Re: [Spud] Authentication and packet reflection [was: Re: Questions based on draft-trammell-spud-req-00]
Tom Herbert <tom@herbertland.com> Tue, 11 August 2015 20:36 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 646831B2A61
for <spud@ietfa.amsl.com>; Tue, 11 Aug 2015 13:36:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level:
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3,
RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id eN-Ykpqt7PWq for <spud@ietfa.amsl.com>;
Tue, 11 Aug 2015 13:36:56 -0700 (PDT)
Received: from mail-ig0-f172.google.com (mail-ig0-f172.google.com
[209.85.213.172])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 22AB61B2A5D
for <spud@ietf.org>; Tue, 11 Aug 2015 13:36:56 -0700 (PDT)
Received: by igfj19 with SMTP id j19so38628igf.1
for <spud@ietf.org>; Tue, 11 Aug 2015 13:36:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:in-reply-to:references:date
:message-id:subject:from:to:cc:content-type
:content-transfer-encoding;
bh=hdrDH+zDX7DxR2gE7bvVobWyZ9DUaQoAHfgMibmZW8U=;
b=MSa0J5dYe1SC2iSfpN4T9aBJmkO17fWFWbwFA6ZBzYC2ko6Mn24x9zi1uoNqJBzro3
PWBKqHgi9DsKtmyR2ewxaHkSc6x9cGwuItoozzPN2Pc0Iwa8GfzbN0MgvnrZc9LrLOLu
ZbSJhahMIqMsCqqyxFI3TPhPEwYZkf98ZTR3G6ylB/Dh6MbwOZsqZ7TfDBOt88I5FmM1
rbnMs3+IUN2ozoi3tDHIkjYzWxfEqlHLVm0WAxH8TQ3+bCNQFBVZDudEmPXbqkSkGKPV
asaiz8S0ekYZXkUpoVOHWpTtpOexyi4mbY3/Of71N9qjYLFZF6+BsyI9yVfdUmvD0rki
RBsg==
X-Gm-Message-State: ALoCoQnv8MewNiPANSu7bK1rHp5y0nF+8tnvXdWgZw0PkHCQwkyW7Z0CajPET4CqYT/eypMYVG1T
MIME-Version: 1.0
X-Received: by 10.50.72.6 with SMTP id z6mr21113743igu.65.1439325415579; Tue,
11 Aug 2015 13:36:55 -0700 (PDT)
Received: by 10.107.200.195 with HTTP; Tue, 11 Aug 2015 13:36:55 -0700 (PDT)
In-Reply-To: <C071D303-C48B-4AB3-9B29-AC5E6F9C9E45@tik.ee.ethz.ch>
References: <1AFABFF2-B841-4B0D-867C-709683BEDC8D@tik.ee.ethz.ch>
<CALx6S348ggxfi470iLDwKWKKmWFmwBahJeA6jfGmnGQ_Vmn37g@mail.gmail.com>
<C071D303-C48B-4AB3-9B29-AC5E6F9C9E45@tik.ee.ethz.ch>
Date: Tue, 11 Aug 2015 13:36:55 -0700
Message-ID: <CALx6S344VdB866aSUSOzym+pKMqq3pvR9fBG8oA31UDq-ndUWg@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
To: =?UTF-8?Q?Mirja_K=C3=BChlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/8uhJswNMvJQJQZwD2SF9akYqokI>
Cc: Ted Hardie <ted.ietf@gmail.com>, "Black,
David" <david.black@emc.com>, Eric Rescorla <ekr@rtfm.com>,
Joe Hildebrand <jhildebr@cisco.com>, spud@ietf.org,
Jana Iyengar <jri@google.com>, Ken Calvert <calvert@netlab.uky.edu>,
Brian Trammell <ietf@trammell.ch>
Subject: Re: [Spud] Authentication and packet reflection [was: Re: Questions
based on draft-trammell-spud-req-00]
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>,
<mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>,
<mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 20:36:57 -0000
On Tue, Aug 11, 2015 at 10:37 AM, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch> wrote: > Hi Tom, > > just two comments below: > >>> 3) Tradeoffs in integrity protection >>> --- >>> a) Should SPUD provide support to use the authentication mechanism of the overlying transport for SPUD information provided by an endpoint to check the authenticity and integrity when the information arrive at the other endpoint? >>> —> Yes, if supported by the overlying protocol >>> >> Yes, but this seems independent of the overlying protocol. We should >> be able to secure the SPUD bits as needed regardless of overlay or >> underlay. > > That means, you would like to provide key exchange mechanisms in SPUD? > The end points do need a key exchange, if they are already doing TLS for encrypting the payload maybe that can be leveraged. IIRC QUIC headers are authenticated but cleartext, and payload is always encrypted, so they may have already solved this... >> >>> b) How can packet-mangling (middleboxes changing accidental or intentionally information provided by others, both middblebox and endpoints) by on-path ndes be detected? >>> -> Lying can potentially be detected if information can be verify over a different mechanism. However it might not be possible to detect who provided these wrong information. Off-path devices would need to know the tube id to provide wrong information which may be unlikely. >>> >> Authenticating the header should be an option in cases where we want >> to prevent any packet-mangling. > > If you already have a trust relationship which the other end, that’s easy but that only helps for information provided from end-points. However you might not be able to provide authenticated information from a middlebox. And sometimes it might even been on purpose that one middlebox should be able to overwrite the information form another middlebox, e.g. if the shortest time-out on the path is requested. > Right, but there's also fields in the headers which should be declared immutable in the path-- which likely includes the session ID and cmd. We should be able to get integrity and end to end authentication of those. If mutable fields are also present, then some options are: - Define a mechanism to indicate those fields are excluded from authentication and integrity check - Place mutable fields outside of the headers. For instance, middleboxes can respond directly to the source instead of modifying packets inflight and relying on reflection - Middlebox encapsulates in another header so it can set any fields as desired, but receiver will need to untangle that >>> >>> f) Should middlebox information be reflected over the receiver or can they also be send directly to the sender (and might take a different route)? >>> -> Maybe there should be a possibility to sent directly to the sender; for unidirectional flows the receiver may not have a bearer flow to carry the message back and thus would generate spud-only packets which maybe quite a bit overhead. However reflection over the receiver should be preferred. >>> >> Middleboxes often have a locality associated with them, e.g. home >> router, enterprise firewall. In such cases, it seems like returning >> information directly is a better use of resources and limits the >> exposure of the data. For example, if your firewall wants to provide >> the client with it's connection timeout, it can send that back >> directly rather than forwarding this to some server halfway around the >> world and expecting the them to properly reflect the information when >> they should not care about this. To the server this is just extra work >> and extra memory that needs to be allocated for each flow (possibly >> millions of them). > > For time-outs I rather would like to see a mechanism where this information is reflected over the receiver because what you are actually looking for it not the time-out of your local firewall (you might already know that over a different channel) but the minimum time-out of all middleboxes on the path. Otherwise if you just request the time-out, every (Spud-aware) middlebox on the path would need to send you a separate reply. Of course the middlebox with the smallest time-out might not be spud-aware but that’s different problem. > How big of problem is this likely to be? How many middleboxes do you foresee in paths that will be maintaining flow state with timeouts? Also, see my comment about keep-alivess, I'm hoping we can get a better solution which eliminates the need for knowing timeouts and sending keep-alives in the first place! Tom > Mirja > > > >
- [Spud] Questions based on draft-trammell-spud-req… Mirja Kühlewind
- Re: [Spud] Questions based on draft-trammell-spud… Toerless Eckert
- Re: [Spud] Return routability and feedback (was: … Roland Bless
- Re: [Spud] Return routability and feedback (was: … Mirja Kühlewind
- Re: [Spud] Return routability and feedback Bless, Roland (TM)
- Re: [Spud] Questions based on draft-trammell-spud… Tom Herbert
- [Spud] Authentication and packet reflection [was:… Mirja Kühlewind
- Re: [Spud] Return routability and feedback (was: … Jana Iyengar
- Re: [Spud] Return routability and feedback (was: … Ted Hardie
- Re: [Spud] Authentication and packet reflection [… Tom Herbert
- Re: [Spud] Return routability and feedback Joe Touch