The security problems identified in "Vulnerabilities in Many
Implementations of the Simple Network Management Protocol (SNMP)" are
not caused by the protocol choice to use ASN.1, but by vendors
incorrectly implementing the protocol (which was made worse by vendors
using toolkits that had the problems).

If "Multiple Vulnerabilities in Implementations" were used to condemn
the encoding methods of protocols that have been incorrectly
implemented, then we would have to condemn an awful lot of IETF
protocols as being very (security) bug prone:

CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS
US-CERT Vulnerability Note VU#459371 Multiple IPsec implementations do not adequately validate
CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP)
CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH
CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)
Vulnerability Note VU#428230 Multiple vulnerabilities in S/MIME
Vulnerability Note VU#955777 Multiple vulnerabilities in DNS
Vulnerability Note VU#226364 Multiple vulnerabilities in Internet Key Exchange (IKE) version 1 implementations
CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the RADIUS Protocol
CERT Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos
Vulnerability Note VU#836088 Multiple vendors' email content/virus scanners do not adequately check "message/partial" MIME entities
> From: Steven M. Bellovin [mailto:smb(_at_)cs(_dot_)columbia(_dot_)edu]
> Sent: Monday, June 05, 2006 7:10 PM
> To: Randy Presuhn
> Subject: Re: Best practice for data encoding?
>
> On Mon, 5 Jun 2006 16:06:28 -0700, "Randy Presuhn"
>
> > From: "Iljitsch van Beijnum" <iljitsch(_at_)muada(_dot_)com>
> > To: "IETF Discussion" <ietf(_at_)ietf(_dot_)org>
> > Sent: Monday, June 05, 2006 2:43 PM
> > Subject: Best practice for data encoding?
> >
> > > Then there is the ASN.1 route, but as we can see with
> > > SNMP, this also requires lots of code and is very (security) bug
> >
> > Having worked on SNMP toolkits for a long time, I'd have to
> > strenuously disagree. In my experience, the ASN.1/BER-related
> > code is a rather small portion of an SNMP protocol engine.
> > The code related to the SNMP protocol's quirks, such as
> > processing and the mangling of index values into object identifiers
> > (which is far removed from how ASN.1 intended object identifiers
> > to be used) requires much more code and complexity.
>
> Yah -- measure first, then optimize.
>
> I'm curious, too, about the claim that this has resulted in
> problems. Could someone elaborate?
>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Ietf mailing list
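The two claims in the thread, that the BER decoding in an SNMP engine is small once lengths are checked against the buffer and that the SMIv2 mangling of index values into object identifiers is where the extra code and the extra checks live, as an added example that is not code from this thread or from any vendor's SNMP toolkit. Assumed for illustration: the well-formed sample packets encode sysName.0 (1.3.6.1.2.1.1.5.0), the malformed packets and the "eth0" index are constructed, and the index routine follows the RFC 2578 rule for a variable-length OCTET STRING index (length sub-identifier first, omitted when IMPLIED).

```python
# Added example, not code from this thread or from any vendor's SNMP toolkit.
# It puts side by side the two pieces Randy Presuhn contrasts: bounds-checked
# BER TLV/OID decoding, and the SMIv2 mangling of a string-valued table index
# into OID sub-identifiers (RFC 2578, section 7.7). All samples are constructed.

OID_TAG = 0x06  # universal tag for OBJECT IDENTIFIER

def decode_length(buf: bytes, pos: int):
    """BER definite-form length at buf[pos] -> (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                       # short form
        return first, pos
    n = first & 0x7F                       # long form: n octets follow
    if n == 0:
        raise ValueError("indefinite length is not allowed in SNMP")
    if n > 4 or pos + n > len(buf):
        raise ValueError("length field too long or truncated")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_tlv(buf: bytes, pos: int = 0):
    """One TLV at buf[pos] -> (tag, contents, next_pos). Comparing the declared
    length against the octets actually present is the check never to skip."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag octet")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-octet tags are not used in SNMP")
    length, pos = decode_length(buf, pos + 1)
    if length > len(buf) - pos:
        raise ValueError("declared length %d exceeds %d remaining octets"
                         % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents: bytes):
    """OBJECT IDENTIFIER contents -> tuple of arcs."""
    if not contents or contents[-1] & 0x80:
        raise ValueError("empty OID or last sub-identifier cut off")
    subids, cur = [], 0
    for b in contents:
        cur = (cur << 7) | (b & 0x7F)      # base 128, high bit = continue
        if cur > 0xFFFFFFFF:
            raise ValueError("sub-identifier exceeds 32 bits (SMIv2 limit)")
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]                      # X.690 packs the first two arcs
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return head + tuple(subids[1:])

def parse_oid_tlv(buf: bytes):
    """Complete OBJECT IDENTIFIER TLV -> tuple of arcs."""
    tag, contents, _ = decode_tlv(buf)
    if tag != OID_TAG:
        raise ValueError("expected tag 0x06, got 0x%02x" % tag)
    return decode_oid(contents)

def is_rejected(buf: bytes) -> bool:
    """True if parse_oid_tlv refuses the input (for the malformed samples)."""
    try:
        parse_oid_tlv(buf)
    except ValueError:
        return True
    return False

def string_index_to_subids(value: bytes, implied: bool = False):
    """SMIv2 index mangling: a variable-length OCTET STRING index becomes its
    length followed by one sub-identifier per octet; IMPLIED omits the length."""
    return (() if implied else (len(value),)) + tuple(value)

def subids_to_string_index(subids, implied: bool = False):
    """Inverse mangling -> (value, remaining_subids). The length sub-identifier
    comes from the peer and is validated before it is used."""
    subids = tuple(subids)
    if implied:
        body, rest = subids, ()
    else:
        if not subids:
            raise ValueError("missing length sub-identifier")
        n = subids[0]
        if n > len(subids) - 1:
            raise ValueError("index length %d exceeds %d remaining sub-identifiers"
                             % (n, len(subids) - 1))
        body, rest = subids[1:1 + n], subids[1 + n:]
    if any(s > 255 for s in body):
        raise ValueError("sub-identifier above 255 cannot be an index octet")
    return bytes(body), rest

# Constructed samples: sysName.0 (1.3.6.1.2.1.1.5.0) with short and long length
# forms, a TLV declaring 127 octets but carrying 3, and a cut-off sub-identifier.
SYSNAME_0 = bytes.fromhex("0608 2B06 0102 0101 0500")
SYSNAME_0_LONG = bytes.fromhex("068108 2B06 0102 0101 0500")
OVERLONG_LENGTH = bytes.fromhex("067F 2B06 01")
CUT_SUBID = bytes.fromhex("0602 2B86")

if __name__ == "__main__":
    print(parse_oid_tlv(SYSNAME_0), parse_oid_tlv(SYSNAME_0_LONG))
    print([is_rejected(s) for s in (OVERLONG_LENGTH, CUT_SUBID)])
    print(subids_to_string_index(string_index_to_subids(b"eth0") + (7,)))
```

The BER half is about forty lines and every rejection in it is one comparison of a peer-supplied length or continuation bit against what is actually in the buffer; the index half carries the same kind of check (the length sub-identifier from the wire versus the sub-identifiers that follow) and is where an implementation that trusts the incoming OID shape goes wrong, independently of the encoding rules.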