IETF Logo Mail Archive

Re: [T2TRG] [core] New Version Notification for draft-mattsson-core-coap-attacks-02.txt

Carsten Bormann <cabo@tzi.org> Wed, 02 February 2022 13:02 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB0BA3A099E for <t2trg@ietfa.amsl.com>; Wed, 2 Feb 2022 05:02:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hq-sdwTUT9IB for <t2trg@ietfa.amsl.com>; Wed, 2 Feb 2022 05:02:31 -0800 (PST)
Received: from gabriel-smtp.zfn.uni-bremen.de (gabriel-smtp.zfn.uni-bremen.de [134.102.50.15]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E94E73A012C for <t2trg@irtf.org>; Wed, 2 Feb 2022 05:02:30 -0800 (PST)
Received: from [192.168.217.118] (p5089ad4f.dip0.t-ipconnect.de [80.137.173.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4Jphm361lyzDCfx; Wed, 2 Feb 2022 14:02:27 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <HE1PR0701MB30500AA57A7DD6F3170BB60F89269@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Date: Wed, 02 Feb 2022 14:02:27 +0100
Cc: "core@ietf.org" <core@ietf.org>, t2trg@irtf.org
X-Mao-Original-Outgoing-Id: 665499747.3266751-977cae689772ebb06c314485bec66db8
Content-Transfer-Encoding: quoted-printable
Message-Id: <5AFB6C76-9C15-4050-B478-711832318342@tzi.org>
References: <164370592991.14136.4943780498822971831@ietfa.amsl.com> <HE1PR0701MB30500AA57A7DD6F3170BB60F89269@HE1PR0701MB3050.eurprd07.prod.outlook.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/uOK8ObgLKMyJH-nBlifNkQCC_BU>
Subject: Re: [T2TRG] [core] New Version Notification for draft-mattsson-core-coap-attacks-02.txt
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IRTF Thing-to-Thing Research Group <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Feb 2022 13:02:35 -0000

Hi John,

> On 2022-02-01, at 10:30, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> 
> I think this would be a good time to have an adoption call for the document. Echo, Request-Tag, and Token Processing will soon be published as RFC 9175. It would be good to publish the informational “CoAP Attacks” as a companion document in the not-too-distant future as suggested by the security AD.

I think we need to open up this discussion a little bit before we converge on a good way forward.

We already have elements of solutions standardized, e.g., echo-request-tag (RFC 9175-to-be).  This is a standards-track document, done in the CoRE WG.
This document provides the implementer with a set of tools, but doesn’t provide actionable guidelines as to when these tools should be used.

We obviously need more documentation.

We could go ahead and do a BCP now, but somehow that might work approximately as well as the hand-washing mandates that are trying to prevent the spread of COVID-19 — we don’t actually know very well what works and what doesn’t (*).

To really do a BCP that works in a sustainable way, we need to do a bit more research:

— what attacks do occur in practice
— what solutions [mitigations] (RFC 7252, RFC 9175-to-be, others) actually do work against these attacks
— are there workarounds against those solutions that an attacker could use
— would certain solutions just shift around the attacks to a different vulnerability
— what is the design space for potential additional solutions that have fewer work-arounds
— if there are several solutions that one could choose from, how do they compare in
  — effectiveness
  — onus on the communication partners and the network in between
— can we come up metrics that actually allow an implementer to make decisions in this complex space

That information should not all go into the BCP, as this should focus on the actionable advice.  Instead, there should be a document that can be referenced from the BCP to provide more detailed explanation and rationale.

That other document (“research document”) would be a natural thing to work on in T2TRG.  We already have had some off-list discussions that indicate that we might have critical mass for that.

Grüße, Carsten

(*) Spoiler: Hand-washing does little against the spread of COVID-19.  But a general increase of handwashing is not bad at all, and it may be hard to retract mandates until it is proven that handwashing never helps (which you essentially can’t prove), so handwashing will stay on as a ritual that started with COVID-19.
One of my objectives is to minimize the number of rituals that we infect our ecosystem with…

v2.23.0 | Report a Bug | By Email