At present, I don't see any indication that UUIDs are meant to be
secrets. If they are supposed to be secrets, then I don't think they're
adequately protected from attackers who can guess the output of a
(potentially non-random) UUID generator.


> But the problem actually seems less severe in the case of SIPREC. The
> SRS is performing what is essentially an append-only write process. The
> use of a duplicate UUID by a malicious SRC doesn't cause any valid
> information to be lost. And the SRS is free to track the source of each
> piece of information it records, so that the malicious info can be
> sorted out from the valid info once the bad guy has been identified.

I don't see any mention of append-only writing in the draft, so I don't
know how a server implementer would know to avoid overwriting of the
object for a specific UUID, thus modifying the meaning of metadata that
had previously been recorded from a different SRC.


-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

v2.23.0 | Report a Bug | By Email