[Tsvwg] Secdir review of draft-ietf-tsvwg-rsvp-user-error-spec-06
"Stephen Hanna" <shanna@juniper.net> Sun, 04 May 2008 07:04 UTC
Return-Path: <tsvwg-bounces@ietf.org>
X-Original-To: tsvwg-archive@optimus.ietf.org
Delivered-To: ietfarch-tsvwg-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2631828C281; Sun, 4 May 2008 00:04:14 -0700 (PDT)
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 56E623A6837; Fri, 2 May 2008 21:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2r40Q9tAl0CF; Fri, 2 May 2008 21:05:03 -0700 (PDT)
Received: from exprod7og105.obsmtp.com (exprod7og105.obsmtp.com [64.18.2.163]) by core3.amsl.com (Postfix) with ESMTP id 6E8883A6E7C; Fri, 2 May 2008 21:04:27 -0700 (PDT)
Received: from source ([66.129.224.36]) by exprod7ob105.postini.com ([64.18.6.12]) with SMTP; Fri, 02 May 2008 21:04:28 PDT
Received: from proton.jnpr.net ([10.10.2.37]) by emailsmtp55.jnpr.net with Microsoft SMTPSVC(6.0.3790.1830); Fri, 2 May 2008 21:04:26 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 03 May 2008 00:04:24 -0400
Message-ID: <A6398B0DB62A474C82F61554EE937287054A6D49@proton.jnpr.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Secdir review of draft-ietf-tsvwg-rsvp-user-error-spec-06
Thread-Index: AcirFpjvucSNYFTQT8eJ27hzOtCb2QBkhLWA
From: Stephen Hanna <shanna@juniper.net>
To: swallow@cisco.com, adrian@olddog.co.uk
X-OriginalArrivalTime: 03 May 2008 04:04:26.0059 (UTC) FILETIME=[C6ED01B0:01C8ACD2]
X-Mailman-Approved-At: Sun, 04 May 2008 00:04:13 -0700
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, tsvwg@ietf.org, secdir@mit.edu, iesg@ietf.org, jmpolk@cisco.com
Subject: [Tsvwg] Secdir review of draft-ietf-tsvwg-rsvp-user-error-spec-06
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
Sender: tsvwg-bounces@ietf.org
Errors-To: tsvwg-bounces@ietf.org
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and others should treat these comments just like any other comments. I should preface this security review by stating that I am not an expert in RSVP. Please excuse any misunderstandings on that front. And please excuse the lateness of my comments. This document defines a standard for user-defined errors in RSVP. It clearly defines the format and semantics for such errors as well as the procedures to be followed in sending and processing the errors. Backward compatibility is adequately considered. The Security Considerations section of this document seems to adequately address most of the security implications of this specification. The only security-related suggestion that I have regarding the document is that I think it might be good to add text to section 4.2, warning recipients to carefully examine a received USER_ERROR_SPEC object for malformed data or otherwise dangerous before processing it. Otherwise, buffer overruns or injection problems could arise. Here's a sample paragraph: Like any other data received from a partially trusted party, the recipient MUST carefully check the USER_ERROR_SPEC object and its contents to make sure that it does not contain any malformed or illegal values and will not cause any buffer overruns or other processing errors that could cause reliability or security problems. The Error Description should be examined especially carefully if it is to be logged or displayed since it may eventually be processed by other code with poor error handling. Any control characters (bytes with values 0-31 and 127 decimal) or non-ASCII characters (128-255 decimal) MUST be removed. Other characters may need to be removed from the string, depending on the logging system in use and the range of characters that it can accept. If the logging or display system has escaping or another post-processing step that could give special meaning to the characters in the string, protection against injection attacks SHOULD be included in the RSVP code. While this warning will probably seem obvious to security-aware readers, some readers may be naive about security issues so it's good to include this sort of warning. If you agree that control characters should not be included in the Error Description, you might want to include a requirement that senders not include such characters in the string. However, recipients cannot assume that the sender will do so. It seems better to have the recipient remove such characters from the string than for them to regard the message as malformed. I also noticed two typographical errors in the specification: In section 3, "Criticial" should be "Critical". In section 4.2, "display of logging" should be "display or logging". As I stated above, the specification seems to be good overall. Thanks, Steve
- [Tsvwg] Secdir review of draft-ietf-tsvwg-rsvp-us… Stephen Hanna