Re: [secdir] secdir review of draft-ietf-siprec-metadata-20
Paul Kyzivat <pkyzivat@alum.mit.edu> Wed, 17 February 2016 18:23 UTC
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9F791B2B19 for <secdir@ietfa.amsl.com>; Wed, 17 Feb 2016 10:23:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PYuadCfVGVh2 for <secdir@ietfa.amsl.com>; Wed, 17 Feb 2016 10:23:23 -0800 (PST)
Received: from resqmta-ch2-04v.sys.comcast.net (resqmta-ch2-04v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:36]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42CA61B2AFD for <secdir@ietf.org>; Wed, 17 Feb 2016 10:23:23 -0800 (PST)
Received: from resomta-ch2-07v.sys.comcast.net ([69.252.207.103]) by resqmta-ch2-04v.sys.comcast.net with comcast id KWMH1s0032EPM3101WPNsY; Wed, 17 Feb 2016 18:23:22 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([73.218.51.154]) by resomta-ch2-07v.sys.comcast.net with comcast id KWPM1s0013KdFy101WPMiN; Wed, 17 Feb 2016 18:23:22 +0000
To: David Mandelberg <david@mandelberg.org>, iesg@ietf.org, secdir@ietf.org, draft-ietf-siprec-metadata.all@tools.ietf.org
References: <56C0EB89.4050409@mandelberg.org> <56C15FB9.8030600@alum.mit.edu> <56C4B3D6.6040700@mandelberg.org>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <56C4BA98.3080001@alum.mit.edu>
Date: Wed, 17 Feb 2016 13:23:20 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <56C4B3D6.6040700@mandelberg.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1455733402; bh=9AN0NuOoaBgMVjO+rXjBUeRiVHJRBZwpfOjhSVilqjY=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=IF2VZvo/AvlbfPgYwGQ9VU4piCaxCcMR++uxhiZ8gxzG1Pz1O5o76XXzsl/sOrMcJ h/s354AM7QA+fAxf0PjoiXSIEktW+m+ma8CQFOelX85IYsy7flTgzap/5V+zzo0K6f wHYzl1sbNaWJ4+5Dv18lxPudJPii5XP7u2pfNyFLprc4KxeOZAzzwqljMUZWiYq+uN vuO9ytSNPF0S7ZMfcJ24IAya8B8vxyS3kwK2K9+V2c+1DAxsxrijTDZnneGat3X6AZ cXkV48wkUrf+n1s4+zNfe9dq0I/5isjs70o6kR9CrGz7KOx33NzTzNZBubMZXWNvbX gnfWae259VC0A==
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/rbf5RAmuslXmPMvNENtr8sf9RyU>
Subject: Re: [secdir] secdir review of draft-ietf-siprec-metadata-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2016 18:23:24 -0000
David, Comment at end. On 2/17/16 12:54 PM, David Mandelberg wrote: > On 02/15/2016 12:18 AM, Paul Kyzivat wrote: >> On 2/14/16 4:03 PM, David Mandelberg wrote: >>> Section 6.10 says that "multiple SRC's [clients] can refer to the same >>> element/UUID (how each SRC learns the UUID here is out of scope of >>> SIPREC)". But what happens if two clients try to define different >>> objects with the same UUID? Does one of the objects take precedence for >>> all clients? If all of the benign clients are relying on referencing an >>> object A with UUID 1, and a malicious client is able to send an object B >>> also with UUID 1, that might compromise the integrity of the metadata >>> sent by the benign clients. This could be mitigated by requiring that >>> UUIDs are generated (pseudo-)randomly and are kept confidential from >>> potential adversaries, but I don't think the draft says either of these >>> things. >> >> The UUIDs used in the metadata are intended to be *unique*. Distinct >> SRCs that construct new UUIDs are expected to follow the rules for >> constructing them so that they are indeed unique. > > Yes, but a malicious SRC probably won't do what you're expecting of a > benign SRC. I agree that the text in the draft is good *if* it were true > that all SRCs are benign. > > >> If two SRCs use the same UUID it will be because they intentionally >> choose to do so. > > Or because the malicious SRC is intentionally choosing to do so, without > permission or cooperation from the benign SRC. > >> Typically this will be by some back channel to >> communicate among themselves. (I suppose there could potentially be some >> algorithmic way for them to construct UUIDs in a coordinated way, but I >> won't speculate on that.) >> >> By design there should be no accidental reuse of UUIDs. > > I agree. I'm worried only about malicious reuse of UUIDs. So your concern is the security implications when we have a malicious SRC that has been authorized by the SRS? If so, it seems like that can extend to lots of things beyond reuse of UUIDs. (Going further afield, how does this differ from a malicious SIP UA that has the credentials to register a particular AoR? It could cause all sorts of mischief by unregistering valid UAs, etc. ISTM the bottom line is that it is impossible to avoid problems from a party with access to enough "secrets".) But the problem actually seems less severe in the case of SIPREC. The SRS is performing what is essentially an append-only write process. The use of a duplicate UUID by a malicious SRC doesn't cause any valid information to be lost. And the SRS is free to track the source of each piece of information it records, so that the malicious info can be sorted out from the valid info once the bad guy has been identified. We don't put any requirements on *how* and *how much* of the the received info an SRS records, so we don't have a way to discuss this. Thanks, Paul
- [secdir] secdir review of draft-ietf-siprec-metad… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-siprec-m… Paul Kyzivat
- Re: [secdir] secdir review of draft-ietf-siprec-m… Ram Mohan R (rmohanr)
- Re: [secdir] secdir review of draft-ietf-siprec-m… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-siprec-m… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-siprec-m… Paul Kyzivat
- Re: [secdir] secdir review of draft-ietf-siprec-m… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-siprec-m… Paul Kyzivat