IETF Logo Mail Archive

Re: [secdir] secdir review of draft-nottingham-http-new-status-03

Julian Reschke <julian.reschke@gmx.de> Fri, 13 January 2012 20:26 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDD2721F8498 for <secdir@ietfa.amsl.com>; Fri, 13 Jan 2012 12:26:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.604
X-Spam-Level:
X-Spam-Status: No, score=-103.604 tagged_above=-999 required=5 tests=[AWL=-1.005, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGe2x8lyJqVk for <secdir@ietfa.amsl.com>; Fri, 13 Jan 2012 12:26:52 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 7CF1021F848C for <secdir@ietf.org>; Fri, 13 Jan 2012 12:26:52 -0800 (PST)
Received: (qmail invoked by alias); 13 Jan 2012 20:26:51 -0000
Received: from p5DCC28C9.dip.t-dialin.net (EHLO [192.168.178.36]) [93.204.40.201] by mail.gmx.net (mp069) with SMTP; 13 Jan 2012 21:26:51 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/1gFl4Jo31RC5WyQUqS1V15w7h84H03l+atE5rFN Ih+kw4M/O5gn69
Message-ID: <4F109383.1090505@gmx.de>
Date: Fri, 13 Jan 2012 21:26:43 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Stephen Hanna <shanna@juniper.net>
References: <AC6674AB7BC78549BB231821ABF7A9AEB82253AD14@EMBX01-WF.jnpr.net>
In-Reply-To: <AC6674AB7BC78549BB231821ABF7A9AEB82253AD14@EMBX01-WF.jnpr.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Mailman-Approved-At: Wed, 18 Jan 2012 08:22:31 -0800
Cc: "draft-nottingham-http-new-status@tools.ietf.org" <draft-nottingham-http-new-status@tools.ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-nottingham-http-new-status-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2012 20:26:53 -0000

On 2012-01-13 20:59, Stephen Hanna wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document specifies new HTTP status codes for a variety of
> common situations. Although I am not an HTTP expert, it seems
> to me that this document is clear, well-written, and reasonable.

+1

>> From a security perspective, this document seems to have little
> impact either positive or negative. However, the Security
> Considerations section does not meet our usual standards.
> While the authors include a subsection on each new status code,
> they do not explain clearly what the security implications are
> for each status code and how any possible negative impacts
> could be reduced.

In general, the proposed new codes just allow to describe a problem more 
clearly; previously, a more generic status code would have to be used.

As such, they do not change security at all.

> Riccardo Bernardini already commented on this issue during
> IETF LC. However, I do not agree with Mr. Bernardini that
> sections 7.1 and 7.2 are not security related. Rather, the
> security implications are just not clearly stated. For example,
> section 7.2 points out that servers may not want to always
> use the 429 status code when receiving too many requests
> from one client. This has security implications in that
> a server under attack with excessive requests from one
> client may compound the problem by queuing 429 status codes
> for every request from that client. However, this is not
> stated explicitly in section 7.2. Fleshing out the subsections

"Servers are not required to use the 429 status code; when limiting 
resource usage, it may be more appropriate to just drop connections, or 
take other steps."

> of section 7 (Security Considerations) should help solve the
> problem by providing a clear description of security problems
> related to these result codes and recommended mitigations.
> Section 7.4 does a decent job of describing the problems
> but fails to describe mitigations. I think that having the
> client use HTTPS instead of HTTP for important requests
> and limiting the effects of HTTP (not HTTPS) responses
> is an obvious mitigation.

It's not the job of this spec to completely describe security 
considerations with respect to captive portals.

All the spec does is defining a new status code that, when used, makes 
captive portals a bit better to work with.

> I do have a question about the issues raised in Appendix B.
> These are all legitimate issues. However, it seems to me
> that having status code 511 should help with these. A

Indeed; that's why 511 is there in the first place. The introduction to 
Appendix B should state that.

> ...

Best regards, Julian

v2.23.0 | Report a Bug | By Email