Re: [secdir] review of draft-hollenbeck-rfc4933bis-02
"Hollenbeck, Scott" <shollenbeck@verisign.com> Wed, 08 July 2009 19:29 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 44C643A6B11; Wed, 8 Jul 2009 12:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gsB4DapG-hGz; Wed, 8 Jul 2009 12:29:54 -0700 (PDT)
Received: from osprey.verisign.com (osprey.verisign.com [216.168.239.75]) by core3.amsl.com (Postfix) with ESMTP id 7D3273A6B5E; Wed, 8 Jul 2009 12:29:54 -0700 (PDT)
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id n68JIK0v029430; Wed, 8 Jul 2009 15:18:20 -0400
Received: from dul1wnexmb01.vcorp.ad.vrsn.com ([10.170.12.134]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 8 Jul 2009 20:30:20 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CA0002.87D4B30B"
Date: Wed, 08 Jul 2009 15:30:19 -0400
Message-ID: <046F43A8D79C794FA4733814869CDF0702B8DAD5@dul1wnexmb01.vcorp.ad.vrsn.com>
In-Reply-To: <6F8E48C3-9E52-4912-B748-3C9A43519EA7@nrl.navy.mil>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: review of draft-hollenbeck-rfc4933bis-02
Thread-Index: Acn/5Xk32/Jg0jNCRdmxwandTw+Q9wAHQUVw
References: <897517DC-2F59-440A-BD63-BD71E1AF4421@nrl.navy.mil> <046F43A8D79C794FA4733814869CDF0702B8DA2E@dul1wnexmb01.vcorp.ad.vrsn.com> <6F8E48C3-9E52-4912-B748-3C9A43519EA7@nrl.navy.mil>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: Catherine Meadows <catherine.meadows@nrl.navy.mil>
X-OriginalArrivalTime: 08 Jul 2009 19:30:20.0731 (UTC) FILETIME=[882178B0:01CA0002]
Cc: iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] review of draft-hollenbeck-rfc4933bis-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2009 19:29:56 -0000
No problem here - thanks for the clarification! -Scott- ________________________________ From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil] Sent: Wednesday, July 08, 2009 12:02 PM To: Hollenbeck, Scott Cc: Catherine Meadows; secdir@ietf.org; iesg@ietf.org Subject: Re: review of draft-hollenbeck-rfc4933bis-02 My apologies! I should have read RFC 4953 first. The I-D tracker is still giving me a 404, but I was able to find it on the tcpm WG website. What RFC 4953 discusses is a specific vulnerability in TCP, which involves the fact that reset sequence (RST) numbers can cycle through quickly in large windows, and they make the protocol vulnerable to spurious resets from attackers in that case. So this really is a TCP issue, and I agree that the TCP mapping document in the appropriate place for this if there is an issue, which would depend on the window size. My apologies again for typing without reading first, and for introducing such a red herring. My interpretation of "channel binding attack" in this context was no where near the mark. I now no longer believe that there are any further changes to be made to this document. Also, somebody needs to fix the ID tracker. My attempt to find 4934 wound up in a 404 too. Cathy On Jul 7, 2009, at 3:52 PM, Hollenbeck, Scott wrote: I made this statement in my response to Sandy: "I would need more specific information to know if there's something to be done with this comment. Reliance on security mechanisms provided at the transport layer has been part of this specification since day one. I am not aware of any implementation issues." There was no follow-up, so I remain a little unsure of how to address the comment. Similarly, I need a clarification to know if the text change suggested below is best made in 4933bis. There's a separate document that addresses EPP transport over TCP. If the channel binding issue is primarily an issue with TCP (is it?), I'd prefer to address it in the TCP mapping document (4934bis). If it's more focused on the application-layer exchange of authorization information I'm OK with making the text change suggested below in 4933bis. I should note that the same text exists in 4931bis so I'd need to change it there as well. So - where is the most appropriate place to add text? -Scott- ________________________________ From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil] Sent: Monday, July 06, 2009 11:53 AM To: secdir@ietf.org; iesg@ietf.org; Hollenbeck, Scott Cc: Catherine Meadows Subject: review of draft-hollenbeck-rfc4933bis-02 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Quote from last review: "The draft updates RFC 4933, the EPP Contacts Mapping spec. The updates listed are relatively minor - updates to references and a few minor updates to text." Version 1 has reviewed recently (June 10, by Sandy Murphy) and the author already made the changes that were agreed upon in following discussion. Everything mostly looks OK to me, but there is one issue that never got completely resolved as far as I can tell from what I saw online. This is the question of channel binding issues as described RFC 4953. I'm having trouble accessing that document right now, but apparently the issue is that low-level authentication mechanisms will not provide any distinction between channels at a higher level. This can make it possible for someone with access to the authentication mechanisms to spoof different channels. In particular, if the EPP authorization information is protected with lower-level authentication mechanisms this could be the case. Unless there is good reason to believe that this sort of attack is impossible (in which case it would be a good idea to say why) it might be good that Both client and server MUST ensure that authorization information is stored and exchanged with high-grade encryption mechanisms to provide privacy services. be changed to Both client and server MUST ensure that authorization information is stored and exchanged with high-grade encryption mechanisms to provide privacy and authentication services at the appropriate level of granularity. Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil
- [secdir] review of draft-hollenbeck-rfc4933bis-02 Catherine Meadows
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Hollenbeck, Scott
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Catherine Meadows
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Hollenbeck, Scott
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Sandra Murphy
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Polk, William T.
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Hollenbeck, Scott
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Alexey Melnikov
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Polk, William T.
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Polk, William T.
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Nicolas Williams
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Sandra Murphy
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Hollenbeck, Scott
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Nicolas Williams