Re: [Int-area] SOCKS6 and UDP
Ben Schwartz <bemasc@google.com> Wed, 11 December 2019 16:10 UTC
Return-Path: <bemasc@google.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 748C9120C6A for <int-area@ietfa.amsl.com>; Wed, 11 Dec 2019 08:10:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Level:
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VoSJybyzbidn for <int-area@ietfa.amsl.com>; Wed, 11 Dec 2019 08:09:58 -0800 (PST)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E04AC120C3B for <int-area@ietf.org>; Wed, 11 Dec 2019 08:09:57 -0800 (PST)
Received: by mail-io1-xd2f.google.com with SMTP id x1so23211830iop.7 for <int-area@ietf.org>; Wed, 11 Dec 2019 08:09:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pGJA7FbQTgib6OeGqprmPzEL0wFlXVSgBY0u9rjfW/k=; b=it8YHk5RN87wNseHvFUZRNQT92XFOnnjme6d9De3sjYZMpmIzsbBJvOfDEGiUigl9V YSr1Z4i0RHR7Cj6m1uoUtxCK1wT4+ldIEMs0LiGeIWW5FZW1qDnVQoYKmEwQd+rE2zKX X/P9VsSKsbQAFIWONh0jxS2flHsicttOvQc573WxD142d4k74AkHUmgCZiNOCiTTaVrp o3ntDSeZymA9pPZZtAFPrR4lKEGa8v45LllAHyZlAuJWmi/m8RH/WhwomBOFrTNgJO+J 3uz0i8ao030zJEpAYcEsKZ/UurQh4tNNGi58uUiNoiWqEX1QM/9WlI0KdRhI4OZ9QGiV 8v0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pGJA7FbQTgib6OeGqprmPzEL0wFlXVSgBY0u9rjfW/k=; b=FJ2o7tWLgH8UUKF+mpu+iA9XY8spJbJ6z9uoDDeuSWUMILelYos7MZyjvsFtcib+x7 keisaz1po5YZwffSVXe86vqjcTxeCFQvJ2+XeYPO1pHFmQYgXnBPXKL8RiHNFmPyoefk YB/CmvIr/M6Stss/G1Perdz9bwG2aYndMVYlYh8eAPdOERkebwRw8vYVnVrUuV+rSSbd eejXF7rvLuot0bdGXJinAemOX6hRk3Bq6HgBDlVN5D/G+V0XZNuE+ajEd8eU+rTvL03/ wktT+73hMRGjuo11AfTbeYnrs0O1mVMcgpJEnUotrwmXyU+Q221u76Bad6KhlytqeBgV ZIXg==
X-Gm-Message-State: APjAAAXV5a0+oULVoLicifGoq0/VoU1cV1WAZcUzEy85a5vJ5GeQX8jQ fEyBLBHPaX/DnbBTCkldK0w+PAxpbH7a1WmFohE1YMh6
X-Google-Smtp-Source: APXvYqxhWlCLXLItOCIrftzHZCK51Gh/e09FHY/L011VTB1mHDl57XFMcT5bbZM7peU0dhETPx3hpKdtnvuEiWJnco8=
X-Received: by 2002:a05:6602:1c5:: with SMTP id w5mr553186iot.129.1576080596692; Wed, 11 Dec 2019 08:09:56 -0800 (PST)
MIME-Version: 1.0
References: <CAHbrMsDgP0zvjhgsqvv2rvxBo69c-W0agnv9+pe5MeF2j+fOuw@mail.gmail.com> <6f2d6f3e-111f-b06f-b58f-fedd82a294e1@cs.pub.ro>
In-Reply-To: <6f2d6f3e-111f-b06f-b58f-fedd82a294e1@cs.pub.ro>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 11 Dec 2019 11:09:45 -0500
Message-ID: <CAHbrMsA+1cgnaqApTbCGoU0xp8v380Sk+pBrqx+201FoCCsBqA@mail.gmail.com>
To: Vladimir Olteanu <vladimir.olteanu@cs.pub.ro>
Cc: int-area@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000259ae105996fdcfa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/eUnVxRoCRvmpzW4_TAeDivZk5SI>
Subject: Re: [Int-area] SOCKS6 and UDP
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2019 16:10:03 -0000
On Tue, Dec 10, 2019 at 2:43 PM Vladimir Olteanu <vladimir.olteanu@cs.pub.ro> wrote: > > Hi Ben, > > I've added my comments inline. > > On 12/10/19 7:12 PM, Ben Schwartz wrote: > > I have a few notes on the SOCKS 6 draft, related to UDP. > > > > 1. I would like to require servers to share resumption between TLS and > > DTLS. This would allow clients to keep a single resumption cache, > > instead of two. > > This is the first time I hear about TLS and DTLS sharing sessions. > > It is a nice performance improvement that, as far as I can tell, doesn't > have any drawbacks. However, I wouldn't require it (as in MUST, REQUIRE > or SHOULD) since it puts extra burden on the implementers. The problem is, if it isn't required for the server, then the client always has to keep separate session caches, because it has no way to know if resumption tickets/keys could be shared. > All that > should be required is a functional TLS layer. (Session resumption might > not be supported by the library, it becomes complicated if you're using > an L4 load-balancer etc. etc.) True, if the TLS termination is implemented separately from the SOCKS server then this could be hard to achieve. Port 1080 is reserved for SOCKS on both TCP and UDP, so maybe this requirement could apply only when using TLS and DTLS on the same host and port. > > 3. The 64-bit Association ID seems like a potential security > > vulnerability when using DTLS. Suppose an attacker observes a DTLS > > connection attempt from a client. If the attacker can block the true > > client's DTLS, they can start enumerating Association IDs until they > > find the one that works. Enumerating a 64-bit space is not easy, but > > it is too small to be considered cryptographically strong. > > Yes, guessing the Association ID is indeed a concern. We are planning to > write something about it in the security considerations section. > > The main idea is to narrow the attacker's window down to a few minutes. ... > I don't know what the standard is for deeming something "secure". Maybe > we should also ask SAAG to take a look at this. That sounds like a good idea to me. > > Putting a very large Association ID at the beginning of every packet > > is not appealing, but with DTLS there may be a more secure and more > > efficient solution. For example, the client could include a longer > > Association ID only until it gets an acknowledgement from the server, > > at which point both sides know that the UDP association is mapped to > > this DTLS connection. Alternatively, the client could send some > > information about its DTLS ClientHello in the TLS channel that sent > > the UDP ASSOCIATE, creating a secure binding. > > Unfortunately, we can't ditch the Association ID entirely, because > multiple UDP associations can be multiplexed over the same DTLS connection. > > Your idea about having two different Association IDs is interesting. In > essence, one would be "signed", and the other "unsigned". The only issue > is that the ID eats into the maximum payload size, and clients would see > the equivalent of a varying MTU. Yeah, this is inconvenient. One can imagine a new message type like "ACCEPT ASSOCIATION" that is sent on the DTLS connection, which includes both a long (e.g. 128-bit) server-selected Association ID and a short (e.g. 16-bit) client-selected key that identifies the association on this DTLS connection (or 5-tuple). However, I'm not sure how to do this without adding a roundtrip. > Your second idea with the ClientHello seems promissing. We could include > the session ID, connection ID or ticket in the SOCKS Request. (I'm not > sure what to do if the DTLS connection has neither.) It could just be the whole DTLS ClientHello, or a hash of it. > Further, it can't be an attack if the TLS and DTLS connections share the > same session or client credentials (but we can't always count on having > these features available, especially the latter). > > > > > 4. SOCKS6-UDP is not compatible with PLPMTUD > > (https://tools.ietf.org/html/draft-ietf-tsvwg-datagram-plpmtud), > > because the client cannot control fragmentation at the proxy. I think > > we should add a "Don't Fragment" bit to the SOCKS 6 datagram header to > > support PLPMTUD. > > The path of least resistance would be a "don't fragment" stack option. > However, that would apply to the whole UDP association and there would > be no way to change it. > > Of course, the client can create an association specifically for probing > purposes. > > > > > (I would love it if SOCKS 6 could pass ICMP messages for classical > > PMTUD (and ping! and traceroute!) but I don't expect that to happen.) > > > > --Ben > Yes, I don't think there's an elegant way to support ICMP. > > Cheers, > > Vlad >
- [Int-area] SOCKS6 and UDP Ben Schwartz
- Re: [Int-area] SOCKS6 and UDP Vladimir Olteanu
- Re: [Int-area] SOCKS6 and UDP Ben Schwartz
- Re: [Int-area] SOCKS6 and UDP Vladimir Olteanu
- Re: [Int-area] SOCKS6 and UDP Joe Touch