headers
Terry Manderson | 1 Feb 01:14
Picon
Favicon

Re: Last Call: <draft-ietf-sidr-rpki-rtr-19.txt> (The RPKI/Router Protocol) to Proposed Standard

On 28/01/12 3:02 PM, "Rob Austein" <sra <at> hactrn.net> wrote:

> At Wed, 21 Dec 2011 17:43:23 -0800, Terry Manderson wrote:
>>
>> Apologies for my lack of attention to date on this topic, so speaking only
>> for myself here.
>
> Similar apologies for not having answered this more promptly.  Somehow
> we missed seeing this until our AD asked us about it.
>
> Please see draft-ietf-sidr-rpki-rtr-25, just posted, which we hope
> addresses most of your concerns (there are a few points on which I
> think we're just going to have to agree to disagree).

I will read -25 soon and raise any concerns should they remain.

>
[..]

> RADIUS doesn't have a bulk transfer operation, and bulk transfer of
> data is the main task of this protocol, particularly at start-up.

Is that function of the protocol now highlighted in -25?

>
> You are certainly entitled to your opinion, but it comes a bit late.
> This work was done in the public view, with regular progress reports
> to the SIDR WG, and we have multiple interoperable implementations
> including several of the major router vendors.  So, with all due
> respect, I don't think the folks who have put work into this will be
(Continue reading)

Permalink | Reply | 0 comments |
headers
Francisco Corella | 1 Feb 05:53
Favicon

REVISED Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

The bearer token protocol described in the document referenced in the
subject line is vulnerable to the following attack by a malicious
resource server.

There are two resource servers S1 and S2, S1 hosting a resource R1,
and S2 hosting a resource R2.  Servers are not entitled to access
resources that they do not host.  S1 is malicious.  The client obtains
a broadly scoped access token that allows access to both resources.
The client uses the access token to obtain resource R1 from server S1.
Malicious server S1 then presents the access token received from the
client to server S2 and gains access to resource R2, which it is not
entitled to access.

Including the identity of the intended recipients in the token, as
recommended in Section 4.2, does not help, since the intended
recipients of the broadly scoped token include both R1 and R2.

Francisco

_______________________________________________
Ietf mailing list
Ietf <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf
Permalink | Reply | 2 comments |
headers
Tschofenig, Hannes (NSN - FI/Espoo | 1 Feb 13:33

RE: REVISED Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0Authorization Protocol: Bearer Tokens) to Proposed Standard

Hi Francisco,

 

if a token is created for access to server S1 and S2 then any party that gets access to the token can obviously access both servers. This should not be super surprising.

 

So, if you have a deployment where you want to grant access to resources at multiple servers and the attack you describe is a concern then you need to create multiple tokens.

 

The content of the token defines what the token can be used for.

 

The bearer token specification does not define the content of the token and therefore it is difficult to say more about it beyond what it already says.

 

If you think it is worth to specify highlight this type of attack then the appropriate place to describe it is the threats document.

 

Ciao
Hannes

 

From: ietf-bounces <at> ietf.org [mailto:ietf-bounces <at> ietf.org] On Behalf Of ext Francisco Corella
Sent: Wednesday, February 01, 2012 6:53 AM
To: ietf <at> ietf.org
Subject: REVISED Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0Authorization Protocol: Bearer Tokens) to Proposed Standard

 

The bearer token protocol described in the document referenced in the
subject line is vulnerable to the following attack by a malicious
resource server.

There are two resource servers S1 and S2, S1 hosting a resource R1,
and S2 hosting a resource R2.  Servers are not entitled to access
resources that they do not host.  S1 is malicious.  The client obtains
a broadly scoped access token that allows access to both resources.
The client uses the access token to obtain resource R1 from server S1.
Malicious server S1 then presents the access token received from the
client to server S2 and gains access to resource R2, which it is not
entitled to access.

Including the identity of the intended recipients in the token, as
recommended in Section 4.2, does not help, since the intended
recipients of the broadly scoped token include both R1 and R2.

Francisco

_______________________________________________
Ietf mailing list
Ietf <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf
Permalink | Reply | 1 comment |
headers
Jinesh Doshi | 1 Feb 17:49
Picon
Favicon

Last Call: <draft-weil-shared-transition-space-request-14.txt> (IANA Reserved IPv4 Prefix for Shared Address Space) to BCP

I support the updates to this draft.

Jinesh
Permalink | Reply | 0 comments |
headers
Francisco Corella | 1 Feb 21:31
Favicon

Re: REVISED Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0Authorization Protocol: Bearer Tokens) to Proposed Standard

Hi Hannes,

> if a token is created for access to server S1 and S2 then any party
> that gets access to the token can obviously access both servers. This
> should not be super surprising.
>
> So, if you have a deployment where you want to grant access to
> resources at multiple servers and the attack you describe is a concern
> then you need to create multiple tokens.
>
> The content of the token defines what the token can be used for.
>
> The bearer token specification does not define the content of the
> token and therefore it is difficult to say more about it beyond what
> it already says.
>
> If you think it is worth to specify highlight this type of attack then
> the appropriate place to describe it is the threats document.

Why shouldn't this attack be discussed in the security considerations
section of the protocol spec?  The security considerations section
already addresses two closely related attacks: "token redirect" and
"token replay".  It could use the following language to address
together this attack and the "token redirect" attack:

* If there are multiple resource servers, and different resource
* servers provide client access to different resources, and resource
* servers are not entitled to access resources others than those that
* they provide client access to, then care must be taken to prevent a
* malicious resource server from using an access token presented by a
* client to access, through another resource server, a resource that
* that the malicious server does not provide client access to.  This
* can be accomplished in two different ways:
*
*   1. By including in the access token a specification of the set of
*   resources that can be accessed by the token.  The set must satisfy
*   the following condition: every resource server that provides
*   client access to a resource in the set must provide client access
*   to all the resources in the set.  Or,
*
*   2. By including in the access token a specification of the set of
*   servers that the token can be presented to.  A resource server
*   must verify that it is a member of the set when presented with the
*   token.  The set must satisfy the following condition: all the
*   resource servers in the set must provide client access to the same
*   set of resources.

Best,

Francisco


From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig <at> nsn.com>
To: Francisco Corella <fcorella <at> pomcor.com>; ietf <at> ietf.org
Sent: Wednesday, February 1, 2012 4:33 AM
Subject: RE: REVISED Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0Authorization Protocol: Bearer Tokens) to Proposed Standard

Hi Francisco,
 
if a token is created for access to server S1 and S2 then any party that gets access to the token can obviously access both servers. This should not be super surprising.
 
So, if you have a deployment where you want to grant access to resources at multiple servers and the attack you describe is a concern then you need to create multiple tokens.
 
The content of the token defines what the token can be used for.
 
The bearer token specification does not define the content of the token and therefore it is difficult to say more about it beyond what it already says.
 
If you think it is worth to specify highlight this type of attack then the appropriate place to describe it is the threats document.
 
Ciao
Hannes
 
From: ietf-bounces <at> ietf.org [mailto:ietf-bounces <at> ietf.org] On Behalf Of ext Francisco Corella
Sent: Wednesday, February 01, 2012 6:53 AM
To: ietf <at> ietf.org
Subject: REVISED Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0Authorization Protocol: Bearer Tokens) to Proposed Standard
 
The bearer token protocol described in the document referenced in the
subject line is vulnerable to the following attack by a malicious
resource server.

There are two resource servers S1 and S2, S1 hosting a resource R1,
and S2 hosting a resource R2.  Servers are not entitled to access
resources that they do not host.  S1 is malicious.  The client obtains
a broadly scoped access token that allows access to both resources.
The client uses the access token to obtain resource R1 from server S1.
Malicious server S1 then presents the access token received from the
client to server S2 and gains access to resource R2, which it is not
entitled to access.

Including the identity of the intended recipients in the token, as
recommended in Section 4.2, does not help, since the intended
recipients of the broadly scoped token include both R1 and R2.

Francisco


_______________________________________________
Ietf mailing list
Ietf <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf
Permalink | Reply | 0 comments |
headers
C. M. Heard | 1 Feb 22:25
Picon
Favicon

Re: Last Call: <draft-weil-shared-transition-space-request-14.txt> (IANA Reserved IPv4 Prefix for Shared Address Space) to BCP

On Wed, 1 Feb 2012, Brian E Carpenter wrote:
> On 2012-02-01 08:14, Pete Resnick wrote:
> > On 1/31/12 11:59 AM, George, Wes wrote:
> >>> From: Noel Chiappa [mailto:jnc <at> mercury.lcs.mit.edu]
> >>>
> >>> Is that wise? I thought (IIRC, and maybe I'm spacing) the 
> >>> whole reason for allocating this space was that 1918 space 
> >>> _couldn't_ easily be used for CGN because there were too many 
> >>> conflicting usages.
> >>>      
> >> [WEG] yes, but the general sense I got from the ensuing discussion was
> >> that no one expects anyone to actually adhere to that advice (ie MUST
> >> NOT be used as substitute for 1918 space), and as soon as the space is
> >> released, it'll be "cats and dogs living together, mass hysteria..."
> >> because everyone and their cousin will start using it as 1918-bis
> >> anyway, no matter whether the IETF wags their fingers at them or not.
> 
> I have no doubt that this space will be (mis)used as additional
> private ambiguous address space. But IMHO the text should make it
> clear that this is the wrong way to use it and give the reasons
> why - basically the same information as in the new text, but stated
> exactly the other way round. For example
> 
>      Shared Address Space is IPv4 address space designated for Service
>      Provider use with the purpose of facilitating CGN deployment.
>      Shared Address Space is not intended to be used as additional [RFC1918]
>      space, because either or both of the following issues might arise:
> 
>      o  Shared Address Space could also be used on the Service Provider side
>         of the CPE, with overlapping subnet or host addresses.
> 
>      o  Some CPE routers behave incorrectly when using the same address block on
>         both the internal and external interfaces.
> 
> > Speaking as one of the bozos^h^h^h^h^h ADs whose comments (and suggested
> > text) ended the document up here, let me suggest the slightly less
> > pessimistic view from Wes's, and the reason that I think this
> > *shouldn't* specifically update 1918:
> > 
> > This *is* a special use address block that is akin to 1918. It is
> > non-routable address space, just like 1918. But unlike 1918, this block
> > is defined as "might be used by your ISP on your outside interface". So,
> > people using it inside their networks (which, I agree with Wes, will
> > happen, and like everything else on the net, will be done stupidly by
> > some) have been told that this is *not* private use space and that they
> > use it at their own risk and their CGN service might stop working if
> > they use it in a way not described in this document. But I'd hate for us
> > to allocate space to "CGNs only" when it's obvious that this can be used
> > for a whole class of these sorts of things, and can be used by other
> > people who build sane equipment that understands "shared" addresses can
> > appear on two different interfaces. These aren't "private" addresses a
> > la 1918, they're "shared", so it's not an addition to that space. Let's
> > properly document what it is we're doing, giving people fair warnings.
> 
> Exactly, hence my suggested text above.

+1

//cmh
Permalink | Reply | 0 comments |
headers
Pete Resnick | 1 Feb 23:33

Re: Last Call: <draft-weil-shared-transition-space-request-14.txt> (IANA Reserved IPv4 Prefix for Shared Address Space) to BCP

On 1/31/12 1:38 PM, Brian E Carpenter wrote:
> IMHO the text should make it
> clear that this is the wrong way to use it and give the reasons
> why - basically the same information as in the new text, but stated
> exactly the other way round. For example
>
>       Shared Address Space is IPv4 address space designated for Service
>       Provider use with the purpose of facilitating CGN deployment.
>       Shared Address Space is not intended to be used as additional [RFC1918]
>       space, because either or both of the following issues might arise:
>
>       o  Shared Address Space could also be used on the Service Provider side
>          of the CPE, with overlapping subnet or host addresses.
>
>       o  Some CPE routers behave incorrectly when using the same address block on
>          both the internal and external interfaces.
>    

Ah. I think we're in pretty good agreement. The -14 text uses the words 
"may be used as [RFC1918] private address space", and I agree with you 
that we don't want to use those words. We need to say that though it is 
similar to 1918 space, it has limitations. So I wouldn't object to the 
above text , but I think we do have to give some indication of the flip 
side. I want something that says that Shared Address Space can be used 
for other Service-Provider-type uses and are not limited to CGNs. They 
can be used on any network equipment willing to do address translation 
across interfaces which both use the Shared Address Space, just as CGNs 
do. That is, clarify throughout that this *isn't* just like 1918 space 
(it has limitations and can only be used in particular circumstances), 
but do describe what the conditions are under which it can be used.

In your above, I would even strengthen "is not intended to be used as 
additional [RFC1918] space" to "can not be use as [RFC1918] private 
address space", and then maybe add something about where it can be used. 
In the intro, I would change the second paragraph (and it's sub-bullets) to:

    Shared Address Space is similar to [RFC1918] private address space in
    that it is not global routeable address space and can be used by
    multiple pieces of equipment. However, Shared Address Space has
    limitations in its use that the current [RFC1918] private address
    space does not have. In particular, Shared Address Space can only be
    used on routing equipment that is able to do address translation
    across router interfaces when the addresses are identical on two
    different interfaces.

Or something to that effect. Does that still capture that Shared Address 
Space is similar to 1918 space, it can be used for purposes other than 
CGN, but it can't be used everywhere 1918 addresses are used?

pr

--

-- 
Pete Resnick<http://www.qualcomm.com/~presnick/>
Qualcomm Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102
Permalink | Reply | 1 comment |
headers
Brian E Carpenter | 2 Feb 02:40
Picon

Re: Last Call: <draft-weil-shared-transition-space-request-14.txt> (IANA Reserved IPv4 Prefix for Shared Address Space) to BCP

Pete,

We seem to be agreeing violently.

Regards
   Brian Carpenter

On 2012-02-02 11:33, Pete Resnick wrote:
> On 1/31/12 1:38 PM, Brian E Carpenter wrote:
>> IMHO the text should make it
>> clear that this is the wrong way to use it and give the reasons
>> why - basically the same information as in the new text, but stated
>> exactly the other way round. For example
>>
>>       Shared Address Space is IPv4 address space designated for Service
>>       Provider use with the purpose of facilitating CGN deployment.
>>       Shared Address Space is not intended to be used as additional
>> [RFC1918]
>>       space, because either or both of the following issues might arise:
>>
>>       o  Shared Address Space could also be used on the Service
>> Provider side
>>          of the CPE, with overlapping subnet or host addresses.
>>
>>       o  Some CPE routers behave incorrectly when using the same
>> address block on
>>          both the internal and external interfaces.
>>    
> 
> Ah. I think we're in pretty good agreement. The -14 text uses the words
> "may be used as [RFC1918] private address space", and I agree with you
> that we don't want to use those words. We need to say that though it is
> similar to 1918 space, it has limitations. So I wouldn't object to the
> above text , but I think we do have to give some indication of the flip
> side. I want something that says that Shared Address Space can be used
> for other Service-Provider-type uses and are not limited to CGNs. They
> can be used on any network equipment willing to do address translation
> across interfaces which both use the Shared Address Space, just as CGNs
> do. That is, clarify throughout that this *isn't* just like 1918 space
> (it has limitations and can only be used in particular circumstances),
> but do describe what the conditions are under which it can be used.
> 
> In your above, I would even strengthen "is not intended to be used as
> additional [RFC1918] space" to "can not be use as [RFC1918] private
> address space", and then maybe add something about where it can be used.
> In the intro, I would change the second paragraph (and it's sub-bullets)
> to:
> 
>    Shared Address Space is similar to [RFC1918] private address space in
>    that it is not global routeable address space and can be used by
>    multiple pieces of equipment. However, Shared Address Space has
>    limitations in its use that the current [RFC1918] private address
>    space does not have. In particular, Shared Address Space can only be
>    used on routing equipment that is able to do address translation
>    across router interfaces when the addresses are identical on two
>    different interfaces.
> 
> Or something to that effect. Does that still capture that Shared Address
> Space is similar to 1918 space, it can be used for purposes other than
> CGN, but it can't be used everywhere 1918 addresses are used?
> 
> pr
>
Permalink | Reply | 0 comments |
headers
NomCom Chair | 2 Feb 03:33
Picon
Favicon

Nomcom 2011-2012: IAB Appointments

Hi all,

The 2011-2012 IETF Nominating committee is pleased to announce
the selection of the IAB members whose two year terms start at
IETF83.

The Nomcom has selected the following persons to serve as members
of the IAB and they have been confirmed by the ISOC Board of
Trustees (in its role as the confirming body):

Bernard Aboba
Jari Arkko
Marc Blanchet
Ross Callon
Spencer Dawkins
Hannes Tschofenig

We would like to express our sincere gratitude to the incumbents
who are not returning for their outstanding service, the many
highly qualified members of the community who offered to serve,
the community for their assistance in this process, and the
individuals named above for agreeing to serve the community on
the IAB.

Suresh Krishnan
Chair, NomCom 2011-2012
Permalink | Reply | 0 comments |
headers
Alan Johnston | 2 Feb 22:55
Picon

Yet Another Reason?

Is this yet another reason not to have IETF meetings in the USA? ;-)

     http://yro.slashdot.org/story/12/02/02/1719221/do-you-like-online-privacy-you-may-be-a-terrorist

The FBI and their would-be tipsters could be flat out trying
investigate everyone who uses encryption, anonymizer and privacy tools
on the Internet, or changes SIM cards in their mobile phone!  At least
"wearing T-shirts with inscrutable slogans" isn't on the list yet or
we'd all be rounded up...

Seriously - who writes this stuff?

- Alan -
Permalink | Reply | 6 comments |

Gmane