Re: [tram] WGLC draft-ietf-tram-stunbis-12

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 18 May 2017 01:31 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Brandon Williams <brandon.williams@akamai.com>, "tram@ietf.org" <tram@ietf.org>
Thread-Topic: [tram] WGLC draft-ietf-tram-stunbis-12
Thread-Index: AQHSzPtah9Xr6y5D4EiFrJlIiXED0KH4XBdwgABPRYCAAKb2wA==
Date: Thu, 18 May 2017 01:31:46 +0000
Message-ID: <MWHPR16MB1614358ACFBADAED901D31BAEAE40@MWHPR16MB1614.namprd16.prod.outlook.com>
References: <aaca5191-1ee5-ef99-dd2e-5ee9c1dbd64a@jive.com> <d10acf37-0544-aa21-a068-34222116f2ba@akamai.com> <MWHPR16MB1614D5E350167C6D3E8EB7BDEAE70@MWHPR16MB1614.namprd16.prod.outlook.com> <ac4546c2-9ef2-8cda-88e7-12d8b9228219@akamai.com>
In-Reply-To: <ac4546c2-9ef2-8cda-88e7-12d8b9228219@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/i443ZgWCYy8jHncucJx-Nh9RkY4>
Subject: Re: [tram] WGLC draft-ietf-tram-stunbis-12
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
X-List-Received-Date: Thu, 18 May 2017 01:31:56 -0000

> -----Original Message-----
> From: Brandon Williams [mailto:brandon.williams@akamai.com]
> Sent: Wednesday, May 17, 2017 9:02 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> tram@ietf.org
> Subject: Re: [tram] WGLC draft-ietf-tram-stunbis-12
> 
> Wouldn't changing the nonce cookie invalidate the nonce, causing the server
> to reject signed messages that include the now-bad nonce?

Yes, the server will reject the nonce cookie.

> Security on the one message would be dropped to a lower level, but not for
> the channel as a whole, right?

Yup.

> 
> Agreed that we should mention the issue and (D)TLS. Just don't want to
> overstate.

Works for me.

Cheers,
-Tiru

> 
> --Brandon
> 
> On 05/17/2017 07:06 AM, Konda, Tirumaleswar Reddy wrote:
> > I think https://tools.ietf.org/html/draft-ietf-tram-stunbis-12#section-9.2.1
> > needs more discussion: a man-in-the-middle attacker can also change the
> > "nonce cookie", forcing the client to pick a weaker password algorithm. (D)TLS
> > is required to prevent the MITM attack (just like (D)TLS is required to prevent
> > the downgrade attack to MESSAGE-INTEGRITY).
> >
> > -Tiru
> >
> > -----Original Message-----
> > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Brandon
> > Williams
> > Sent: Monday, May 15, 2017 3:11 AM
> > To: tram@ietf.org
> > Subject: Re: [tram] WGLC draft-ietf-tram-stunbis-12
> >
> > FWIW ... I reviewed the changes in the latest draft. They appear to cover
> > what we discussed in Chicago. I agree with the authors that the outstanding
> > issues have been addressed.
> >
> > --Brandon
> >
> > On 05/01/2017 08:21 AM, Simon Perreault wrote:
> >> TRAMsters,
> >>
> >> This email initiates a two-week working-group last call on this draft:
> >>
> >> https://datatracker.ietf.org/doc/draft-ietf-tram-stunbis/
> >>
> >> Please read it now. Substantial comments should be addressed to the
> >> group. Nits should be sent directly to the authors.
> >>
> >> Thanks,
> >> Simon & Gonzalo
> >>
> >> _______________________________________________
> >> tram mailing list
> >> tram@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tram
> >>
> >
> > _______________________________________________
> > tram mailing list
> > tram@ietf.org
> > https://www.ietf.org/mailman/listinfo/tram
> >
> 
> --
> Brandon Williams; Chief Architect
> Cloud Networking; Akamai Technologies Inc.
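The exchange above (a man-in-the-middle rewriting the nonce cookie to hide PASSWORD-ALGORITHMS, and the server then rejecting the altered nonce) as an added, runnable illustration. This is not code from the thread or from the stunbis authors. It assumes the nonce-cookie layout of the published RFC 8489 (the 9-character prefix "obMatJos2" followed by 4 base64 characters carrying a 24-bit security-features field; draft-12 may differ in detail), and it uses an HMAC-bound nonce as one illustrative way for a server to detect a modified cookie. The bit position chosen for PASSWORD-ALGORITHMS, the server secret and all sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# RFC 8489 sec. 9.2 nonce-cookie prefix (assumption: same in draft-12).
NONCE_COOKIE_PREFIX = "obMatJos2"
# Leading bit of the 24-bit security-features field (bit position is an assumption).
FEATURE_PASSWORD_ALGORITHMS = 0x800000

COOKIE_LEN = len(NONCE_COOKIE_PREFIX) + 4   # prefix + 4 base64 chars = 13
SALT_LEN = 16                               # hex of 8 random bytes
TAG_LEN = 16                                # truncated hex HMAC
NONCE_LEN = COOKIE_LEN + SALT_LEN + TAG_LEN


def encode_features(features: int) -> str:
    """24-bit security-features field -> 4 base64 characters."""
    return base64.b64encode(features.to_bytes(3, "big")).decode("ascii")


def decode_features(cookie_b64: str) -> int:
    """4 base64 characters -> 24-bit security-features field."""
    return int.from_bytes(base64.b64decode(cookie_b64), "big")


class StunServer:
    """Issues nonces whose random part is bound to the cookie bits by an HMAC.

    Illustrative design only: any flip of a cookie bit by a third party
    breaks the tag, so the server can reject the echoed nonce.
    """

    def __init__(self, secret: bytes, features: int):
        self.secret = secret
        self.features = features

    def _tag(self, cookie: str, salt: str) -> str:
        mac = hmac.new(self.secret, (cookie + salt).encode("ascii"), hashlib.sha256)
        return mac.hexdigest()[:TAG_LEN]

    def issue_nonce(self) -> str:
        cookie = NONCE_COOKIE_PREFIX + encode_features(self.features)
        salt = os.urandom(SALT_LEN // 2).hex()
        return cookie + salt + self._tag(cookie, salt)

    def validate_nonce(self, nonce: str) -> bool:
        """True only if the nonce, cookie bits included, is one this server issued."""
        if len(nonce) != NONCE_LEN or not nonce.startswith(NONCE_COOKIE_PREFIX):
            return False
        cookie = nonce[:COOKIE_LEN]
        salt = nonce[COOKIE_LEN:COOKIE_LEN + SALT_LEN]
        tag = nonce[COOKIE_LEN + SALT_LEN:]
        return hmac.compare_digest(tag, self._tag(cookie, salt))


def rewrite_cookie(nonce: str, new_features: int) -> str:
    """Model of the on-path modification discussed above: replace the cookie
    bits while leaving the rest of the nonce untouched."""
    return NONCE_COOKIE_PREFIX + encode_features(new_features) + nonce[COOKIE_LEN:]


def client_accepts_challenge(nonce: str, attrs: dict) -> bool:
    """Client-side consistency check on a 401 challenge.

    If the cookie advertises PASSWORD-ALGORITHMS but the attribute is missing,
    the challenge is inconsistent and is refused. A consistent rewrite (bit
    cleared and attribute stripped) passes here; only the server's nonce
    check, or (D)TLS on the path, catches that case.
    """
    if not nonce.startswith(NONCE_COOKIE_PREFIX):
        return True  # no cookie, nothing to cross-check
    features = decode_features(nonce[len(NONCE_COOKIE_PREFIX):COOKIE_LEN])
    if features & FEATURE_PASSWORD_ALGORITHMS and "PASSWORD-ALGORITHMS" not in attrs:
        return False
    return True


def demo() -> dict:
    """Walk through the scenario from the thread and report each outcome."""
    server = StunServer(b"constructed-server-secret", FEATURE_PASSWORD_ALGORITHMS)
    genuine = server.issue_nonce()
    rewritten = rewrite_cookie(genuine, 0)   # PASSWORD-ALGORITHMS bit cleared on path
    return {
        "genuine_valid": server.validate_nonce(genuine),
        "rewritten_valid": server.validate_nonce(rewritten),
        "client_sees_downgrade": not client_accepts_challenge(rewritten, {}),
        "client_sees_stripped_attr": not client_accepts_challenge(genuine, {}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The result matches the thread: the client that received the rewritten challenge cannot tell it was downgraded (`client_sees_downgrade` is False), so its one request goes out with the weaker algorithm, but the server refuses the tampered nonce (`rewritten_valid` is False), so the weaker protection never extends past that message. Preventing the rewrite in the first place is what (D)TLS on the path is for.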