Re: secdir review of draft-ietf-usefor-usepro-12
On Wed, 10 Sep 2008 02:03:24 +0100, Charles Clancy <clancy@xxxxxxxxxx> wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Document: draft-ietf-usefor-usepro-12
> Document Title: Netnews Architecture and Protocols
>
> This document is an update to RFC 1036, and defines the Netnews system.
> This document specifically addresses the Netnews architecture, with
> another document defining the message formatting (and NNTP, the most
> popular transport protocol, being defined in a separate document).
>
> Having personally run my campus Usenet server while in college 10 years
> ago, this document brings back all sorts of fun memories of a
> pre-blog/wiki world. The major issue back then seemed to be keeping
> alt.binaries from filling up your server's disk.
>
> Overall, Netnews is known to have a myriad of security flaws that have
> persisted since its inception, much like SMTP. Strangely there hasn't
> been any major effort that I'm aware of to institutionalize things
> such as digital signatures on Netnews articles. The document indicates
> that such an effort is underway (see section 5.1). Is that true?
>
> A major avenue of attack for Netnews is unauthenticated control messages
> that allow for operations such as the creation and deletion of
> newsgroups, among other things. Any Netnews Agent can generate such a
> message, with any approving official's email address listed in the
> header, and have it propagate through the Usenet system.
>
> While there is no authentication of Netnews control messages, there is
> typically some attempt to apply policy to authorize them (the major line
> of defense against malicious control messages). The irony here is that
> authorization of unauthenticated messages gets you little more than a
> minimal level of heuristic security.
This was discussed in the early days of USEFOR, and the decision was made
to defer these security issues to a separate document (of which hints
remain in the present draft).

Items to be considered in such a document would include:

  - signing of control messages (the present ad hoc signing method works
    well, but could not be standardized as it stands because it uses an
    X-header)
  - signing of messages by moderators (which currently uses yet another
    X-header, but sadly a different one to control messages)
  - cancel locks (there is an ancient draft for these)
  - maybe some other things (e.g. I would like to standardize NoCeMs)

But whether such a project now goes ahead is open to considerable doubt
:-(.
> Therefore much of the security of Netnews is delegated to NNTP,
> which can provide authenticated communications channels between Netnews
> Agents. This, however, only provides hop-by-hop security, and not any
> form of end-to-end security. I recommend the document discuss the
> ramifications of this (i.e. any compromised NNTP server can generate and
> propagate false control messages throughout the entire Usenet system, so
> a secure Netnews transport protocol really only gives the system a false
> sense of security).
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl@xxxxxxxxxxxxxxxx Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
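The two points made in this exchange about control messages (any agent can put the approving address into the headers, and the policy that servers apply only authorizes, it does not authenticate) can be made concrete. The Python below is an added example; it is not code from the draft, from either reviewer, or from any news server. The policy format "message:from:newsgroups:action" with the last matching line winning is modelled on INN's control.ctl, fnmatch is used as an approximation of wildmat, and the PGP signature that the ad hoc method carries in an X-header is replaced by an HMAC in a hypothetical X-Example-Sig header so that the block runs offline. The policy, key and articles are constructed for the example.

```python
# Added example, not code from the draft, the reviewers, or any news server.
# Applies a control.ctl-style policy (modelled on INN's control.ctl; last
# matching line wins) to Netnews control messages. A forged From:/Approved:
# passes a "doit" rule, while a "verify-" rule needs a key. The HMAC in the
# hypothetical X-Example-Sig header stands in for pgpverify's PGP signature.
import fnmatch
import hashlib
import hmac

def parse_headers(article):
    """Header block -> dict keyed by lowercase name; handles folded lines."""
    headers, last = {}, None
    for line in article.splitlines():
        if line == "":
            break
        if line[:1] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers

def address_of(from_header):
    """Bare address from 'Name <addr>' or 'addr (Name)'."""
    if "<" in from_header and ">" in from_header:
        return from_header[from_header.index("<") + 1:from_header.index(">")]
    return from_header.split()[0] if from_header.split() else ""

def parse_policy(text):
    """Policy lines 'message:from:newsgroups:action'; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(tuple(line.split(":", 3)))
    return rules

def decide(headers, rules):
    """Action for a control message under the policy. fnmatch stands in for
    wildmat (no '!' negation or ',' lists). Last matching rule wins."""
    ctl = headers.get("control", "").split()
    if not ctl:
        return "drop"                       # not a control message
    msg_type, target = ctl[0], (ctl[1] if len(ctl) > 1 else "")
    sender = address_of(headers.get("from", ""))
    action = "drop"
    for message, from_pat, group_pat, act in rules:
        if (message in (msg_type, "all")
                and fnmatch.fnmatchcase(sender, from_pat)
                and fnmatch.fnmatchcase(target, group_pat)):
            action = act
    return action

# Headers the signer vouches for; everything else remains forgeable.
SIGNED_HEADERS = ("from", "control", "newsgroups", "approved")

def sign(headers, key):
    """HMAC-SHA256 over the signed headers (stand-in for a PGP signature)."""
    data = "\n".join(headers.get(h, "") for h in SIGNED_HEADERS).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def accept(headers, rules, keys):
    """Policy plus authentication: 'verify-<id>' rules require a valid
    signature under the key registered as <id>, otherwise the message is
    dropped even though its From: matched the rule."""
    action = decide(headers, rules)
    if action.startswith("verify-"):
        key = keys.get(action[len("verify-"):])
        sig = headers.get("x-example-sig", "")
        if key and hmac.compare_digest(sig, sign(headers, key)):
            return "doit"
        return "drop"
    return action

# Constructed policy, key and articles for the demonstration.
POLICY = parse_policy("""
all:*:*:drop                                         # default
newgroup:group-admin@example.org:example.*:doit       # heuristic only
newgroup:group-admin@example.org:example.sec.*:verify-example-admin
""")
KEYS = {"example-admin": b"constructed-demo-key"}

def forged_article(group):
    """Anyone can write the approver's address into From: and Approved:."""
    return ("From: Anyone <group-admin@example.org>\n"
            "Newsgroups: example.announce\n"
            "Control: newgroup " + group + "\n"
            "Approved: group-admin@example.org\n"
            "Subject: cmsg newgroup " + group + "\n\nbody\n")

def demo():
    """The three outcomes discussed in the thread."""
    forged = parse_headers(forged_article("example.fake.group"))
    forged_sec = parse_headers(forged_article("example.sec.test"))
    genuine = dict(forged_sec)
    genuine["x-example-sig"] = sign(genuine, KEYS["example-admin"])
    return {"forged, doit rule": accept(forged, POLICY, KEYS),       # doit
            "forged, verify rule": accept(forged_sec, POLICY, KEYS), # drop
            "signed, verify rule": accept(genuine, POLICY, KEYS)}    # doit

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

The first case is the heuristic security the reviewer describes: the forged newgroup matches a "doit" rule purely because the attacker typed the expected address. Only the "verify-" rule ties acceptance to key material the attacker does not hold, and that check is end-to-end, which is what an authenticated NNTP hop cannot provide.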