Re: [Spud] SPUD magic number
Toerless Eckert <eckert@cisco.com> Fri, 10 April 2015 17:33 UTC
Return-Path: <eckert@cisco.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 92AF91A88F3
for <spud@ietfa.amsl.com>; Fri, 10 Apr 2015 10:33:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ggzm582Wm9hW for <spud@ietfa.amsl.com>;
Fri, 10 Apr 2015 10:33:04 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77])
(using TLSv1 with cipher RC4-SHA (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id CC8481A8857
for <spud@ietf.org>; Fri, 10 Apr 2015 10:33:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=cisco.com; i=@cisco.com; l=3259; q=dns/txt; s=iport;
t=1428687184; x=1429896784;
h=date:from:to:cc:subject:message-id:references:
mime-version:content-transfer-encoding:in-reply-to;
bh=IJsl788LjZtagYVPjI87+HDId/PfOKIrTIsZ/ObIMjA=;
b=hN2YpF2/mgBEceJ5rWGxdPSIlU6NpcLdlxXh49h+p5cFyc5LWhklrAcm
r6TTE71v/Du+BK+aSpIjZGDfWKI/P9i4bkFu62pkF+Ad/ed9eohXV9Wml
Hjkia86mdnVTMH7B2NGcWsdY3NaB8Oe+XaR1jeieTqdkuLSB9LQzXPAVY s=;
X-IronPort-AV: E=Sophos;i="5.11,557,1422921600"; d="scan'208";a="410867674"
Received: from rcdn-core-2.cisco.com ([173.37.93.153])
by rcdn-iport-6.cisco.com with ESMTP; 10 Apr 2015 17:33:03 +0000
Received: from mcast-linux1.cisco.com (mcast-linux1.cisco.com [172.27.244.121])
by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id t3AHX2Qs017432
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Fri, 10 Apr 2015 17:33:03 GMT
Received: from mcast-linux1.cisco.com (localhost.cisco.com [127.0.0.1])
by mcast-linux1.cisco.com (8.13.8/8.13.8) with ESMTP id t3AHX2Pu022629;
Fri, 10 Apr 2015 10:33:02 -0700
Received: (from eckert@localhost)
by mcast-linux1.cisco.com (8.13.8/8.13.8/Submit) id t3AHX256022628;
Fri, 10 Apr 2015 10:33:02 -0700
Date: Fri, 10 Apr 2015 10:33:02 -0700
From: Toerless Eckert <eckert@cisco.com>
To: "Pal Martinsen (palmarti)" <palmarti@cisco.com>
Message-ID: <20150410173302.GE24286@cisco.com>
References: <CALx6S379MDL+dtnncB7J1Xz9xSbgS3gyEyKuQ7NaRNnHvh7E6w@mail.gmail.com>
<430F4C7C-7565-48C1-833B-45F9E0D5F6B2@cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <430F4C7C-7565-48C1-833B-45F9E0D5F6B2@cisco.com>
User-Agent: Mutt/1.4.2.2i
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/ePAoWjYn6wgi8ou0apb5tqGGRwU>
Cc: Tom Herbert <tom@herbertland.com>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] SPUD magic number
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>,
<mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>,
<mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 17:33:05 -0000
In STUN/ICE there is also a checksum that can be checked. That
gives 32 bit for extraction from HW for CMDs, and then
another 32 bits of checksum to be done in SW, so that you
ultimately only had 1/2^64 for false positives. Unless somebody
explains me why not, i would recommend such a checksum for
SPUD cmd != 0 packets as well.
The 1/2^64 certainty + parsing of packets should then be good enough
to protect any middlebox action that could happen on cmd = 0 packets,
because for any middlebox action that needs a really high certainty
that it is really SPUD traffic, the cmd != 0 packets could be
used to learn the tube ID, and later on the packet cmd = 0
recognition could be based on the 96 bits of cookie + tun-ID.
Cheers
Toerless
On Fri, Apr 10, 2015 at 07:12:47AM +0000, Pal Martinsen (palmarti) wrote:
>
> > On 10 Apr 2015, at 04:35, Tom Herbert <tom@herbertland.com> wrote:
> >
> > Hi,
> >
> > The SPUD magic number seems like a good idea and in fact I anticipate
> > that we'll want to adopt this technique in other UDP encapsulation
> > protocols.
> >
> +1
>
> STUN (RFC5389) also uses this trick in section 6 (https://tools.ietf.org/html/rfc5389#section-6)
>
> > I believe the magic number could be applied in two different ways:
> >
> > 1) A middlebox must match both the UDP destination port and the magic
> > number before accepting the packet is SPUD protocol. In this case ,
> > the magic number is used to distinguish SPUD from other arbitrary uses
> > of a SPUD assigned port.
> > 2) A middlebox matches the magic number in any UDP packet regardless
> > of destination port and declares it to be SPUD. This is nice because
> > we would not need to configure SPUD ports on middleboxes, but
> > increases the chances of misinterpreting something which is not SPUD
> > at all (a larger magic number size might be warranted).
> >
> > What is the intended use for this in the SPUD prototype protocol?
> >
> This was actually the first bet we implemented (https://github.com/iptube/SPUDlib). Mostly due to your 2) bullet point.
>
> It allowed us to quickly get a linux router with netfiletr/iptables up and running with the following rule:
>
> -A PREROUTING -p udp ???match u32 --u32 "0>>22&0x3C@8=0xd80000d8" -j NFQUEUE --queue-num 0
>
> See https://github.com/iptube/TubeNode for a quick and dirty implementation.
>
> >From a client perspective lessons learned from implementing ICE and STUN where RTP, STUN and vide variety of other packets might be multiplexed on the same port was that having a simple isSPUD function is really useful..
>
> In the spud prototype it is defined like this:
>
> bool spud_is_spud(const uint8_t *payload, size_t length)
> {
> if (length < sizeof(spud_header)) {
> return false;
> }
> return (memcmp(payload, (void *)SpudMagicCookie, SPUD_MAGIC_COOKIE_SIZE) == 0);
> }
>
> .-.
> Pål-Erik
>
> > Thanks,
> > Tom
> >
> > _______________________________________________
> > Spud mailing list
> > Spud@ietf.org
> > https://www.ietf.org/mailman/listinfo/spud
>
> _______________________________________________
> Spud mailing list
> Spud@ietf.org
> https://www.ietf.org/mailman/listinfo/spud
- [Spud] SPUD magic number Tom Herbert
- Re: [Spud] SPUD magic number Pal Martinsen (palmarti)
- Re: [Spud] SPUD magic number Toerless Eckert
- Re: [Spud] SPUD magic number Toerless Eckert
- Re: [Spud] SPUD magic number Tom Herbert