Re: [secdir] Writing Security Considerations

"Salz, Rich" <rsalz@akamai.com> Thu, 27 June 2019 12:15 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Vincent Roca <vincent.roca@inria.fr>
CC: secdir <secdir@ietf.org>
Date: Thu, 27 Jun 2019 12:15:09 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/hTHls-EWl2kx6sCZfhv-cwGEcJw>
Subject: Re: [secdir] Writing Security Considerations

Well there’s also the fact that it was implemented in TLS but only intended for DTLS.

But yeah, I’m still not sure what the lesson learned is.

From: Yoav Nir <ynir.ietf@gmail.com>
Date: Thursday, June 27, 2019 at 12:33 AM
To: Vincent Roca <vincent.roca@inria.fr>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Writing Security Considerations

Hi, Vincent.

Thanks, but I don’t know what kind of lesson there is in this for the general RFC-writing audience.

Always call out when you have internal length fields because that can be done dangerously in C?

I think mis-handling length fields has been an issue with protocols as long as protocols have been implemented.

Yoav


On 26 Jun 2019, at 9:57, Vincent Roca <vincent.roca@inria.fr> wrote:

Hello Yoav and Linda,

Good initiative.

Since you’re looking for stories, here is a proposal, rooted in real life.
RFC6520 (https://tools.ietf.org/html/rfc6520) on TLS heartbeat extension has a pretty simple security considerations section: it says
it does not introduce any new security consideration and it refers to two existing RFCs.

We all know this TLS heartbeat extension has been the cause of the famous Heartbleed OpenSSL vulnerability and associated attack.
Of course the major problem comes from an erroneous implementation of the mechanism in OpenSSL:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3

The goal is not to blame anybody in person, especially as the RFC describes what should be done to prevent any problem.
But I also think this is a document where we all (i.e., authors/secdir/IESG) should have highlighted the associated risk of badly
implementing the response message in the Security Considerations section. As always in such a situation, it’s easier to say afterwards!

I think there is a way to say that in a positive way (lessons learned) and tell an interesting story many people heard about without knowing
the details.

Cheers,

  Vincent


On 25 Jun 2019, at 20:57, Yoav Nir <ynir.ietf@gmail.com> wrote:

Hi, all

If you’ve had a look at the draft agenda (https://datatracker.ietf.org/meeting/105/agenda.html), we have a Writing Security Considerations tutorial on Sunday, which Linda Dunbar and I will be doing.

The idea is to get people writing drafts to know what they should do for a smooth interaction with us SecDir people.

The slides do not exist yet, but we have a rough outline on github: https://github.com/IETF-SAAG/SecurityConsiderationsTutorial

So if there’s missing or wrong stuff, we’d like to hear about it, preferably in the form of PRs.

But most of all, we’re looking for more examples in the examples page: https://github.com/IETF-SAAG/SecurityConsiderationsTutorial/blob/master/examples.md

So any horror story, war story, stuff that’s terribly wrong, or even something that’s surprisingly right will be welcome.

Thanks in advance

Linda & Yoav

_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview