[secdir] SECDIR review of draft-ietf-pcp-description-option-04

Phillip Hallam-Baker <hallam@gmail.com> Thu, 20 February 2014 01:46 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3778E1A0168; Wed, 19 Feb 2014 17:46:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LnK4Bc7PoxAm; Wed, 19 Feb 2014 17:46:09 -0800 (PST)
Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id 3A9D61A0103; Wed, 19 Feb 2014 17:46:09 -0800 (PST)
Received: by mail-la0-f54.google.com with SMTP id y1so861244lam.41 for <multiple recipients>; Wed, 19 Feb 2014 17:46:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=DXHs8Ok1BHyXbVr/icSeO2QXOJfwmm7uOIWMU7NQ/YQ=; b=Wsdk6m60WqaLvMS0PKnAwbp3CBoTTqSI4tJx//bwGhmBsSNtFyNNMbvOWt3UJ/qSHk A0tMJp4AGmf1NBQj1IE0sbBSkAIbochg188yYe8QMCfPl1rJrVvN1e++2aDzSmsuv6T6 E2ea+LQ3OSL45yu+NEkL4Jkv3dJ0guongFATnyHocx6U0vLZvmpYVgZxKh/nAADvbD81 pIwwT7iwNgriRw/+xwXl/iqrEFYkJrT0veMdhgB3MbZEBfTvKwyNzt+7X48+T6UaB09e OXmYBOBvQM8XcLNiDNI2I8edEmXzMICP/MKTztka1cN9lAIj4Zp/nguJ7Z4wQ7hRI1dg e89w==
MIME-Version: 1.0
X-Received: by 10.152.20.134 with SMTP id n6mr2154091lae.83.1392860765171; Wed, 19 Feb 2014 17:46:05 -0800 (PST)
Received: by 10.112.37.168 with HTTP; Wed, 19 Feb 2014 17:46:05 -0800 (PST)
Date: Wed, 19 Feb 2014 20:46:05 -0500
Message-ID: <CAMm+LwhGTKD_+qRGCpe5seHgmwp-41UPaZS5uH4fzxCwGjb3Nw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pcp-description-option@tools.ietf.org" <draft-ietf-pcp-description-option@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="089e01493dbe21363f04f2ccab4b"
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/rnTkCt3AdIoXUoe4IZFdlDdj2PY
Subject: [secdir] SECDIR review of draft-ietf-pcp-description-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2014 01:46:12 -0000

This draft simply adds in a description field to the Port Control Protocol.

While this does not raise security concerns in itself, uses of the field
may. In particular, the (ab)use of the DNS TXT field to stuff site local or
non-standard control data into the protocol might become a problem

I suspect it won't be long before someone has the idea that their
application announce itself with a description of "# SELECT * FROM
Bobby.tables".

The SC should point out that the data is not authenticated for this purpose
and relying on (or executing) descriptions is a trail of tears.

-- 
Website: http://hallambaker.com/