[tram] Benjamin Kaduk's No Record on draft-ietf-tram-stunbis-16: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Thu, 19 April 2018 01:10 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: tram@ietf.org
Delivered-To: tram@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A7315126C89; Wed, 18 Apr 2018 18:10:37 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk <kaduk@mit.edu>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tram-stunbis@ietf.org, Gonzalo.Camarillo@ericsson.com, Tolga Asveren <tasveren@rbbn.com>, tram-chairs@ietf.org, tasveren@rbbn.com, tram@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.78.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152410023763.28841.5479872591399614102.idtracker@ietfa.amsl.com>
Date: Wed, 18 Apr 2018 18:10:37 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/aGKtyJ2Cz48wnicwQLZ9Quop4m0>
Subject: [tram] Benjamin Kaduk's No Record on draft-ietf-tram-stunbis-16: (with COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Apr 2018 01:10:38 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-tram-stunbis-16: No Record When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-tram-stunbis/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I'm balloting No Objection and not DISCUSS because no individual item rises quite to that level of criticality, but there still are quite a number of things that ought to be addressed prior to publication. In addition to the excellent points raised in the secdir review (which are mostly addressed but only in the editor's copy?), I would call out a few more key observations: If I understand correctly, the server's PASSWORD-ALGORITHMS array from the response are echoed back by the client in the subsequent request in order to provide downgrade protection -- the initial response is at least sometimes not authenticated, and by having the client repeat it back under an authenticated scheme, the server can detect if the list was tampered to remove any new, stronger, algorithms. This is probably an important enough concept to be called out explicitly, either where the behavior is described or in Section 9.2.1 ("Bid Down Attack Prevention"). Section 8.1 has some text that could be read as requiring a STUN client to implement dual-stack IPv4/IPv6, which presumably is not the intention: In addition, instead of querying either the A or the AAAA resource records for a domain name, the client MUST query both and try the requests with all the IP addresses received, as specified in [RFC8305]. There are still some places where the text talks about MESSAGE-INTEGRITY when it really means "message integrity protection" (i.e., either the SHA1 or SHA-256 variants, for now); I've attempted to note them in the notes below. There is text in both Sections 9.1 and 9.2 that talks of replay protection being provided, by the time-limited nature of the short-term credentials or the nonce for long-term credentials. This seems to only, strictly speaking, be true if any given password/nonce can only be used once, but for the short-term credentials the password is used for the duration of the "session-equivalent", and for the long-term credentials a nonce can be reused for some amount of time as well. So while these are both replay countermeasures that can limit replay attacks, it seems a stretch to claim that they prevent replay attacks (entirely). The Stale Nonce behavior seems potentially worrisome, in that it opens up a side channel for a distinguishing attack, between a 401 and 438 response. (That is, "password correct" vs. "password incorrect".) The impact seems rather muted, though, since the gain to the attacker is to be able to precompute a bunch of requests using a nonce of the attacker's choosing and blindly replay the precomputed object against (possibly multiple) servers looking for a guess. The realm and username are still in play, so the scope for the attacker to gain from the precomputation seems limited. (The same level of brute-force guessing can be obtained "live" just by computing the trial responses against a live server, using a valid nonce.) So, while it might be nice to give guidance that 438 should only be used when the server can validate that it did generate the nonce and the nonce was valid "recently", and to treat other cases as authentication failures, it's not clear to me that there's enough of a benefit from the change to make it worth doing. Section 6.2.3 Maybe just cite BCP 195/RFC 7525 instead of inlining requirements? Also, the "client SHOULD verify ..." and "client MUST verify ..." are similar enough that some clarification of certificate vs. identity verification would be in order, if both statements are believed accurate. Section 6.3 [...] Known-but-unexpected attributes SHOULD be ignored by the agent. [...] Why is this not an error? Section 6.3.1, 6.3.2, etc. Should the second paragraph start with "Otherwise, "? Presumably once an error response is sent or processing ceases, processing stops... Section 8.1 [...] A "stuns" URI containing an IP address MUST be rejected, unless the domain name is provided by the same mechanism that provided the STUN URI, and that domain name can be passed to the verification code. "the verifcation code" is probably unnecessarily vague; we're just talking about the (D)TLS SNI and certifciate verification code, right? Section 9.2 [...[ The nonce provides the replay protection. It is a cookie, selected by the server, and encoded in such a way as to indicate a duration of validity or client identity from which it is valid. Is this like a TLS cookie, where only the server needs to know about the internal structure (viz. "encoded" in the above)? If so, the text could probably be more clear. When mentioning just "a message-integrity", maybe forward-ref both versions of it to be more clear that we don't mean just the old one? It's unclear why indications can't use a nonce, if one is known from a previous request/response on the same connection. When encoding the value of 0 for the security feature, it may be worth clarifying that it is still encoded as a 24-bit integer and base64-encoded, though the "13 character string" text ought to make this clear to the reader. Section 9.2.4 * If the request contains neither PASSWORD-ALGORITHMS nor PASSWORD- ALGORITHM, then the request is processed as though PASSWORD- ALGORITHM were MD5 (Note that if the original PASSWORD-ALGORITHMS attribute did not contain MD5, this will result in a 400 Bad Request in a later step below). This Note seems a bit odd, since we're predicated on PASSWORD-ALGORITHMS being absent. * Otherwise, unless (1) PASSWORD-ALGORITHM and PASSWORD- ALGORITHMS are both present, (2) PASSWORD-ALGORITHMS matches the value sent in the response that sent this NONCE, and (3) PASSWORD-ALGORITHM matches one of the entries in PASSWORD- ALGORITHMS, the server MUST generate an error response with an error code of 400 (Bad Request). Maybe we could be more clear about "the value of the PASSWORD-ALGORITHMS attribute in the message matches the value of the PASSWORD-ALGORITHMS attribute sent in the response that sent the NONCE used with this message"? Section 9.2.5 If the response contains a PASSWORD-ALGORITHMS attribute, the subsequent request MUST be authenticated using MESSAGE-INTEGRITY- SHA256 only. This means "all subsequent requests to this server"? Maybe the wording could be more clear. (It also means that if we get a new scheme when SHA256 is broken, the document introducing it may need to Update this document to remove the MUST.) Also, I think the Security Feature bit is "Password algorithms" plural (in the next paragraph and maybe multiple locations in the document). Section 10 [...] If the transaction uses TLS or DTLS and if the transaction is authenticated by a MESSAGE-INTEGRITY-SHA256 attribute and if the server wants to redirect to a server that uses a different certificate, then it MUST include an ALTERNATE-DOMAIN attribute containing the subjectAltName of that certificate. The (definite article), implying the entire subjectAltName? Or just one name that is contained as a SAN entry? Section 14.8 Need to not just say MESSAGE-INTEGRITY since the SHA256 variant should be fine as well. Section 14.10 Maybe the nonce cookie should get a shout-out here? Section 14.12 Do we need to talk about the padding, since this is the the sole contents of the attribute and the attribute padding suffices? Also, "derive the long-term password" doesn't seem quite right; we're deriving the key from the long-term password, per Section 17.15.1. Section 15.1.2 There is no amplification of the number of packets with this attack (the STUN server sends one packet for each packet sent by the client), though there is a small increase in the amount of data, since STUN responses are typically larger than requests. I usually hear amplification in terms of bytes or bandwidth, not packets. So maybe just "amplification is modest"? Section 15.3 This specification uses both HMAC-SHA1 and HMAC-SHA256 for computation of the message integrity. Could perhaps be reworded, since the number of situations when both are used on the same message is small, and we try to push SHA256 when we can. o STUN Client and Server using the Short Term Credential Mechanism Clients and Servers, plural. Section 17.32. I'm confused why we have MUST-level requirements about using PASSWORD-ALGORITHMS when it is in the comprehension-optional range (e.g., echoing from response to repeated request as in Section 9.2.5). The server cannot actually enforce this MUST when talking to an old client if we want to retain the comprehension-optional semantics, IIUC. Section 17.6 If we're adding support for DTLS-over-udp (per the next section), should we be registering stuns/udp? "password encryption algorithm" is not quite the right statement to make, since we're hashing, not encrypting.
- [tram] Benjamin Kaduk's No Record on draft-ietf-t… Benjamin Kaduk
- Re: [tram] Benjamin Kaduk's No Record on draft-ie… Marc Petit-Huguenin
- Re: [tram] Benjamin Kaduk's No Record on draft-ie… Rohan Mahy
- Re: [tram] Benjamin Kaduk's No Record on draft-ie… Benjamin Kaduk
- Re: [tram] Benjamin Kaduk's No Record on draft-ie… Benjamin Kaduk