IETF Logo Mail Archive

Re: [secdir] secdir review of draft-nottingham-http-new-status-03

Stephen Hanna <shanna@juniper.net> Fri, 13 January 2012 21:38 UTC

Return-Path: <shanna@juniper.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE2711E8072; Fri, 13 Jan 2012 13:38:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jmLJwx5rmiPG; Fri, 13 Jan 2012 13:38:00 -0800 (PST)
Received: from exprod7og104.obsmtp.com (exprod7og104.obsmtp.com [64.18.2.161]) by ietfa.amsl.com (Postfix) with ESMTP id E33431F0C38; Fri, 13 Jan 2012 13:37:45 -0800 (PST)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob104.postini.com ([64.18.6.12]) with SMTP ID DSNKTxCkKbHP00G72Ri3Abpj4eTMkCEanwp7@postini.com; Fri, 13 Jan 2012 13:37:51 PST
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.3.213.0; Fri, 13 Jan 2012 13:26:30 -0800
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Fri, 13 Jan 2012 16:26:29 -0500
From: Stephen Hanna <shanna@juniper.net>
To: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 13 Jan 2012 16:26:28 -0500
Thread-Topic: secdir review of draft-nottingham-http-new-status-03
Thread-Index: AczSMbESPXFYh7cpTSiWb/c10V+TNAABO4tQ
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AEB82253AE7B@EMBX01-WF.jnpr.net>
References: <AC6674AB7BC78549BB231821ABF7A9AEB82253AD14@EMBX01-WF.jnpr.net> <4F109383.1090505@gmx.de>
In-Reply-To: <4F109383.1090505@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-nottingham-http-new-status@tools.ietf.org" <draft-nottingham-http-new-status@tools.ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-nottingham-http-new-status-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2012 21:38:01 -0000

Julian,

I'm sure that in your view one sentence is adequate to explain
all the security implications of each status code. However,
you may want to consider that some readers may not have quite
the same deep grasp of the matter that you do. Therefore,
I think it would be wise to provide more explanation. Here's an
example for section 7.2 on status code 429 (Too Many Requests):

Section 7.2  429 Too Many Requests

   While status code 429 can be helpful in figuring out why a
   server is not responding to requests, it can also be harmful.
   When a server is under attack or simply receiving a very
   large number of requests from a single party, responding
   to each of these requests with a 429 status code will consume
   resources that could be better used in other ways. Therefore,
   a server in such circumstances may choose to send a 429 status
   code only the first time a client exceeds its limit and
   ignore subsequent requests from this client until its limit
   is no longer exceeded. Other approaches may also be employed.

As you can see, I described security problems that could occur
with this status code and explained how those problems can be
avoided or mitigated. While it's true that these problems
could occur when a more generic status code is used to handle
the case of "too many requests", that does not mean that they
are not relevant to this document. On the contrary, the fact
that this document is providing more detailed status codes
gives us the opportunity and one can argue the obligation to
provide more detailed security analysis relevant to these more
detailed status codes.

And I'm glad that you saw the value in my comment about
Appendix B!

Thanks,

Steve

> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Friday, January 13, 2012 3:27 PM
> To: Stephen Hanna
> Cc: draft-nottingham-http-new-status@tools.ietf.org; secdir@ietf.org;
> ietf@ietf.org
> Subject: Re: secdir review of draft-nottingham-http-new-status-03
> 
> On 2012-01-13 20:59, Stephen Hanna wrote:
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the
> > IESG. These comments were written primarily for the benefit of the
> > security area directors. Document editors and WG chairs should treat
> > these comments just like any other last call comments.
> >
> > This document specifies new HTTP status codes for a variety of
> > common situations. Although I am not an HTTP expert, it seems
> > to me that this document is clear, well-written, and reasonable.
> 
> +1
> 
> >> From a security perspective, this document seems to have little
> > impact either positive or negative. However, the Security
> > Considerations section does not meet our usual standards.
> > While the authors include a subsection on each new status code,
> > they do not explain clearly what the security implications are
> > for each status code and how any possible negative impacts
> > could be reduced.
> 
> In general, the proposed new codes just allow to describe a problem
> more
> clearly; previously, a more generic status code would have to be used.
> 
> As such, they do not change security at all.
> 
> > Riccardo Bernardini already commented on this issue during
> > IETF LC. However, I do not agree with Mr. Bernardini that
> > sections 7.1 and 7.2 are not security related. Rather, the
> > security implications are just not clearly stated. For example,
> > section 7.2 points out that servers may not want to always
> > use the 429 status code when receiving too many requests
> > from one client. This has security implications in that
> > a server under attack with excessive requests from one
> > client may compound the problem by queuing 429 status codes
> > for every request from that client. However, this is not
> > stated explicitly in section 7.2. Fleshing out the subsections
> 
> "Servers are not required to use the 429 status code; when limiting
> resource usage, it may be more appropriate to just drop connections, or
> take other steps."
> 
> > of section 7 (Security Considerations) should help solve the
> > problem by providing a clear description of security problems
> > related to these result codes and recommended mitigations.
> > Section 7.4 does a decent job of describing the problems
> > but fails to describe mitigations. I think that having the
> > client use HTTPS instead of HTTP for important requests
> > and limiting the effects of HTTP (not HTTPS) responses
> > is an obvious mitigation.
> 
> It's not the job of this spec to completely describe security
> considerations with respect to captive portals.
> 
> All the spec does is defining a new status code that, when used, makes
> captive portals a bit better to work with.
> 
> > I do have a question about the issues raised in Appendix B.
> > These are all legitimate issues. However, it seems to me
> > that having status code 511 should help with these. A
> 
> Indeed; that's why 511 is there in the first place. The introduction to
> Appendix B should state that.
> 
> > ...
> 
> Best regards, Julian

v2.23.0 | Report a Bug | By Email