Re: [secdir] Recurring issues found during sec review

Paul Wouters <paul@nohats.ca> Tue, 23 July 2019 15:33 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C9E5120423 for <secdir@ietfa.amsl.com>; Tue, 23 Jul 2019 08:33:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3O_Syzgc4RmD for <secdir@ietfa.amsl.com>; Tue, 23 Jul 2019 08:33:25 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D6D5120383 for <secdir@ietf.org>; Tue, 23 Jul 2019 08:33:25 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 45tMv64jdTz5B7 for <secdir@ietf.org>; Tue, 23 Jul 2019 17:33:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1563896002; bh=p/NBWZxQgZIOdosWYC9R3x7X+m/y5HZ/yq5CzXhpGRQ=; h=Date:From:To:Subject:In-Reply-To:References; b=kuymZWXsJaDTJGnISlL5K/5D3MxK7sFYXSJ7xfxFvgPyd6O1Fz1+nbpDmExU8xQlZ fY3JQNzsg08aHyldPpHyDJLpYWLDZcAuZHWTxqHfPFt/7Ul0TX9UbSvxqFPsWAIV7A 0P+3HwFDKI9f3k9VWvVTUAdEDmhf1o6vZ8bb0JaA=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id RY0pfW2uB_P1 for <secdir@ietf.org>; Tue, 23 Jul 2019 17:33:20 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <secdir@ietf.org>; Tue, 23 Jul 2019 17:33:19 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 9D4943159D2; Tue, 23 Jul 2019 11:33:18 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 9D4943159D2
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 96A4B406FE60 for <secdir@ietf.org>; Tue, 23 Jul 2019 11:33:18 -0400 (EDT)
Date: Tue, 23 Jul 2019 11:33:18 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: secdir <secdir@ietf.org>
In-Reply-To: <14187E3B-4436-406E-A2D6-7A514CD95925@akamai.com>
Message-ID: <alpine.LRH.2.21.1907231120530.16355@bofh.nohats.ca>
References: <359EC4B99E040048A7131E0F4E113AFC01B33E17EA@marchand> <BAB87450-CF8C-4AB2-89C6-1578C4E8C273@deployingradius.com> <alpine.LRH.2.21.1907231009140.16355@bofh.nohats.ca> <4210BF08-7564-4F9B-9E3D-2902B0351707@deployingradius.com> <14187E3B-4436-406E-A2D6-7A514CD95925@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dV8od-7qDRldHiqQJ4kTHNOXVU8>
Subject: Re: [secdir] Recurring issues found during sec review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 15:33:37 -0000

On Tue, 23 Jul 2019, Salz, Rich wrote:

>    > That is, every MUST should have an obvious action for when it is
>    > violated.
>
>      That's a good phrasing.
>
> I strongly disagree.  It turns every MUST into something that only the recipient must act on.

Unless it is MUST ignore ?

>  The burden of the protocol should be on both sides to act correctly

Indeed, the document would already state not to send malformed data. But
the responder/server will be the endpoint dealing with those violations.

> , and one side should not be constrained to behave a particular way if the counter-party misbehaves. Another reason against this is that it tends to result in naïve behavior such as oracles or "name not found" being distinguished from "wrong password"

I think we are not saying different things. If the action of a MUST is
not obvious (eg drop packet), and there are security issues into giving
too specific error codes as the example you bring up, it is precisely
why the document should tell you what to do. I'm not saying every MUST
must have a specific and immediate sentence following saying what to do.

For example, IKEv2 has a very limited set of error codes specifically
to cover your concern here. INVALID_SYNTAX, AUTHENTICATION_FAILED and
NO_PROPOSAL_CHOSEN. With the latter one being the kitchen sink of
errors.

Paul