[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Simple] <note> in IMDN

To: Paul Kyzivat <pkyzivat at cisco.com>
Subject: Re: [Simple] <note> in IMDN
From: Eric Burger <eburger at sipforum.org>
Date: Sun, 25 May 2008 07:57:44 -0500
Cc: simple at ietf.org
Delivered-to: ietfarch-simple-web-archive at core3.amsl.com
Delivered-to: simple at core3.amsl.com
In-reply-to: <483743F6.8060903@cisco.com>
List-archive: <http://www.ietf.org/pipermail/simple>
List-help: <mailto:simple-request@ietf.org?subject=help>
List-id: SIP for Instant Messaging and Presence Leveraging Extensions <simple.ietf.org>
List-post: <mailto:simple@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/simple>, <mailto:simple-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/simple>, <mailto:simple-request@ietf.org?subject=unsubscribe>
References: <1660532724-1210725948-cardhu_decombobulator_blackberry.rim.net-784864713-@bxe033.bisx.prod.on.blackberry> <66cd252f0805131939t6569dab7r45d8ced20471a157@mail.gmail.com> <77384F67-E82C-483C-B555-665BFAF02D4E@standardstrack.com> <66cd252f0805132138m23aa3f42kf01ce0dcb7c42181@mail.gmail.com> <3092F25A-A072-4952-9C44-8C639B1925E2@softarmor.com> <4834C22B.1000407@cisco.com> <AD5C512E-842F-48F3-8824-03EE8A7F7905@sipforum.org> <48374058.3030601@cisco.com> <C06ADE83-1F99-43F5-BC50-DEE465B0F0F5@sipforum.org> <483743F6.8060903@cisco.com>
Sender: simple-bounces at ietf.org

Almost all of the fields in IMDN are verbatim copies of the IM, which  
means an automaton can filter spoofed IMDN's.  Just about all of the  
fields have some protocol semantic value.  However, the <note> field  
is a spam delivery vector that has no protocol value.  That is my  
issue with it: no value *and* a method to introduce spam.  That does  
not sound like a winning combination.

On May 23, 2008, at 5:23 PM, Paul Kyzivat wrote:

>
>
> Eric Burger wrote:
>> 1. The content
>
> Then aren't you concerned with all the nearly unconstrained content  
> that is possible in sip itself? (quoted-strings can be used in many  
> places, and comments are allowed in a few.)
>
> In the context you are talking about, the content is constrained by  
> the syntax of xml. Are you concerned with the xml parser screwing  
> up? Or with an application screwing up processing the content after  
> it has been parsed from the xml - perhaps by doing a bad job of  
> trying to display it?
>
>> 2. IMDN is only for page-mode IM, not MSRP
>
> Oops, sorry. I forgot IMDN had been thrown out of MSRP.
>
> 	Paul
>
>> On May 23, 2008, at 5:08 PM, Paul Kyzivat wrote:
>>> Eric,
>>>
>>> I guess I'm missing what kink of problem you are trying to prevent  
>>> by
>>> constraining the content, and what kinds of constraints are needed  
>>> for
>>> this to be helpful.
>>>
>>> Are you concerned with unconstrained *length* or unconstrained
>>> *content*? You can already put fields of unconstrained length and  
>>> nearly
>>> unconstrained content into MSRP headers, in those places where
>>> quoted-string are allowed.
>>>
>>>    Paul
>>>
>>> Eric Burger wrote:
>>>> Actually, IMDNs, even the SIMPLE free-form fields, are fairly
>>>> constrained.  Any mis-match is an opportunity to filter out bad  
>>>> IMDNs.
>>>> The <note> field has three problems:
>>>>
>>>> 1. It cannot be filtered, as any content could be real (which  
>>>> introduces
>>>> the attack vector)
>>>>
>>>> 2. It cannot know what language it should use, and thus is not  
>>>> likely to
>>>> be useful to the recipient
>>>>
>>>> 3. It has no protocol value, and is of no value to the UA
>>>>
>>>>
>>>> So, if something has no useful protocol value and introduces a spam
>>>> opportunity, why would we want to include it?
>>>>
>>>>
>>>>
>>>> On May 21, 2008, at 7:45 PM, Paul Kyzivat wrote:
>>>>
>>>>> Its kind of late to be thinking about this now. THe problem is  
>>>>> pervasive
>>>>> in MSRP.
>>>>>
>>>>> In SIP there are lots of unconstrained fields. But they are all
>>>>> constrained by the overall size of the message, and people  
>>>>> commonly put
>>>>> limits on that.
>>>>>
>>>>> In MSRP, because of chunking, a single MSRP message can be  
>>>>> gigabytes
>>>>> long. So using that to bound the unconstrained parts of the  
>>>>> headers
>>>>> doesn't work very well.
>>>>>
>>>>> A robust implementation might take a similar approach - define  
>>>>> its own
>>>>> limit on the total message size, excluding the body. Then it could
>>>>> constrain all the unconstrained fields to fit within it.
>>>>>
>>>>> But picking on one header isn't a solution to the problem.  
>>>>> Either assume
>>>>> the developers will be able to deal with it, or else do and  
>>>>> MSRPv2 that
>>>>> eliminates all unconstrained fields.
>>>>>
>>>>>   Paul
>>>>>
>>>>> Dean Willis wrote:
>>>>>> On May 13, 2008, at 11:38 PM, Hisham Khartabil wrote:
>>>>>>
>>>>>>> Can you explain how it is an attack vector?
>>>>>>
>>>>>>
>>>>>> Unconstrained rich content is one of the most easily exploited  
>>>>>> attack
>>>>>> vectors.
>>>>>>
>>>>>> Buffer overrun attacks as well as all of the typical MIME  
>>>>>> compound-
>>>>>> component attacks are likely. For example, the common JPEG
>>>>>> vulnerabilities might be exploitable:
>>>>>>
>>>>>> http://www.news.com/Image-virus-spreads-via-chat/2100-7349_3-5390463.html
>>>>>>
>>>>>>
>>>>>>
>>>>>> Or the content-execution weakness that caused the Macintosh  
>>>>>> Safari
>>>>>> browse to be most easily exploited in recent hacking contests:
>>>>>>
>>>>>> http://www.engadget.com/2007/07/23/safari-exploit-gives-hackers-full-control-of-your-iphone/
>>>>>>
>>>>>>
>>>>>>
>>>>>> There have also been exploits against QuickTime, Flash, and  
>>>>>> most other
>>>>>> plugin components from time to time.
>>>>>>
>>>>>> -- 
>>>>>> Dean
>>>>>> _______________________________________________
>>>>>> Simple mailing list
>>>>>> Simple at ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/simple
>>>>>>
>>>>> _______________________________________________
>>>>> Simple mailing list
>>>>> Simple at ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/simple
>>>>
>>>>
>>> _______________________________________________
>>> Simple mailing list
>>> Simple at ietf.org
>>> https://www.ietf.org/mailman/listinfo/simple

_______________________________________________
Simple mailing list
Simple at ietf.org
https://www.ietf.org/mailman/listinfo/simple

Follow-Ups:
- Re: [Simple] <note> in IMDN
  - From: Dean Willis
- Re: [Simple] <note> in IMDN
  - From: Paul Kyzivat

References:
- Re: [Simple] <note> in IMDN
  - From: eburger
- Re: [Simple] <note> in IMDN
  - From: Hisham Khartabil
- Re: [Simple] <note> in IMDN
  - From: Eric Burger
- Re: [Simple] <note> in IMDN
  - From: Hisham Khartabil
- Re: [Simple] <note> in IMDN
  - From: Dean Willis
- Re: [Simple] <note> in IMDN
  - From: Paul Kyzivat
- Re: [Simple] <note> in IMDN
  - From: Eric Burger
- Re: [Simple] <note> in IMDN
  - From: Paul Kyzivat
- Re: [Simple] <note> in IMDN
  - From: Eric Burger
- Re: [Simple] <note> in IMDN
  - From: Paul Kyzivat

Prev by Date: Re: [Simple] <note> in IMDN
Next by Date: Re: [Simple] <note> in IMDN
Previous by thread: Re: [Simple] <note> in IMDN
Next by thread: Re: [Simple] <note> in IMDN
Index(es):
- Date
- Thread