Re: [secdir] Secdir last call review of draft-ietf-masque-connect-udp-13
David Schinazi <dschinazi.ietf@gmail.com> Fri, 10 June 2022 01:38 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F386C15D881; Thu, 9 Jun 2022 18:38:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HUhKcW56fDMa; Thu, 9 Jun 2022 18:38:11 -0700 (PDT)
Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D991C15D880; Thu, 9 Jun 2022 18:38:11 -0700 (PDT)
Received: by mail-pj1-x102a.google.com with SMTP id j7so22821214pjn.4; Thu, 09 Jun 2022 18:38:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wbp+EIqpW/VSIzkJs+nBo7t2++JNLUhIzyLTUpTxIjE=; b=dYxIClnTlwFr8MYNJbB7c5mdMuNiXYNKQVML/pb6LEAhmJe5RD+DgY8+TMctCr3gNO h4PhlQ3lb2u6/MA0wnBKicjjB0vAwPt2CCKBjVyDalfNAjc7eSxuIGl3pYOXE9J8+8Yf yn+SllHmK8icL1hFExuTo0LiXd7C5y2IEWeQm7IQLz027YjejC2l393CCUip7zJ8UNTy Sho2JEAzzP1V42ZzWrOz7H8ruzUYL+ALTD7b9RilF3d83uddxrzzpET98OJvxcXyE8g/ ikWFppgJqLvxBFRL+tbitAsATPSAfVOfwA10shJgLgKJfm3XxfxyF5a/lhRSqKUTyU21 vNOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wbp+EIqpW/VSIzkJs+nBo7t2++JNLUhIzyLTUpTxIjE=; b=pV06gkwVvo4AG+s9sxt4PvAghBOAZxPnoH4FanyRP7SL0p6pD7jVkxo5RsOLrJ/YMC +XcOebzTkyXFMShmBaRRwO/qzTYgagNt+v9l++Pg8J2CAzfSZ7viJc018474MV257N6E c31LR4FU7NBVKBVFv+mvSceLBsmMiUajp0AYqA+xnlTmAViLmbp4EJTn0wLeEiHmoRfn 1sYF+QYlRemdhocfoDkP9JnyOn3+5pWjYPbmqqYTd8oyayVUdIHxjVQTWllq/6YMv//I PJJutRsYrMXW0dl5PiKnn68HHMQon7gwXLSgy8w2Zm022QzM5b6IZFI9k2bkH8Ga7UGS rlEg==
X-Gm-Message-State: AOAM531YL30o3ulgMtqf43P4erH1G/9QgLPn/TyQuNSvypR9WmqomcH1 VVLm4736LmkHxb6MQvD7o0fLXaRgFiwRoNvbQbI=
X-Google-Smtp-Source: ABdhPJx2pthu4ZgKBBHA08l2qyGP//J7yCIpxpxBTG+VP0KZ+uhXFThafZgbQNY+0lsaCpSdjo3HN+IQc3Yk8ofFurs=
X-Received: by 2002:a17:902:8e8b:b0:168:a135:d636 with SMTP id bg11-20020a1709028e8b00b00168a135d636mr8417239plb.140.1654825090286; Thu, 09 Jun 2022 18:38:10 -0700 (PDT)
MIME-Version: 1.0
References: <165463211375.64080.11151822253437995304@ietfa.amsl.com> <CAPDSy+6kYwS=obzvSQXa9nZsxmKijy-2tF4N7_vh82jpLUmijA@mail.gmail.com> <25323CD7-2914-4674-B8CA-BE142929CF2A@nrl.navy.mil>
In-Reply-To: <25323CD7-2914-4674-B8CA-BE142929CF2A@nrl.navy.mil>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Thu, 09 Jun 2022 21:37:59 -0400
Message-ID: <CAPDSy+4CRFnwb_LRaAGwcGyT0+Hrq-yio6kjWj3_JJFJXiDqMQ@mail.gmail.com>
To: "Meadows, Catherine CIV USN NRL (5543) Washington DC (USA)" <catherine.meadows@nrl.navy.mil>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-masque-connect-udp.all@ietf.org" <draft-ietf-masque-connect-udp.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ac0af405e10dfd6d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/My5t2RAgWindS7sgM51rCYF-CJM>
Subject: Re: [secdir] Secdir last call review of draft-ietf-masque-connect-udp-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jun 2022 01:38:12 -0000
Hi Catherine, Responses inline. David On Thu, Jun 9, 2022 at 6:16 PM Meadows, Catherine CIV USN NRL (5543) Washington DC (USA) <catherine.meadows@nrl.navy.mil> wrote: > Thanks David! > > > > I’m fine with the resolution of Issue 1. > Great, thanks for confirming! > For Issue 2, I’m still a little confused when I look at the paragraph > about DoS. The new first sentence helps, but I’m afraid some of these > things are things I didn’t mention in my review, but only noticed when I > took a closer look now. > > > > However, in practice > > denial of service attacks target open TCP ports so the TCP SYN-ACK does not > > offer much protection in real scenarios. > > > > Why doesn’t it offer much protection? > With a CONNECT proxy, you can't DoS a closed port because the proxy will send a few SYNs but never data because the target won't reply with a SYN-ACK. But no one attacks closed ports in practice, they attack open ports that do reply with a SYN-ACK, so it is possible to send those data. So the SYN-ACK doesn't prevent real attacks. > Is it for the same reason as the reason the UDP proxy waiting for a > response doesn’t work, because the protocol running over UDP would respond? > That's right, if you target an open UDP port with a real packet (a valid DNS query or a valid QUIC initial or DTLS client hello etc) that part will reply with its protocol's corresponding response. > And how could the protocol respond if it is running over UDP and the UDP > port is flooded? > Once the port is flooded to the point that it doesn't reply, it is already too late - the attack has succeeded. It sounds like we can improve this text to make it clearer, do you have thoughts on how best to do that? > Cathy > > > > > > > > > > > > > > > > > > > > > > > > > > > > *From: *David Schinazi <dschinazi.ietf@gmail.com> > *Date: *Tuesday, June 7, 2022 at 10:20 PM > *To: *Catherine Meadows <catherine.meadows@nrl.navy.mil> > *Cc: *"secdir@ietf.org" <secdir@ietf.org>, " > draft-ietf-masque-connect-udp.all@ietf.org" < > draft-ietf-masque-connect-udp.all@ietf.org>, "last-call@ietf.org" < > last-call@ietf.org>, MASQUE <masque@ietf.org> > *Subject: *Re: Secdir last call review of draft-ietf-masque-connect-udp-13 > > > > Hi Catherine, > > > > Thank you for your review. I agree with both your points. In response, > I've created the following PR: > > https://github.com/ietf-wg-masque/draft-ietf-masque-connect-udp/pull/177 > > More responses inline. > > > > Thanks, > > David > > > > On Tue, Jun 7, 2022 at 4:01 PM Catherine Meadows via Datatracker < > noreply@ietf.org> wrote: > > Reviewer: Catherine Meadows > Review result: Has Issues > > This draft describes a protocol for proxying UDP in HTTP, similar to the > way in > which HTTP CONNECT allows proxying TCP in HTTP. > > The Security Considerations Section, besides noting that the considerations > identified in HTTP-DGRAM also apply, notes the necessity for > authentication. It > also notes the security issues (particularly, vulnerability to denial of > service attacks)that arise from the fact that in UDP the target of a > connection > doesn’t have to indicate its willingness to accept a connection before a > proxy > sends data. It also discusses some issues that may arise from basing a UDP > proxying implementation on a pre-existing implementation of the TCP CONNECT > Protocol. > > I found a couple of minor issues, mainly having to do with clarity: > > Issue 1: > > I am confused by the last paragraph of the section, which runs as follows: > > UDP sockets for UDP proxying have a different lifetime than TCP > sockets for CONNECT, therefore implementors would be well served to > follow the advice in Section 3.1 if they base their UDP proxying > implementation on a preexisting implementation of CONNECT. > > First of all, it’s not clear what the security implications of this are. > This > needs to be explained (or put elsewhere if there are no security > implications). > Secondly, it’s not clear what advice in Section 3.1 is relevant to this > paragraph. Section 3.1 is mostly MUSTs and SHOULDs; I don’t see anything I > would call advice. The paragraph needs to say more clearly what advice it > is > referring to. > > > > I went digging through the git history and mailing list archives and > couldn't come > > up with a good reason for why I added this paragraph. Also I can't tell > what it's > > supposed to accomplish when I read it with today's eyes. So I removed it. > > > > Issue 2: > > It is hard to draw a conclusion from the paragraph on DoS The first two > sentences are clear. They state that the fact in the CONNECT method for > TCP the > target must indicate its willingness to receive data, while this is not the > case for UDP, potentially makes it easier for UDP proxies implement > denial of > service attacks. > > However, I had trouble understanding the rest of the paragraph: > > However, in practice denial of service attacks target open TCP ports > so the TCP SYN-ACK does not offer much protection in real scenarios. > While a UDP proxy could potentially limit the number of UDP packets > it is willing to forward until it has observed a response from the > target, that is unlikely to provide any protection against denial of > service attacks because such attacks target open UDP ports where the > protocol running over UDP would respond, and that would be > interpreted as willingness to accept UDP by the UDP proxy. > > I think that what this is intended to say is that because DoS attacks > target > open ports there is not much difference between TCP and UDP proxies as far > as > vulnerability to DoS is concerned. I would recommend saying this upfront. > Then it would be easier to see how the two sentences above support that > statement. > > > > I've added the following sentence at the start of the paragraph to explain > why: > > << > > UDP proxies have similar properties to TCP proxies when it comes to > facilitating > > denial of service attacks, even though TCP offers better protection in > theory. > > >> >
- [secdir] Secdir last call review of draft-ietf-ma… Catherine Meadows via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… David Schinazi
- Re: [secdir] Secdir last call review of draft-iet… Meadows, Catherine CIV USN NRL (5543) Washington DC (USA)
- Re: [secdir] Secdir last call review of draft-iet… David Schinazi
- Re: [secdir] Secdir last call review of draft-iet… Meadows, Catherine CIV USN NRL (5543) Washington DC (USA)
- Re: [secdir] [Last-Call] Secdir last call review … Jared Mauch