Last Call Review of draft-ietf-tsvwg-sctp-ndata-12
review-ietf-tsvwg-sctp-ndata-12-secdir-lc-kelly-2017-08-31-00
| Request | Review of | draft-ietf-tsvwg-sctp-ndata |
|---|---|---|
| Requested revision | No specific revision (document currently at 13) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2017-08-25 | |
| Requested | 2017-08-10 | |
| Authors | Randall R. Stewart , Michael Tüxen , Salvatore Loreto , Robin Seggelmann | |
| I-D last updated | 2017-08-31 | |
| Completed reviews |
Secdir Last Call review of -12
by Scott G. Kelly
(diff)
Genart Last Call review of -12 by Stewart Bryant (diff) Opsdir Last Call review of -12 by Stefan Winter (diff) |
|
| Assignment | Reviewer | Scott G. Kelly |
| State | Completed | |
| Request | Last Call review on draft-ietf-tsvwg-sctp-ndata by Security Area Directorate Assigned | |
| Reviewed revision | 12 (document currently at 13) | |
| Result | Has issues | |
| Completed | 2017-08-31 |
review-ietf-tsvwg-sctp-ndata-12-secdir-lc-kelly-2017-08-31-00
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is ready with (maybe) issues. I'm not sure if there is an issue or not. Maybe this can be quickly resolved. Paraphrasing from the abstract, the document adds a new chunk to SCTP for carrying payload data, allowing a sender to interleave different user messages that would otherwise result in head of line blocking at the sender. An example usage: a client (or server) is sending a large message over SCTP, so it fragments the message and sends the fragments one after the other; each fragment is assigned a Transmission Sequence Number (TSN). If that client has a higher priority message to send during the transmission of the fragments, that message must go to the end of the line. This document defines a "stream", and allows interleaving streams, so that the higher priority message can be transmitted immediately (on its own stream), and the receiver will understand that this is not part of the lower priority message's TSN chain (stream). The security considerations section says This document does not add any additional security considerations in addition to the ones given in [RFC4960] and [RFC6458]. It should be noted that the application has to consent that it is willing to do the more complex reassembly support required for user message interleaving. When doing so, an application has to provide up to two reassembly buffers (one for ordered messages, one for unordered messages) for each incoming stream. It has to protect itself against these buffers taking too many resources. If user message interleaving is not used, only a single reassembly buffer needs to be provided for each association. But the application has to protect itself for excessive resource usages there too. The security considerations of 4960 are very thorough, but they never mention anything about fragment reassembly issues. I don't know much about SCTP, so maybe this is not a concern, but I wondered: could a hostile endpoint attack the reassembly scheme (which must be reimplemented for each application) by sending malicious fragments? --Scott