Re: [secdir] Secdir telechat review of draft-ietf-ipsecme-rfc8229bis-07
Valery Smyslov <svan@elvis.ru> Thu, 04 August 2022 14:00 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 283A4C157B5A; Thu, 4 Aug 2022 07:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=elvis.ru
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mSrVZquwjOrj; Thu, 4 Aug 2022 07:00:13 -0700 (PDT)
Received: from akmail.elvis.ru (akmail.elvis.ru [82.138.51.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9955C14CF0F; Thu, 4 Aug 2022 07:00:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elvis.ru; s=mail; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID: Date:Subject:In-Reply-To:References:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=nLsoOIht0bWBNq7LO0zfQfLyfCTnU2TUvzTiMTqB0JQ=; b=QrMmjMNEGwldIGUw3jResUIVVi R/IpZO7FRGljgWae+OPbC+NcbZz+03E39VmgngY9XuSa+dEMUXrSkN4XoXtm73mn2Sk0EYfrXZECn XNbp+D9dE0s85lySmWExuia0l+5HmiwSxruYoX/38HEeN0eeToIZJ6ux/5OG/y+02M/0=;
Received: from kmail.elvis.ru ([93.188.44.208]) by akmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1oJbOP-0001Sf-L7; Thu, 04 Aug 2022 17:00:05 +0300
Received: from mail16.office.elvis.ru ([10.111.1.29] helo=mail.office.elvis.ru) by kmail.elvis.ru with esmtp (Exim 4.92) (envelope-from <svan@elvis.ru>) id 1oJbOP-0004kV-CW; Thu, 04 Aug 2022 17:00:05 +0300
Received: from MAIL16.office.elvis.ru (10.111.1.29) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 4 Aug 2022 17:00:05 +0300
Received: from buildpc (10.111.10.33) by MAIL16.office.elvis.ru (10.111.1.29) with Microsoft SMTP Server id 15.1.1779.2 via Frontend Transport; Thu, 4 Aug 2022 17:00:05 +0300
From: Valery Smyslov <svan@elvis.ru>
To: 'Rifaat Shekh-Yusef' <rifaat.s.ietf@gmail.com>, secdir@ietf.org
CC: draft-ietf-ipsecme-rfc8229bis.all@ietf.org, ipsec@ietf.org, last-call@ietf.org
References: <165961801322.55199.12307045998936736017@ietfa.amsl.com>
In-Reply-To: <165961801322.55199.12307045998936736017@ietfa.amsl.com>
Date: Thu, 04 Aug 2022 17:00:07 +0300
Message-ID: <112501d8a80a$810a12d0$831e3870$@elvis.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJ9nmtz/mOMJ+EYwMnWcrZ2Xou6R6xU0yGQ
Content-Language: ru
X-CrossPremisesHeadersFilteredBySendConnector: MAIL16.office.elvis.ru
X-OrganizationHeadersPreserved: MAIL16.office.elvis.ru
X-KLMS-AntiSpam-Interceptor-Info: not scanned
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Status: not scanned, disabled by settings
X-KLMS-AntiPhishing: Clean, bases: 2022/08/04 13:04:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2022/08/04 09:55:00 #20049365
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vqKHZdQz6WQohGpoYXPEa9hBM-U>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-ipsecme-rfc8229bis-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2022 14:00:19 -0000
Hi Rifaat, thank you for your review. > Reviewer: Rifaat Shekh-Yusef > Review result: Ready > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > The summary of the review is: Ready with one comment > > The security considerations section describes two potential recovery mechanisms > to an injection attack. The first option is to close the TCP connection and let > the originator recreate it. The second option is a re-sync mechanism. The way I > read the document, it seems that the first option is the recommended one, but > it is not clear to me when should the second option be used, if at all. It > would be great if some text be added to clarify this. Yes, the first option is preferred, since it is simple and provides deterministic result. The drawback of the first option is that the performance will degrade (current TCP connection should be closed, then the TCP originator will detect it and create a new TCP connection, that will slow start etc.) The second option is an alternative approach that implementations may try to use to avoid performance degradation. However, this approach is unreliable, especially in situation when attacker injects garbage and the TCP responder will waste resources trying to find the next valid packet which doesn't exist. For this reason this option is MAY. We can change the beginning of this this para as follows: To avoid performance degradation caused by closing and re-creating TCP connection, implementations MAY alternatively try to re-sync after they receive unknown SPIs by searching the TCP stream for a 64-bit binary vector ... Is it OK? Regards, Valery.
- [secdir] Secdir telechat review of draft-ietf-ips… Rifaat Shekh-Yusef via Datatracker
- Re: [secdir] Secdir telechat review of draft-ietf… Valery Smyslov
- Re: [secdir] Secdir telechat review of draft-ietf… Rifaat Shekh-Yusef