Re: [tram] WGLC draft-ietf-tram-stunbis-12

Brandon Williams <brandon.williams@akamai.com> Wed, 17 May 2017 15:38 UTC

Wouldn't changing the nonce cookie invalidate the nonce, causing the 
server to reject signed messages that include the now-bad nonce? 
Security on the one message would be dropped to a lower level, but not 
for the channel as a whole, right?

Agreed that we should mention the issue and (D)TLS. Just don't want to 
over-state.

--Brandon

On 05/17/2017 07:06 AM, Konda, Tirumaleswar Reddy wrote:
> I think https://tools.ietf.org/html/draft-ietf-tram-stunbis-12#section-9.2.1 needs more discussion, a man-in-the-middle attacker can also change the "nonce cookie" forcing the client to pick a weaker password algorithm. (D)TLS is required to prevent the MITM attack (just like (D)TLS is required to prevent the downgrade attack to MESSAGE-INTEGRITY).
>
> -Tiru
>
> -----Original Message-----
> From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Brandon Williams
> Sent: Monday, May 15, 2017 3:11 AM
> To: tram@ietf.org
> Subject: Re: [tram] WGLC draft-ietf-tram-stunbis-12
>
> FWIW ... I reviewed the changes in the latest draft. They appear to cover what we discussed in Chicago. I agree with the authors that the outstanding issues have been addressed.
>
> --Brandon
>
> On 05/01/2017 08:21 AM, Simon Perreault wrote:
>> TRAMsters,
>>
>> This email initiates a two-week working-group last call on this draft:
>>
>> https://datatracker.ietf.org/doc/draft-ietf-tram-stunbis/
>>
>> Please read it now. Substantial comments should be addressed to the
>> group. Nits should be sent directly to the authors.
>>
>> Thanks,
>> Simon & Gonzalo
>>
>> _______________________________________________
>> tram mailing list
>> tram@ietf.org
>> https://www.ietf.org/mailman/listinfo/tram
>>
>

-- 
Brandon Williams; Chief Architect
Cloud Networking; Akamai Technologies Inc.
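The exchange debated above, as an added illustration that is not part of the thread or of the draft: a server issues a nonce carrying a security feature set and later accepts only a nonce it actually issued, so a copy with the password-algorithms bit cleared is rejected. The cookie layout (the "obMatJos2" prefix followed by four base64 characters encoding a 24-bit feature set, first bit = password algorithms) follows what stunbis ended up specifying in RFC 8489; the Server class, the opaque server part and all function names are assumptions made for this example.

```python
import base64
import secrets

NONCE_COOKIE = "obMatJos2"              # cookie prefix marking a nonce with a feature set
FEATURE_PASSWORD_ALGORITHMS = 1 << 23   # first bit of the 24-bit Security Feature Set
FEATURE_USERNAME_ANONYMITY = 1 << 22    # second bit


def make_nonce(features, server_part=None):
    """Cookie + base64(24-bit feature set) + opaque server-chosen part (assumed layout)."""
    if server_part is None:
        server_part = secrets.token_hex(8)          # constructed, per-challenge value
    encoded = base64.b64encode(features.to_bytes(3, "big")).decode("ascii")
    return NONCE_COOKIE + encoded + server_part


def parse_nonce(nonce):
    """Return (features, server_part), or None when no well-formed cookie is present."""
    head = len(NONCE_COOKIE)
    if not nonce.startswith(NONCE_COOKIE) or len(nonce) < head + 4:
        return None
    try:
        raw = base64.b64decode(nonce[head:head + 4], validate=True)
    except ValueError:
        return None
    if len(raw) != 3:
        return None
    return int.from_bytes(raw, "big"), nonce[head + 4:]


class Server:
    """Hypothetical server keeping the nonces it handed out in 401 challenges."""

    def __init__(self, features):
        self.features = features
        self.issued = set()

    def challenge(self):
        nonce = make_nonce(self.features)
        self.issued.add(nonce)
        return nonce

    def accept_nonce(self, nonce):
        # The whole nonce, feature bits included, must be one this server issued;
        # a nonce whose cookie was altered in transit is therefore unknown here.
        if nonce not in self.issued:
            return False
        parsed = parse_nonce(nonce)
        return parsed is not None and parsed[0] == self.features
```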