Re: [secdir] [Last-Call] Secdir last call partial review of draft-ietf-lpwan-coap-static-context-hc-12
Ana Minaburo <ana@ackl.io> Tue, 26 May 2020 16:46 UTC
Return-Path: <ana@ackl.io>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A01793A0A92 for <secdir@ietfa.amsl.com>; Tue, 26 May 2020 09:46:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ackl-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hPKHVMOc6Thq for <secdir@ietfa.amsl.com>; Tue, 26 May 2020 09:46:05 -0700 (PDT)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90E423A0A7E for <secdir@ietf.org>; Tue, 26 May 2020 09:46:05 -0700 (PDT)
Received: by mail-il1-x131.google.com with SMTP id r2so9940808ila.4 for <secdir@ietf.org>; Tue, 26 May 2020 09:46:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ackl-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F9IdecfGG091m5X5fhyHhz5I8QzTQ+cd/EAt3uo+bCE=; b=bmK9mK7LtP4OPTdBW5K1qgQRkOycXfehnzKI4RQHrrPOmex655wITF1VAWN9TYGgTW 9xTlg4nnDfc2Hh7Sq0l2xFYJgWt0MHWLQTWRSqhk3Z9iCB8Nb+oOw21KmXUbgBzfHUXV oQQJP0UMkfx4Hmfry4Qgbup11G5fPsNRrGKbck0KNSCTGx/cspetHuapfF+8WxbicMvf OjtysqxJaQqwzXgT73JqgH7DjJwz0ZFuXKFeI/FY31kze/jfpCJAKxu7yQeo4kb+vZBL X8RR97yLp+DbY6eN2RxD7oQZPWBsZzC0MGi7KMErehhibL05kZIdP96Ew8MfjAND4sKE OJdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F9IdecfGG091m5X5fhyHhz5I8QzTQ+cd/EAt3uo+bCE=; b=PsG9uK7jiBd2IxLtvbi3P2QObNUgt3/iMg5SulZiR5Y3WPbChn9ka0p8ydoGjJODkh tglrVARJHZ+dMOMRFU/rG9jsOO7CwzLGA+jY/EEqtAgIxqma01Yhk7Z/cZEBT0n6Zf94 DuCTIA2/aO5GuW/0XfNltFtPtlPrNpdkPLIQy4YS1+AheySRmvu16bifWCMeEAwoAxFh ywybFxyWs0KX9mEcL/ZbRf30ZZJnRVKp4aAlwpWUTnAeR2qVyO+KnzKZj+6iKweOMAfc AYSUgzwSs6NrXPdjCW385I05gAQsTbL/oymDG757g35BzJ2oWyDC+NgJj+oInT/y0WWO bRvw==
X-Gm-Message-State: AOAM532Gx8UtQ2mRUxVK5Ej/HbHw1UivbAAPTxwGtvEgZYi/RfCL7WjX /0rEhJ7GfrI6Q5/Y+UNXfdymN26hCnoH0x+0xEJgVw==
X-Google-Smtp-Source: ABdhPJxBAU/QjsnLwcCbXZcibIuKG2PH+1NIyP4SM2vg64cYaeFacG45pCpJpSf3o7O+ZebggBqRATMlulmHotcleGM=
X-Received: by 2002:a92:d6cc:: with SMTP id z12mr1902574ilp.179.1590511564673; Tue, 26 May 2020 09:46:04 -0700 (PDT)
MIME-Version: 1.0
References: <158231113340.29033.17150460168186400041@ietfa.amsl.com> <20200221202332.GC53538@kduck.mit.edu>
In-Reply-To: <20200221202332.GC53538@kduck.mit.edu>
From: Ana Minaburo <ana@ackl.io>
Date: Tue, 26 May 2020 18:45:38 +0200
Message-ID: <CAAbr+nTkerPwSqihv=YTJ6g52xOFS1Kzt9-U7L4cJ+okVKZ4SQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Paul Wouters <paul@nohats.ca>, secdir@ietf.org, lp-wan <lp-wan@ietf.org>, last-call@ietf.org, draft-ietf-lpwan-coap-static-context-hc.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d2df0505a68fd4c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xa0ESz1dBZEGfNMPmcllRU-MpV0>
Subject: Re: [secdir] [Last-Call] Secdir last call partial review of draft-ietf-lpwan-coap-static-context-hc-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2020 16:46:08 -0000
Thank you for your review, a new version of the draft has been published today with a new security section. We have discussed this section during the virtual IETF meeting taking your inputs into account. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-lpwan-coap-static-context-hc/ Ana On Fri, Feb 21, 2020 at 9:23 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > Hi Paul, > > Thanks for doing the review and raising the potentially serious issues. > > On Fri, Feb 21, 2020 at 10:52:13AM -0800, Paul Wouters via Datatracker > wrote: > > > > Review is partially done. Another assignment may be needed to complete > it. > > > > Reviewer: Paul Wouters > > Review result: Serious Issues > > > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > > IESG. These comments were written primarily for the benefit of the > > security area directors. Document editors and WG chairs should treat > > these comments just like any other last call comments. > > > > I agree with the comments raised by the genart review by Theresa > Enghardt. The > > Security Section is just a reference to another document that specifies > in its > > own Security Consideration: > > > > As explained in Section 5, SCHC is expected to be implemented on top > > of LPWAN technologies, which are expected to implement security > > measures. > > > > This document explains that packets are wrapped in CoAP and then this > document > > can be used to compress fields, similar to the references document. But > now > > this is happening in the most outer layer, which the referenced document > > basically states that in its Security Considerations, it assumes the > outer > > layer has some kind of LPWAN based security meassures in place. > > > > It seems these two drafts need some coordination to determine where, how > and > > which Security Considerations are relevant. > > It does seem like it, since CoAP is not guaranteed to be used over a > physical medium with integrated security technologies (though many expected > use cases do). > > > Additionally, I'm a bit worried about multiple layers doing compression. > Can > > this lead to security issues? If not, why not? > > > > Where is it sais that compression states need to be checked for bogus > > instructions? How are these prevented? Think of the ever-decompressing > zip file > > hacks of the past. How are these DoS attacks prevented ? > > I think the "static context" nature of this compression mechanism prevents > issues with near-infinite expansion, at least, though there would of course > still be room for bugs when handling noncompliant input. > > -Ben > > > Other than this issue, I found Section 1 Introducion a bit confusing. It > seems > > to drop a reference to another document and then explain that other > document, > > without really talking about this document? Or if it does, it was not > very > > clear to me. > > > > I did not review this document for nits - my apologies but I ran out of > time. > > > > > > -- > > last-call mailing list > > last-call@ietf.org > > https://www.ietf.org/mailman/listinfo/last-call >
- [secdir] Secdir last call partial review of draft… Paul Wouters via Datatracker
- Re: [secdir] [Last-Call] Secdir last call partial… Benjamin Kaduk
- Re: [secdir] [Last-Call] Secdir last call partial… Ana Minaburo