Re: [Spud] Fwd: New Version Notification for draft-herbert-transports-over-udp-00.txt
Tom Herbert <tom@herbertland.com> Sat, 21 May 2016 15:53 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0409A128E19 for <spud@ietfa.amsl.com>; Sat, 21 May 2016 08:53:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mi-4ObV5eTRI for <spud@ietfa.amsl.com>; Sat, 21 May 2016 08:53:21 -0700 (PDT)
Received: from mail-ig0-x22c.google.com (mail-ig0-x22c.google.com [IPv6:2607:f8b0:4001:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 605EB12B062 for <spud@ietf.org>; Sat, 21 May 2016 08:53:21 -0700 (PDT)
Received: by mail-ig0-x22c.google.com with SMTP id ww4so10085889igb.1 for <spud@ietf.org>; Sat, 21 May 2016 08:53:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-transfer-encoding; bh=4rma0YrxTSwOh++iguKk9TTtYeyau7h616mcdUzx4IY=; b=d2962ucuDEVYtGDyUbWpQruAG0U2QAYrG7BZ9QSYQJAvPXQ++3KnvIiGYvryXbMpVk 7A+jpRia0Lv8oNY9zawq9fV0nh9UabU8vCgWo5jTJv953jlSJH/YuHjGKcpwnFyhq6yw ErV0L3nNarPclrv/rRMYN9VJ4PZYIychlb0oiPZ9XdQtOVHLeTzN//IkKgr+pMO0Wmu5 iwasqZIFkMHwIM8DPb3lWU0gHUKxl4+O9w2q3ShM7pwhl5m/PRzEZ4Sxh7AbG7jp633B 4KrEkpaTKYHxhDuF8tjz/FOFwNLcMz7fm/Kz6dpUA+kHbRQWINDOzjoVzBM91gj2NS/k Mk6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-transfer-encoding; bh=4rma0YrxTSwOh++iguKk9TTtYeyau7h616mcdUzx4IY=; b=mWSlGGRCLwqzK97GIdwfVq0s6Z9ue8Fns3I7GgQV2Lfx1HCBK+RKorDmYaHNDDtSy9 0FcPp0ufhH9CmppCoJIBIb6xmLAhtg86PMuh9rGBRoASnBzgbsb1zL5fhsOk9qCCTj9W W/u0H2MYWUX8i5/7qHEFsiI3+Qv2toOi2pqo+s1zqF9Tkb+z3WP8IWDQF217Dd+4m4FP UJTmTOJtLzUN6yNgpF7oeEwAiAhxOvNI3xS8iBx1GjjzRFUE8Tk1a0Y8/UVzRDzpFeP6 latQEZI0M4r6SmSv2BlHLSqGYgGOcL2L057IvXj05tMr66kJXUE3gnwyqalgDcXlrPTL EgxA==
X-Gm-Message-State: AOPr4FXrC4173Pj2v/H1DaqNXPJQr8U5V7UdtiRwWbzlGVQ/RFsFozd2leU4xmTPZhzyTNpNzGb/J2vG7Sq6rA==
MIME-Version: 1.0
X-Received: by 10.50.205.8 with SMTP id lc8mr7275795igc.94.1463846000587; Sat, 21 May 2016 08:53:20 -0700 (PDT)
Received: by 10.107.56.67 with HTTP; Sat, 21 May 2016 08:53:20 -0700 (PDT)
In-Reply-To: <DM2PR0301MB06553A6249DB5BAD06D2A96BA84B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <CALx6S377qRfq7ufRVUx6Yn7ec4=EmK_=FL14PWT_qf4g840mbQ@mail.gmail.com> <20160519185943.GM12994@cisco.com> <CALx6S37qPpKpCT6ZpVQwRWf1XFKESYasOBcz26To9zw0GRyz5Q@mail.gmail.com> <573E31E1.807@isi.edu> <20160519221102.GS12994@cisco.com> <573E3C5E.2090300@isi.edu> <20160520001323.GC2511@cisco.com> <573E6303.8030701@isi.edu> <20160520012431.GF2511@cisco.com> <573F47C0.3010501@isi.edu> <20160520182115.GO2511@cisco.com> <CALx6S378X7bk5q-u7Kxu+s3w1ZZ5kZcyhCVEUyPG_=hVzNH2tA@mail.gmail.com> <655C07320163294895BBADA28372AF5D48860CBE@FR712WXCHMBA15.zeu.alcatel-lucent.com> <DM2PR0301MB06553A6249DB5BAD06D2A96BA84B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Date: Sat, 21 May 2016 08:53:20 -0700
Message-ID: <CALx6S35m9xCvzLqXyLgARdoep_WfZBoLsGFNUVUx8GfxXfiYNg@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
To: Christian Huitema <huitema@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/UF5T8zoIixv1xPnhCQseu98IDBI>
Cc: Toerless Eckert <eckert@cisco.com>, "Scharf, Michael (Nokia - DE)" <michael.scharf@nokia.com>, spud <spud@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [Spud] Fwd: New Version Notification for draft-herbert-transports-over-udp-00.txt
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 May 2016 15:53:23 -0000
On Fri, May 20, 2016 at 4:38 PM, Christian Huitema <huitema@microsoft.com> wrote: > On Friday, May 20, 2016 9:14 AM, Michael Scharf wrote: >> To: Tom Herbert <tom@herbertland.com>; Toerless Eckert >> <eckert@cisco.com> >> Cc: Joe Touch <touch@isi.edu>; spud <spud@ietf.org> >> Subject: Re: [Spud] Fwd: New Version Notification for draft-herbert- >> transports-over-udp-00.txt >> >> > NAT makes life complicated, especially if we want to have connections >> survive across UDP NAT address/port remapping. Most of the draft is about >> dealing with this. One nice feature (that I borrowed from > QUIC) is to >> negotiate a shared session identifier for the connection that is unique to both >> sides. With this a connection is identified (at the end >> > nodes) without using the addresses or UDP port numbers. So connection >> identification becomes location independent which solves the NAP >> remapping problem and also allows for mobility. >> >> Ahhh, Section 3.2 is really cool... >> >> I can clearly see the tremendous improvement for user privacy if the highly >> privacy-sensitive TCP header fields finally get all encrypted, including things >> like flags, sequence numbers etc., if there is now a new clear text identifier >> that just happens to be unique per subscriber. What a great improvement for >> privacy in the Internet! And even better that it seems compatible with QUIC... >> >> Sorry, I really could not resist. > > Actually, using a 64 bit QUIC-like identifier to support mobility or multi path is a terrible idea. The best way to describe it is, "clear text super cookie." It allows adversaries to link connections originating from different IP addresses. Providing such linkability is a boon for traffic analysis and user tracking, and of course a big loss for privacy. And yes, MP-TCP is doing something similar, but at least they acknowledge the problem and want to find a solution. If we want privacy, the identifiers used to link several connections together have to be placed inside the crypto envelope, not in a clear text header. > We assume that strong security must be applied, so unlike MP-TCP the transport headers are encrypted and the only information sent in plain text is the session identifier (serving as an SPI) and DTLS headers. In the case of a connection surviving across NAT remapping an attacker could observe that the connection has been remapped, but that reveals no new information about the connection than it had previously except that the it was remapped by an intermediate device. That does potentially reveal information about the NAT device, for instance it could probably ascertain the timeout, but I don't know how useful that would be in and it could probably be determined by other means. But even given that, yes, I would prefer that anything that identifies flows on the network (UDP tuples, session identifiers, flow labels) is periodically rotated to reduce the ability of intermediate nodes to track my flows over long periods of time. The protocol to negotiate a new session identifier can be implemented in the encrypted portion of the packet. To change the UDP tuple a client can pick a different ephemeral source port (in userspace sockets implementation this would close one socket and create a new and do a connect without explicit bind). Tom > -- Christian Huitema > >
- Re: [Spud] New Version Notification for draft-her… Mirja Kühlewind
- [Spud] Fwd: New Version Notification for draft-he… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Ca By
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Ca By
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Ca By
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] New Version Notification for draft-her… Michael Welzl
- Re: [Spud] New Version Notification for draft-her… Brian Trammell
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Scharf, Michael (Nokia - DE)
- Re: [Spud] Fwd: New Version Notification for draf… Christian Huitema
- Re: [Spud] Fwd: New Version Notification for draf… Scharf, Michael (Nokia - DE)
- Re: [Spud] Fwd: New Version Notification for draf… Dave Dolson
- Re: [Spud] Fwd: New Version Notification for draf… Toerless Eckert
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] Fwd: New Version Notification for draf… Jana Iyengar
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch
- Re: [Spud] Fwd: New Version Notification for draf… Phillip Hallam-Baker
- Re: [Spud] Fwd: New Version Notification for draf… Scharf, Michael (Nokia - DE)
- Re: [Spud] Fwd: New Version Notification for draf… Scharf, Michael (Nokia - DE)
- Re: [Spud] New Version Notification for draft-her… Michael Welzl
- Re: [Spud] Fwd: New Version Notification for draf… Ca By
- Re: [Spud] New Version Notification for draft-her… Michael Welzl
- Re: [Spud] New Version Notification for draft-her… Brian Trammell
- Re: [Spud] New Version Notification for draft-her… Scharf, Michael (Nokia - DE)
- Re: [Spud] Fwd: New Version Notification for draf… Tom Herbert
- Re: [Spud] New Version Notification for draft-her… Brian Trammell
- Re: [Spud] Fwd: New Version Notification for draf… Ca By
- Re: [Spud] Fwd: New Version Notification for draf… Joe Touch