Last Call Review of draft-ietf-core-stateless-05
review-ietf-core-stateless-05-secdir-lc-mandelberg-2020-03-20-00

Request Review of draft-ietf-core-stateless
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-04-02
Requested 2020-03-12
Authors Klaus Hartke, Michael Richardson
Draft last updated 2020-03-20
Completed reviews Secdir Last Call review of -05 by David Mandelberg (diff)
Genart Last Call review of -05 by Dan Romascanu (diff)
Secdir Telechat review of -06 by David Mandelberg (diff)
Genart Telechat review of -06 by Dan Romascanu (diff)
Assignment Reviewer David Mandelberg 
State Completed
Review review-ietf-core-stateless-05-secdir-lc-mandelberg-2020-03-20
Posted at https://mailarchive.ietf.org/arch/msg/secdir/ixtq6tEK3oIlHUbFcmpPKlJXw7A
Reviewed rev. 05 (document currently at 08)
Review result Has Issues
Review completed: 2020-03-15

Review
review-ietf-core-stateless-05-secdir-lc-mandelberg-2020-03-20

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is ready with issues.

I think this protocol change increases the amount of data that a CoAP 
server would reflect in a DoS attack using spoofed source IP addresses 
with UDP. I don't see any opportunity for amplification though, just 
reflection of more data sent by a malicious client. I'm very much not a 
DoS expert though, so I have no idea if this is an issue at all.

What happens when a client changes the (implementation-private) format 
of the state it puts in the tokens? E.g., what if a client sends a 
request, applies a software update, then receives the response? (I'm 
guessing that's a more likely situation with UDP, since the software 
update would probably interrupt a TCP session.) If an attacker can 
predict when the software update will happen and how the new version 
will interpret the old version's tokens, can they replay anything 
maliciously? (Assuming the replay window includes some messages from 
just before the software update.)