[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [APPS-REVIEW] secdir review of draft-kucherawy-sender-auth-header-20

To: Barry Leiba <leiba at watson.ibm.com>
Subject: Re: [APPS-REVIEW] secdir review of draft-kucherawy-sender-auth-header-20
From: Douglas Otis <dotis at mail-abuse.org>
Date: Thu, 29 Jan 2009 11:54:30 -0800
Cc: draft-kucherawy-sender-auth-header at tools.ietf.org, draft-otis-auth-header-sec-issues at tools.ietf.org, apps-review at ietf.org, iesg at ietf.org, secdir at ietf.org
Delivered-to: ietfarch-apps-review-archive at core3.amsl.com
Delivered-to: apps-review at core3.amsl.com
In-reply-to: <675489E3DF05B8FA18C3C849 at Uranus.home>
List-archive: <http://www.ietf.org/pipermail/apps-review>
List-help: <mailto:apps-review-request@ietf.org?subject=help>
List-id: Applications Review List <apps-review.ietf.org>
List-post: <mailto:apps-review@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/apps-review>, <mailto:apps-review-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-review>, <mailto:apps-review-request@ietf.org?subject=unsubscribe>
References: <675489E3DF05B8FA18C3C849 at Uranus.home>
Sender: apps-review-bounces at ietf.org

On Jan 25, 2009, at 7:52 AM, Barry Leiba wrote:

I have reviewed this document as part of the security directorate'songoing effort to review all IETF documents being processed by theIESG. These comments were written primarily for the benefit of thesecurity area directors. Document editors and WG chairs shouldtreat these comments just like any other last call comments.
Specifically, I've been asked to review draft-kucherawy-sender-auth-header-20, after having reviewed the -18 revision, and to considerdraft-otis-auth-header-sec-issues-00 in the review. I'm alsocopying this review to the apps-review list, since it's relevantthere.
I've looked at the diffs between the -18 and -20 versions, to makesure I didn't miss any changes, and I've reviewed the -20 version asa whole. I've also looked at the comments and questions that havecome up during IESG evaluation.
My evaluation of the document stands from the -18 version -- the -19and -20 revisions have made clarifications over -18, in response toother comments, and that's good. But the document was basicallysound then, and reflected rough consensus of the participants fromthe email-developer community, and still does.
Considering draft-otis-auth-header-sec-issues-00: Doug's main pointappears to involve a disagreement with Murray's decision not toinclude the IP address, for SPF and Sender-ID cases (for simplicity,I'll just say "SPF" to refer to both in this review). Murrayinstead includes only the domain that has been verified (or not)*using* the IP address. His complaint is that the header field"fails to offer the authenticated entity being trusted in theexchange, the IP address of the SMTP client." In other words, Dougconsiders that it's the IP address, not the ADMD, that has been"authenticated".
I disagree, but this is a tricky area, because we're not wading in atypical sort of authentication pool here -- SPF is actually blendingidentity, authentication, and authorization. As I see it, the SPFmodel is that the *identity* to be authenticated is taken from theSMTP MAIL FROM command (for Sender-ID it's derived through the PRAalgorithm), the IP address supplies the authentication*credentials*, and the DNS lookup both verifies the credentials(completing the authentication) and returns the authorizationinformation in one, combined response ("the entity with thesecredentials is authorized to send mail on behalf of the identity'example.com'.").

The IP address of the SMTP is being authorized by a domain. It is notknown whether the domain intended the authorization to have been basedupon the Mail From or the PRA due to conflicting RFCs. Although theIESG added a warning about this conflict within the respective RFCs,it seems unlikely the warning convinced a substantial portion of thosewho published an SPF record, to then also add a record intended tosupport Sender-ID.

The statement made within RFC 4406 in regard to unintended use of theSPF record is as follows:

,----

In order to provide compatibility for these domains, Sender IDimplementations SHOULD interpret the version prefix "v=spf1" asequivalent to "spf2.0/mfrom,pra", provided no record starting with"spf2.0" exists. ...If the information in a "v=spf1" record is not correct for a PRAcheck, administrators SHOULD publish either an "spf2.0/pra" recordwith correct information or an "spf2.0/pra ?all" record indicatingthat the result of a PRA check is explicitly inconclusive.

'----

While this was a way to adopt RFC 4406 without waiting for explicitsupport, this also created animosity among those not wanting the scopeof SPF record changed by what they viewed as interlopers. While theIESG warning may have been well intended to better ensure emailacceptance, it would be dangerous to also assume this warningrectified existing conflicts between RFC 4408 and RFC 4406.

Secondly, the initial intent of this record was primarily to mitigatebackscatter (currently mitigated by RFC 3834 with greater deliveryintegrity). It remains doubtful that a domain wishing to avoidbackscatter, also asserts that their authorization of an SMTP clientensures _only_ their domain controls the use of Mail From parameter orPRA header field. Any assumption that Authorization of an SMTP clientrepresents Authentication of the authorizing domain as a messagesource ignores these dangerous and likely incorrect assumptions!

Of course, it's entirely reasonable to want the credentials to bepreserved, since they're not secret. I see nothing wrong withincluding the IP address, and I wonder why Murray has chosen notto. That said, I agree with the approach that this field is meantto convey the *results* of application of an "authentication"algorithm, and not to give the MUA what it needs to re-run theauthentication. I'll note that the same is true with the applicationof this to DKIM: the header field described here does not containall the information provided to the DKIM validator.
So, while I see no harm in including the IP address, I have noproblem with the decision not to. I also note that it can be addedas an extension, if there's demand for that from the MUA vendors.There doesn't seem to be, at this point.

The problem of not including the IP address is many. The header islabeled "Authentication-Results". By excluding the _only_authenticated source identity, the IP address of the SMTP client, theheader becomes dangerously misleading. When there are two entitiesdepicted, a recipient is likely to question which element wasauthenticated. In addition, it is the SMTP client being trusted tocontrol the use of parameters or header fields that contain theauthorizing domain. When this trust is not upheld, the reputation ofthe SMTP client should be directly affected, and not that of thedomain. If access to the SMTP client has been compromised, directapplication of SMTP client reputation offers a means for the rapidprotection across all domains who may have authorized the SMTP client.

Assessing SMTP client reputation against the authorizing domains isunfair for several reasons. The domain is unlikely to control theSMTP client and therefore is unaware of any security breach. Blockingthe entire domain also prevents communication through any other secureSMTP client, which makes assessments of the SMTP client by theauthorizing domain highly disruptive and unlikely impractical!

There's the issue of needing the IP address to properly assessreputation. DNS black/white lists (see draft-irtf-asrg-dnsbl) usethe IP address as a reputation key because it's what they have. Thewhole *point* of SPF is to translate the IP address into a confirmeddomain name, to have a more useful reputation key, and this headerfield supports that.

Strongly disagree. The intent of the Authentication-Results headeris for the presentation the results of the methods _after thereputation of the message's authenticated origination was checked_.The only authenticated identifier of the message's origination is theIP address of the SMTP client in the case of SPF and Sender-ID. Thedraft does not mandate that the reputation of the source be checkedprior to adding this header. In fact the example given for look-alikedomains indicates an expectation that the header is added withoutprior reputation checks regarding what is safe to be annotated. Thedraft only requires the reputation of the message source be checkedprior to revealing these results to users, which is normally afunction of an application down stream from that of the border MTA.Although the border MTA that will be making acceptance assessments,these assessments may not relate to the safe source annotations ofMail From or PRA parameters or header fields.

That said, there are result values that do not allow the use of theADMD as a key to a reputation check: "none" and "neutral", forexample, explicitly refuse to tie the IP address to the domainname. In such cases it might be useful to have the IP addressavailable for fall-back reputation checks.

The IP address of the SMTP client is the only reputation check thatshould be made! While there are hundreds of millions of domains,there are about 1.5 million SMTP clients that earn good reputations.The issue is not about which message is accepted, (a function of theborder MTA), this is about what domain can be safely revealed tousers. Whether the SMTP client protects these fields is the essentialquestion that needs to checked. Appendix D reaches several incorrectconclusions, primarily based upon assessments about whether a messageshould be accepted, but not about which parameters or fields should behighlighted to users as the source of the message. With malware beingso rampant and polymorphic, the source of an item represents anextremely critical aspect of security these days. It is not safe toassume that malware can always be detected. The malware can come inthe form documents, images, or videos that many incorrectly considerinherently safe.

On the other hand, it's likely that the mail system will have doneother checks at the domain boundary besides just SPF. Putting theresponsibility for IP-address-based checks in the MUA is probablyunwise anyway.

The draft places this responsibility ONLY on the application that isrevealing the results! There are NO assurances within the header thatany reputation checks have even been made! Preventing a reputationcheck of the SMTP client by the MUA for either SPF or Sender-IDmethods is extremely unwise and will endanger users.

Doug also worries about the use of the "local part" in SPF cases. Iknow that Doug is bothered by the local-part stuff in general, and Iagree with some of his concerns. I think, though, that thoseconcerns aren't relevant to this document -- the document, again, isreflecting the *results* of the SPF check, which may or may notinvolve the local part. This document is not *adding* anything inthat regard.

Actually it does increase the concerns related to the use of the local-part macros available within SPF. This draft adds a stipulation thatlocal-part annotations be "authenticated" which will be interpreted tomean that local-part macros must be used. In essence, the entire SPFSMTP client IP address authorization scheme MUST BE REPEATED for everyuser within a domain! In addition, many of the related transactionsare likely to occur as a result of a cached SPF record. The amount ofDNS traffic this generates might even saturate OC192 connections, letalone swamp victim DNS servers. This enables a free attack whilespamming!

Finally, Doug appears to dislike the use of the word"authentication" here, and I agree with him. As I said above, SPF(for example) isn't *really* an authentication system, and it'sunfortunate that we've fallen into using that term for it. But thefact is that we *have* fallen into it, and I think there'd be moredamage done by trying to use a different term than there is by usingthe term that's come to be accepted, and to acknowledge that it'snot strictly correct.

The dangers are to recipients that are about to see thesemisrepresented results as a result of this draft. At least gettingthe terminology correct now will allow a better understanding of therisks related to the methods being displayed.

So, here's the bottom line:
1. I think draft-kucherawy-sender-auth-header-20 is ready to go asit is.


Strongly disagree.

2. I'd like it if we weren't calling all this "authentication", butI don't see any way around it and I recommend that it NOT be changed.


Why?

3. I wouldn't object to the inclusion of the IP address in theheader field for SPF and Sender-ID cases, but I don't think it'snecessary and support the decision not to include it.

Not including the IP address will mostly likely become a basis for anappeal. There is no desire to impugn the integrity of those involvedin the consensus building process related to this draft, but there isalso reason to be believe special interests were influential inshaping this consensus, where the general good of the public and theInternet was not properly considered. My humble apologies to thoseoffended by an appeal not to accept the consensus for this draft. Twoyears of misrepresenting a method intended to provide an allusion ofsecurity, that also makes mitigating security breaches impractical,can not justify the dangerous decisions that shaped this draft.


-Doug
_______________________________________________
APPS-REVIEW mailing list
APPS-REVIEW at ietf.org
https://www.ietf.org/mailman/listinfo/apps-review

References:
- [APPS-REVIEW] secdir review of draft-kucherawy-sender-auth-header-20
  - From: Barry Leiba

Prev by Date: [APPS-REVIEW] secdir review of draft-kucherawy-sender-auth-header-20
Next by Date: [APPS-REVIEW] Review of draft-merrick-jms-uri-05
Previous by thread: [APPS-REVIEW] secdir review of draft-kucherawy-sender-auth-header-20
Next by thread: [APPS-REVIEW] Review of draft-merrick-jms-uri-05
Index(es):
- Date
- Thread