IETF Logo Mail Archive

Re: [Spud] SPUD's open/close are unconvincing

Toerless Eckert <eckert@cisco.com> Thu, 09 April 2015 17:23 UTC

Return-Path: <eckert@cisco.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BDFD1A8A07 for <spud@ietfa.amsl.com>; Thu, 9 Apr 2015 10:23:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0FTSYYh0OIu4 for <spud@ietfa.amsl.com>; Thu, 9 Apr 2015 10:23:42 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7F221A89FC for <spud@ietf.org>; Thu, 9 Apr 2015 10:23:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2678; q=dns/txt; s=iport; t=1428600222; x=1429809822; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=FfyXuQ7IQHpPapZMIMkE2ZGeqOHv0q+auImym6kt3hg=; b=ZFrta4f70fYdyu6QGLojlVOTZw9pynJucc4jBgxTGsqcUcDbDm18ELOJ WmJ9uX3avYmkQ3vDeC6LxiGC8RtqtEkOjyZv4tNa1GirK1sRy+dlbXgBM m/hSxeYzVNic2iDs0ATeMwpzubqYqI4tGsbH6tJk8UwAHHIxPTAMnI1XL 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BPBADotCZV/51dJa1cgwhSXMRECYFJCoV9AoFDOBQBAQEBAQEBfYQgAQEEAQEBNzQLEAsYCSUPBRM2E4gqDc46AQEBAQEBAQEBAQEBAQEBAQEBAQEBEwSLK4R8B4QtBYsnj10BlGUiggMcgXAeMYJDAQEB
X-IronPort-AV: E=Sophos;i="5.11,551,1422921600"; d="scan'208";a="139778269"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-7.cisco.com with ESMTP; 09 Apr 2015 17:23:41 +0000
Received: from mcast-linux1.cisco.com (mcast-linux1.cisco.com [172.27.244.121]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id t39HNde1024037 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 9 Apr 2015 17:23:40 GMT
Received: from mcast-linux1.cisco.com (localhost.cisco.com [127.0.0.1]) by mcast-linux1.cisco.com (8.13.8/8.13.8) with ESMTP id t39HNdh6023536; Thu, 9 Apr 2015 10:23:39 -0700
Received: (from eckert@localhost) by mcast-linux1.cisco.com (8.13.8/8.13.8/Submit) id t39HNdo1023535; Thu, 9 Apr 2015 10:23:39 -0700
Date: Thu, 9 Apr 2015 10:23:39 -0700
From: Toerless Eckert <eckert@cisco.com>
To: Caitlin Bestler <caitlin.bestler@nexenta.com>
Message-ID: <20150409172339.GW24286@cisco.com>
References: <87iod631nv.fsf@alice.fifthhorseman.net> <DM2PR0301MB06555C7D7F32A69214405D44A8FC0@DM2PR0301MB0655.namprd03.prod.outlook.com> <20150408193920.GD24286@cisco.com> <871tju2rdq.fsf@alice.fifthhorseman.net> <5526AFF1.8040109@nexenta.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5526AFF1.8040109@nexenta.com>
User-Agent: Mutt/1.4.2.2i
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/31oR1nBZF-iLrLSVN-j7PjUVmfE>
Cc: spud@ietf.org
Subject: Re: [Spud] SPUD's open/close are unconvincing
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2015 17:23:44 -0000

+1 on everything you said, but (*grin*) i think we should
layer the analysis:

The base layer is analysing how a "session setup/teardown" signaling
on top of UDP with an arbitrary transport protocol encapsulated
inside of it compares to eg: Native TCP wrt. security and
policy for end-to-end operations and FW/middlebox operations.

The only bar to pass here is that it should not be significantly worse
than TCP.

Then the next level is to add the possible enhancements (or
others) factored into the SPUD proposals and see how each of them
fares. Some of them would have to be compared with other existing
approaches. Eg: if the tube ID is an alernative or enhancement to
MPTCP, then one would have to compare with that.

On the base layer, the main downside i can come up with is that the
filtering of invalid protocol packets or sequence of packets is something
that ideally should become more easy, because the FW would only have
to do it once for SPUD instead of every different transport separately,
but alas that is not true because an attacker can still modify the
encapsulated transport proto signaling elements, so a FW that would
like to provide that state-machinery/packet-header filtering for
transport protocols would need to still understand the whole SPUD+Transport
stack. Just off the top of my head, the best way out would be to
move towards UDP+SPUD+dTLS+reliable-transport, because that would protect
that arbitrary transport protocol headers from attacks and would leave
FWs with only SPUD and dTLS to worry about.

Cheers
    Toerless

On Thu, Apr 09, 2015 at 09:59:29AM -0700, Caitlin Bestler wrote:
> I believe that endpoint assist in the form of declarative information
> is necessary to enable optimum network response. Standardizing
> that information will make it something vendors and endpoint
> stack developers will support. Without standardization you have
> a chicken and egg problem that will never be resolved.
>
> The key questions are:
> * Are the hints sufficient to provide optimizations that more than
>    reward the cost of sending the hints?
> * Are we avoiding creating some form of DOS-vector, which would
>    result in everyone turning off this feature in the field?
>
> I suspect there are some refinements that may be needed to
> avoid enhancing DOS attacks. But we need to set the goal
> realistically as avoiding *enhanced* attacks, and not rejecting
> SPUD for being vulnerable to the same attacks that would have
> worked against TCP.
> 
> _______________________________________________
> Spud mailing list
> Spud@ietf.org
> https://www.ietf.org/mailman/listinfo/spud

v2.8.7 | Report a Bug | By Email