IETF Logo Mail Archive

Re: [secdir] review of draft-hollenbeck-rfc4933bis-02

"Hollenbeck, Scott" <shollenbeck@verisign.com> Wed, 08 July 2009 19:29 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 44C643A6B11; Wed, 8 Jul 2009 12:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gsB4DapG-hGz; Wed, 8 Jul 2009 12:29:54 -0700 (PDT)
Received: from osprey.verisign.com (osprey.verisign.com [216.168.239.75]) by core3.amsl.com (Postfix) with ESMTP id 7D3273A6B5E; Wed, 8 Jul 2009 12:29:54 -0700 (PDT)
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id n68JIK0v029430; Wed, 8 Jul 2009 15:18:20 -0400
Received: from dul1wnexmb01.vcorp.ad.vrsn.com ([10.170.12.134]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 8 Jul 2009 20:30:20 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CA0002.87D4B30B"
Date: Wed, 08 Jul 2009 15:30:19 -0400
Message-ID: <046F43A8D79C794FA4733814869CDF0702B8DAD5@dul1wnexmb01.vcorp.ad.vrsn.com>
In-Reply-To: <6F8E48C3-9E52-4912-B748-3C9A43519EA7@nrl.navy.mil>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: review of draft-hollenbeck-rfc4933bis-02
Thread-Index: Acn/5Xk32/Jg0jNCRdmxwandTw+Q9wAHQUVw
References: <897517DC-2F59-440A-BD63-BD71E1AF4421@nrl.navy.mil> <046F43A8D79C794FA4733814869CDF0702B8DA2E@dul1wnexmb01.vcorp.ad.vrsn.com> <6F8E48C3-9E52-4912-B748-3C9A43519EA7@nrl.navy.mil>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: Catherine Meadows <catherine.meadows@nrl.navy.mil>
X-OriginalArrivalTime: 08 Jul 2009 19:30:20.0731 (UTC) FILETIME=[882178B0:01CA0002]
Cc: iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] review of draft-hollenbeck-rfc4933bis-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2009 19:29:56 -0000

No problem here - thanks for the clarification!
 
-Scott-


________________________________

	From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil] 
	Sent: Wednesday, July 08, 2009 12:02 PM
	To: Hollenbeck, Scott
	Cc: Catherine Meadows; secdir@ietf.org; iesg@ietf.org
	Subject: Re: review of draft-hollenbeck-rfc4933bis-02
	
	
	My apologies!  I should have read RFC 4953 first.  The I-D
tracker is still giving me a 404, 
	but I was able to find it on the tcpm WG website.

	What RFC 4953 discusses is a specific vulnerability in TCP,
which involves the fact that reset sequence (RST) numbers can cycle
through quickly in large windows,
	and they make the protocol vulnerable to spurious resets from
attackers in that case.  So this really is a TCP issue, and I agree that
the TCP mapping document in the appropriate place for
	this if there is an issue, which would depend on the window
size. 

	My apologies again for typing without reading first, and for
introducing such a red herring.  My interpretation of "channel binding
attack" in this context was no where near the mark.
	I now no longer believe that there are any further changes to be
made to this document.

	Also, somebody needs to fix the ID tracker.  My attempt to find
4934 wound up in a 404 too.

	Cathy

	On Jul 7, 2009, at 3:52 PM, Hollenbeck, Scott wrote:


		I made this statement in my response to Sandy:
		 
		"I would need more specific information to know if
there's something to be done with this comment. Reliance on security
mechanisms provided at the transport layer has been part of this
specification since day one. I am not aware of any implementation
issues."
		 
		There was no follow-up, so I remain a little unsure of
how to address the comment.  Similarly, I need a clarification to know
if the text change suggested below is best made in 4933bis.
		 
		There's a separate document that addresses EPP transport
over TCP.  If the channel binding issue is primarily an issue with TCP
(is it?), I'd prefer to address it in the TCP mapping document
(4934bis).  If it's more focused on the application-layer exchange of
authorization information I'm OK with making the text change suggested
below in 4933bis.  I should note that the same text exists in 4931bis so
I'd need to change it there as well.
		 
		So - where is the most appropriate place to add text?
		 
		-Scott-


________________________________

			From: Catherine Meadows
[mailto:catherine.meadows@nrl.navy.mil] 
			Sent: Monday, July 06, 2009 11:53 AM
			To: secdir@ietf.org; iesg@ietf.org; Hollenbeck,
Scott
			Cc: Catherine Meadows
			Subject: review of
draft-hollenbeck-rfc4933bis-02
			
			
			I have reviewed this document as part of the
security 
			directorate's ongoing effort to review all IETF
documents 
			being processed by the IESG. 
			These comments were written primarily for the
benefit of the 
			security area directors.  Document editors and
WG chairs 
			should treat these comments just like any other
last call comments. 

			Quote from last review:
			

			"The draft updates RFC 4933, the EPP Contacts
Mapping spec.  
			The updates listed are relatively minor -
updates to 
			references and a few minor updates to text."

			Version 1 has reviewed recently (June 10, by
Sandy Murphy) and the author already
			made the changes that were agreed upon in
following discussion.

			Everything mostly looks OK to me, but there is
one issue that never got completely resolved
			as far as I can tell from what I saw online.
This is the question of channel binding issues as described
			RFC 4953.  I'm having trouble accessing that
document right now, but apparently the issue is that
			low-level authentication mechanisms will not
provide any distinction between channels at a higher level.
			This can make it possible for someone with
access to the authentication mechanisms to spoof different channels.
			In particular, if the EPP authorization
information is protected with lower-level authentication mechanisms this
could
			be the case.  Unless there is good reason to
believe that this sort of attack is impossible (in which case it would
			be a good idea to say why) it might be good 
			that 


				Both client and server MUST ensure that
authorization
				

				   information is stored and exchanged
with high-grade encryption
				

				   mechanisms to provide privacy
services.


			be changed to

			Both client and server MUST ensure that
authorization
			   information is stored and exchanged with
high-grade encryption
			   mechanisms to provide privacy and
authentication services at the appropriate level
			of granularity.


			
			Catherine Meadows
			Naval Research Laboratory
			Code 5543
			4555 Overlook Ave., S.W.
			Washington DC, 20375
			phone: 202-767-3490
			fax: 202-404-7942
			email: catherine.meadows@nrl.navy.mil



	
	Catherine Meadows
	Naval Research Laboratory
	Code 5543
	4555 Overlook Ave., S.W.
	Washington DC, 20375
	phone: 202-767-3490
	fax: 202-404-7942
	email: catherine.meadows@nrl.navy.mil

v2.23.0 | Report a Bug | By Email