Re: [Simple] <note> in IMDN
Eric Burger <eburger@standardstrack.com> Wed, 17 September 2008 10:23 UTC
Return-Path: <simple-bounces@ietf.org>
X-Original-To: simple-archive@megatron.ietf.org
Delivered-To: ietfarch-simple-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6754428C284; Wed, 17 Sep 2008 03:23:39 -0700 (PDT)
X-Original-To: simple@core3.amsl.com
Delivered-To: simple@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2F6AB3A6C87 for <simple@core3.amsl.com>; Wed, 17 Sep 2008 03:23:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wq+EU7hWtXcb for <simple@core3.amsl.com>; Wed, 17 Sep 2008 03:23:37 -0700 (PDT)
Received: from gs19.inmotionhosting.com (gs19b.inmotionhosting.com [66.117.3.189]) by core3.amsl.com (Postfix) with ESMTP id 174B13A68CF for <simple@ietf.org>; Wed, 17 Sep 2008 03:23:37 -0700 (PDT)
Received: from [209.203.74.95] (port=51665) by gs19.inmotionhosting.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <eburger@standardstrack.com>) id 1KfuBm-0001tk-4k; Wed, 17 Sep 2008 03:23:47 -0700
Message-Id: <99FCA0AC-9644-4462-948D-AA56FC091317@standardstrack.com>
From: Eric Burger <eburger@standardstrack.com>
To: Hisham Khartabil <hisham.khartabil@gmail.com>
In-Reply-To: <66cd252f0809162124k1a861742t650609595759cd77@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Wed, 17 Sep 2008 03:23:10 -0700
References: <1660532724-1210725948-cardhu_decombobulator_blackberry.rim.net-784864713-@bxe033.bisx.prod.on.blackberry> <66cd252f0805131939t6569dab7r45d8ced20471a157@mail.gmail.com> <77384F67-E82C-483C-B555-665BFAF02D4E@standardstrack.com> <66cd252f0805132138m23aa3f42kf01ce0dcb7c42181@mail.gmail.com> <3092F25A-A072-4952-9C44-8C639B1925E2@softarmor.com> <4834C22B.1000407@cisco.com> <AD5C512E-842F-48F3-8824-03EE8A7F7905@sipforum.org> <437FCCA2-DA86-48D8-9DAA-24A09CDDE677@estacado.net> <66cd252f0806040219x4f3354d0t91b76f729452c3e1@mail.gmail.com> <BD67270B-42E9-4A20-B47E-5A7279AB17FF@standardstrack.com> <66cd252f0809162124k1a861742t650609595759cd77@mail.gmail.com>
X-Mailer: Apple Mail (2.929.2)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gs19.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - standardstrack.com
X-Source:
X-Source-Args:
X-Source-Dir:
Cc: simple@ietf.org
Subject: Re: [Simple] <note> in IMDN
X-BeenThere: simple@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP for Instant Messaging and Presence Leveraging Extensions <simple.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/simple>, <mailto:simple-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/simple>
List-Post: <mailto:simple@ietf.org>
List-Help: <mailto:simple-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/simple>, <mailto:simple-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2086835544=="
Sender: simple-bounces@ietf.org
Errors-To: simple-bounces@ietf.org
I cannot argue with that position :-) +1 On Sep 16, 2008, at 9:24 PM, Hisham Khartabil wrote: > For the sake of moving this draft to completion, I plan to remove > the <note> element from IMDNs. If someone is interested in extending > the schema to allow an element that carries extra information about > the reasons behind a certain disposition status, please write an I-D. > > Any objections? > > Regards, > Hisham > > > On 04/06/2008, Eric Burger <eburger@standardstrack.com> wrote: Except: > > 1. I have no clue what language to use in the message, as a human > will read it. > > 2. The field is free-form, so is not amenable for automaton > processing. > > 3. The field is free-form, but could be read by the UAC, so it will > invite vendors to put proprietary information into the field. Then > users expect particular behaviors when these values are present. > I.e., who needs the IETF to review protocol element use? Let the > random implementor of the day build a protocol on top of IMDN! > > 4. The field is free-form and displayed to the user, so it will > invite spam. > > If it is useful from a protocol perspective, then create an IANA > registry of values. > > > > On Jun 4, 2008, at 5:19 AM, Hisham Khartabil wrote: > > The field is not useless. It carries extra information (a reason > phrase, if you like) as to why the IM delivery resulted in an error or > still being processed, etc. > > Hisham > > 2008/6/4 Ben Campbell <ben@estacado.net>: > > On May 23, 2008, at 2:21 PM, Eric Burger wrote: > > Actually, IMDNs, even the SIMPLE free-form fields, are fairly > constrained. Any mis-match is an opportunity to filter out bad > IMDNs. The <note> field has three problems: > > 1. It cannot be filtered, as any content could be real (which > introduces the attack vector) > > 2. It cannot know what language it should use, and thus is not likely > to be useful to the recipient > > 3. It has no protocol value, and is of no value to the UA > > > So, if something has no useful protocol value and introduces a spam > opportunity, why would we want to include it? > > > If something has no useful protocol value, even if it _does_no_harm, > why would we want to include it? > > IMHO, there is no need to prove a vector for harm, if we are fairly > certain there is no vector for _utility_. > > (Note that I am agnostic on whether the field is truly useless--I am > merely commenting on the form of the argument.) > > > > > On May 21, 2008, at 7:45 PM, Paul Kyzivat wrote: > > Its kind of late to be thinking about this now. THe problem is > pervasive > in MSRP. > > In SIP there are lots of unconstrained fields. But they are all > constrained by the overall size of the message, and people commonly > put > limits on that. > > In MSRP, because of chunking, a single MSRP message can be gigabytes > long. So using that to bound the unconstrained parts of the headers > doesn't work very well. > > A robust implementation might take a similar approach - define its > own > limit on the total message size, excluding the body. Then it could > constrain all the unconstrained fields to fit within it. > > But picking on one header isn't a solution to the problem. Either > assume > the developers will be able to deal with it, or else do and MSRPv2 > that > eliminates all unconstrained fields. > > Paul > > Dean Willis wrote: > On May 13, 2008, at 11:38 PM, Hisham Khartabil wrote: > > Can you explain how it is an attack vector? > > > Unconstrained rich content is one of the most easily exploited > attack > vectors. > > Buffer overrun attacks as well as all of the typical MIME compound- > component attacks are likely. For example, the common JPEG > vulnerabilities might be exploitable: > > http://www.news.com/Image-virus-spreads-via-chat/2100-7349_3-5390463.html > > > Or the content-execution weakness that caused the Macintosh Safari > browse to be most easily exploited in recent hacking contests: > > http://www.engadget.com/2007/07/23/safari-exploit-gives-hackers-full-control-of-your-iphone/ > > > There have also been exploits against QuickTime, Flash, and most > other > plugin components from time to time. > > -- > Dean > _______________________________________________ > Simple mailing list > Simple@ietf.org > https://www.ietf.org/mailman/listinfo/simple > > _______________________________________________ > Simple mailing list > Simple@ietf.org > https://www.ietf.org/mailman/listinfo/simple > > _______________________________________________ > Simple mailing list > Simple@ietf.org > https://www.ietf.org/mailman/listinfo/simple > > _______________________________________________ > Simple mailing list > Simple@ietf.org > https://www.ietf.org/mailman/listinfo/simple > > >
_______________________________________________ Simple mailing list Simple@ietf.org https://www.ietf.org/mailman/listinfo/simple
- Re: [Simple] <note> in IMDN Hisham Khartabil
- [Simple] <note> in IMDN Eric Burger
- Re: [Simple] <note> in IMDN Hisham Khartabil
- Re: [Simple] <note> in IMDN eburger
- Re: [Simple] <note> in IMDN Hisham Khartabil
- Re: [Simple] <note> in IMDN Eric Burger
- Re: [Simple] <note> in IMDN Dean Willis
- Re: [Simple] <note> in IMDN Eric Burger
- Re: [Simple] <note> in IMDN Hisham Khartabil
- Re: [Simple] <note> in IMDN Hisham Khartabil
- Re: [Simple] <note> in IMDN Paul Kyzivat
- Re: [Simple] <note> in IMDN Paul Kyzivat
- Re: [Simple] <note> in IMDN Eric Burger
- Re: [Simple] <note> in IMDN Paul Kyzivat
- Re: [Simple] <note> in IMDN Eric Burger
- Re: [Simple] <note> in IMDN Paul Kyzivat
- Re: [Simple] <note> in IMDN Eric Burger
- Re: [Simple] <note> in IMDN Dean Willis
- Re: [Simple] <note> in IMDN Eric Burger
- Re: [Simple] <note> in IMDN Eric Burger
- Re: [Simple] <note> in IMDN Ben Campbell
- Re: [Simple] <note> in IMDN Hisham Khartabil
- Re: [Simple] <note> in IMDN Eric Burger
- Re: [Simple] <note> in IMDN Aki Niemi
- Re: [Simple] <note> in IMDN Hisham Khartabil
- Re: [Simple] <note> in IMDN Eric Burger