Re: [sipcore] AD Review: draft-ietf-sipcore-rejected
Eric Burger <eburger@standardstrack.com> Wed, 24 April 2019 03:02 UTC
Return-Path: <eburger@standardstrack.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8705D120319 for <sipcore@ietfa.amsl.com>; Tue, 23 Apr 2019 20:02:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.689
X-Spam-Level:
X-Spam-Status: No, score=-1.689 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=standardstrack.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kOf_hVwk4blU for <sipcore@ietfa.amsl.com>; Tue, 23 Apr 2019 20:02:38 -0700 (PDT)
Received: from biz221.inmotionhosting.com (biz221.inmotionhosting.com [198.46.93.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2EB1120318 for <sipcore@ietf.org>; Tue, 23 Apr 2019 20:02:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=standardstrack.com; s=default; h=References:To:Cc:In-Reply-To:Date:Subject: Mime-Version:Content-Type:Message-Id:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=XkaVR8kNqyQQSdBJWWeJtsAkmrf6TvVfTRa92Wn5XkI=; b=nKwOs1k0UbUAzeBjt3XCLV3ye 5n7M5YK7wtEsFDR21fTO/Win8RO8fFWw109n/HVp1tM9CAp7hco9j4DPpCadynUu9qufCEWFVBULA RtO+eyYiE9ILINnsdzwcXIUwh6QnLULmNb+XcjkeUXyWL25m/x8/9cU0Q0KlmXhFddyAU=;
Received: from [68.100.196.217] (port=50484 helo=[192.168.10.26]) by biz221.inmotionhosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <eburger@standardstrack.com>) id 1hJ8Az-000iUl-Mb; Tue, 23 Apr 2019 20:02:36 -0700
From: Eric Burger <eburger@standardstrack.com>
Message-Id: <E66F06E5-4D2E-4FEE-88A4-446038743E26@standardstrack.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_968CCEB1-8EC0-4F96-811C-9688FAE6D682"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Tue, 23 Apr 2019 23:01:23 -0400
In-Reply-To: <2bed1f29-cf3e-e6df-60b8-590b88ab95d8@nostrum.com>
Cc: SIPCORE <sipcore@ietf.org>
To: Roach Adam <adam@nostrum.com>
References: <2bed1f29-cf3e-e6df-60b8-590b88ab95d8@nostrum.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-OutGoing-Spam-Status: No, score=-0.2
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - biz221.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - standardstrack.com
X-Get-Message-Sender-Via: biz221.inmotionhosting.com: authenticated_id: eburger+standardstrack.com/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: biz221.inmotionhosting.com: eburger@standardstrack.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/QzwJMPSp-S38MSSw8jZUTM2cko0>
Subject: Re: [sipcore] AD Review: draft-ietf-sipcore-rejected
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 03:02:40 -0000
Thanks for the review! I think the draft will read a lot easier. I’ve accepted all of your suggestions, with a sideways deflection of the first set of substantive issues. I’ll trim the rest of the comments as they are in the archive, and focus in-line on the first set of comments. I just posted -07 and the announcement just flew by. https://datatracker.ietf.org/doc/draft-ietf-sipcore-rejected/ Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-rejected-07 > On Apr 17, 2019, at 9:41 PM, Adam Roach <adam@nostrum.com> wrote: > > This is my AD review for draft-ietf-sipcore-rejected. There are a few places > where I think the mechanism needs to be better defined -- or, at least, more > clearly described -- before it goes into IETF review. I've grouped those issues > together at the top of my comments that follow. > > --------------------------------------------------------------------------- > > §4.1: > > This example is perplexing in a few dimensions that should be either > changed or explained. These are confusing enough that I'd like to see a new > version of the document before putting it into IETF last call. > > The first is that its Call-Info header field indicates a URL of the form: > > https://block.example.net/complaint.json > > ...which strongly implies that one might find a JSON object at that location. It > then goes on to specify that the thing one would retrieve from this location is > a JWS. While there's nothing that technically binds a URL's name to the content > type found at that URL, this goes against fairly well-established conventions in > a way that is likely to confuse implementors. > > That would imply a change to: > > https://block.example.net/complaint.jws I would offer that when you resolve the URI, you will get… a JSON object. That JSON object /happens/ to be a JWS. Note that *.jws is a thing: we at BEA Systems (now Oracle) use it to identify Java Web Server code. As such, no change there. > But this leads us to the second problem: the form of the URL -- a domain > followed by a simple word -- implies that this same URL is used for all > rejected calls (and... one would assume is generated on the fly with a fresh > "iat" parameter?) If that's the case, then this URL becomes an oracle that > allows for the exact kind of replay attacks described in the introduction. To > prevent this from being such an oracle, it's going to minimally need to vary > by call, which would lead it to look more like: > > https://block.example.net/79048YzkxNDA5NTI1MzA0OWFjOTFkMmFlODhiNTI2OWQ1ZTI.jws > > However, this takes us to yet a third problem, which is -- even with a > JWS-per-rejected-call approach, nothing prevents an attacker from spoofing 608 > responses with this URL for as long as the "iat" is likely to be accepted by > callers (probably on the order of minutes), which can still cause some pretty > substantial damage. > > I *think* this requires the ability to bind the jCard-containing JWS to the > call. This would require additional claims to be added to the body. You could > re-use the "orig" and "dest" claims created by PASSPORT (but be wary of > retargeting), or come up with your own claims that bind the rejection to the > call (although be careful of choosing fields that may be fragile in the > presence of B2BUAs); but I think the whole signing mechanism just doesn't work > unless it's bound to the call in some way. It might be enough just to bind it to > the calling party, since that reduces the attack from a DDoS to a simple > one-device DoS. > > Note that this last problem doesn't really bear on the example itself; however, > I wasn't completely convinced that it was an issue until I got to the example. I do not think we need to bind the jCard to a specific call. I greatly expanded the language in the Security Considerations section to make it clear what threats we are mitigating by signing the jCard and including an iat claim. Specifically, it is not to prove that /this/ jCard belongs to /that/ call. It is to prove that /this/ signer signed /this/ jCard. And, in reality, most intermediaries will have a fixed jCard and will use the iat as a nonce. More verbosity in the Security Considerations. Let me know if it makes more sense. > --------------------------------------------------------------------------- > > §4.4, Figure 5: > > This is an issue that I'd like to see fixed before IETF last call. > > Please either show the use of PRACK with the 183 response, or indicate that the > required PRACK messages have been elided from the diagram for clarity. In either > case, this document must have RFC 3262 as a normative dependency, as it's > impossible to satisfy its normatively-required behaviors without that > mechanism. Head smack given the major point of PRACK is to play announcements, says the guy who built announcement boxes <argh!> Fixed. Duh. Thanks. > --------------------------------------------------------------------------- > > §6: > > This is an issue that I'd like to see fixed before IETF last call. > > The mechanism specifies that the JWS objects are required to contain an "iat" > claim, but provides no guidance for how the recipient of such a JWS is supposed > to use this information. Clearly, it's intended to be "fresh enough" to prevent > replay attacks, but this is never stated. > > You should be able to fix this (once the first issue above is addressed) by > adding something to the "Security Considerations" section modeled after > https://tools.ietf.org/html/rfc8225#section-10.1 Done.