Re: [secdir] Secdir review of draft-ietf-tsvwg-rlc-fec-scheme
Vincent Roca <vincent.roca@inria.fr> Wed, 19 September 2018 09:37 UTC
Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32BCF130DC7; Wed, 19 Sep 2018 02:37:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JlejB2Q6m_tN; Wed, 19 Sep 2018 02:37:16 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5E112F1A2; Wed, 19 Sep 2018 02:37:15 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.53,393,1531778400"; d="scan'208,217";a="279372264"
Received: from demeter.inrialpes.fr ([194.199.28.3]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Sep 2018 11:37:13 +0200
From: Vincent Roca <vincent.roca@inria.fr>
Message-Id: <AA1BA182-6C42-44B2-A172-96B9C0997323@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_94B6AE9A-7444-411A-A7DC-BBFE2F118097"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 19 Sep 2018 11:37:12 +0200
In-Reply-To: <AC5F299B-4787-40E4-8E8C-8051E0761416@deployingradius.com>
Cc: secdir@ietf.org, draft-ietf-tsvwg-rlc-fec-scheme.all@ietf.org, tsvwg@ietf.org, The IESG <iesg@ietf.org>
To: aland@deployingradius.com
References: <AC5F299B-4787-40E4-8E8C-8051E0761416@deployingradius.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/m-bh666E6BJ2T7qcPo7YUzuwQgA>
Subject: Re: [secdir] Secdir review of draft-ietf-tsvwg-rlc-fec-scheme
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Sep 2018 09:37:19 -0000
Hello Alan, Thanks a lot for your SECDIR review. NB: I have added IESG (you forgot to do so) and TSVWG (to let everybody know) to the CC list of this answer. > Le 18 sept. 2018 à 16:08, Alan DeKok <aland@deployingradius.com> a écrit : > > I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. > > The summary of the review is read with nits > > The document seems to clearly describe what it's doing and why. > > One nit I have is the formulae in the document, e.g.: > > dw_max_size = (max_lat * br_out * cr) / (8 * E) > > My concern here is about numerical overflow, which could lead to improper calculations and security problems. > > Experience has shown that naive implementations will just do the calculations no matter what the inputs. Garbage inputs then lead to garbage outputs, and we have problems. > > It would be good to: > > * state the limits on each of the variables, so that implementations can know that values *outside* of these limits are erroneous, and should be ignored > > * state the minimum size of each of the above variables. e.g. "dw_max_size" is likely not going to be an 8-bit integer. So what data types are sufficient to perform the calculations correctly? > > This information may be in another document, but it wasn't clear on cursory inspection. This is a very good point. NEW in section 3.1.1: The ew_max_size is the main parameter at a FECFRAME sender. It is RECOMMENDED to check that the ew_max_size value stays within reasonnable bounds in order to avoid hazardous behaviours. and later (same section): It is RECOMMENDED to check that the ls_max_size value stays within reasonnable bounds in order to avoid hazardous behaviours. NEW section: 8.5. Additional Security Considerations for Numerical Computations In addition to the above security considerations, inherited from [RFC6363], the present document introduces several formulae, in particular in Section 3.1.1. It is RECOMMENDED to check that the computed values stay within reasonnable bounds since numerical overflows, caused by an erroneous implementation or an erroneous input value, may lead to hazardous behaviours. However what "reasonnable bounds" means is use-case and implementation dependent and is not detailed in this document. Section 3.1.2 also mentions the possibility of "using the timestamp field of an RTP packet header" when applicable. A malicious attacker may deliberately corrupt this header field in order to trigger hazardous behaviours at a FECFRAME receiver. Protection against this type of content corruption can be addressed with the above recommendations on a baseline secure operation. In addition, it is also RECOMMENDED to check that the timestamp value be within reasonnable bounds. > 3.1.2: > > Another approach consists in using ADU timing information (e.g., > using the timestamp field of an RTP packet header > > What happens if the timestamp is outside of reasonable bounds? There could be a recommendation that only timestamps within a certain window are used. > > e.g. an adversary sends timestamps which are unreasonable, and a naive implementation could use those, and engage in integer overflow, etc. > > Section 8 describes protections against many adversarial attacks, which is good. > > I would suggest adding a sub-section of Section 8, discussion computation / numerical issues, as discussed above. Good point. In our implementation we do not rely on NTP timestamp but on the 2nd possibility mentioned in the I-D: "Another approach consists in using ADU timing information (e.g., using the timestamp field of an RTP packet header, or registering the time upon receiving a new ADU)." Using the gettimeofday() (or a similar system call) relieves from this problem and avoids to dig into packet headers to get the RTP timestamp. However we have added a sentence to warn an implementer about this risk (see the 2nd paragraph on new section 8.5 above) > Other than that, the document looks fine. Thanks a lot for these suggestions. We’re preparing a new version that will also answer the Genart review from Russ H. Cheers, Vincent and Belkacem
- [secdir] Secdir review of draft-ietf-tsvwg-rlc-fe… Alan DeKok
- Re: [secdir] Secdir review of draft-ietf-tsvwg-rl… Vincent Roca