[Spud] Authentication and packet reflection [was: Re: Questions based on draft-trammell-spud-req-00]
Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch> Tue, 11 August 2015 17:38 UTC
Return-Path: <mirja.kuehlewind@tik.ee.ethz.ch>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 0EF571ACE1C
for <spud@ietfa.amsl.com>; Tue, 11 Aug 2015 10:38:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.91
X-Spam-Level:
X-Spam-Status: No, score=-3.91 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3,
T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id rkUyEs2juGsB for <spud@ietfa.amsl.com>;
Tue, 11 Aug 2015 10:37:58 -0700 (PDT)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 965BC1ACE15
for <spud@ietf.org>; Tue, 11 Aug 2015 10:37:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by smtp.ee.ethz.ch (Postfix) with ESMTP id 548CAD930B;
Tue, 11 Aug 2015 19:37:56 +0200 (MEST)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1])
by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id JpE+-NUyEiQn; Tue, 11 Aug 2015 19:37:56 +0200 (MEST)
Received: from [192.168.178.33] (x4d02d192.dyn.telefonica.de [77.2.209.146])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested) (Authenticated sender: mirjak)
by smtp.ee.ethz.ch (Postfix) with ESMTPSA id EC5A5D9303;
Tue, 11 Aug 2015 19:37:54 +0200 (MEST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: =?utf-8?Q?Mirja_K=C3=BChlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>
In-Reply-To: <CALx6S348ggxfi470iLDwKWKKmWFmwBahJeA6jfGmnGQ_Vmn37g@mail.gmail.com>
Date: Tue, 11 Aug 2015 19:37:53 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C071D303-C48B-4AB3-9B29-AC5E6F9C9E45@tik.ee.ethz.ch>
References: <1AFABFF2-B841-4B0D-867C-709683BEDC8D@tik.ee.ethz.ch>
<CALx6S348ggxfi470iLDwKWKKmWFmwBahJeA6jfGmnGQ_Vmn37g@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/qfehGXtMceC5rKYJv_gQEaAwuF8>
Cc: Ted Hardie <ted.ietf@gmail.com>, "Black, David" <david.black@emc.com>,
Eric Rescorla <ekr@rtfm.com>, Joe Hildebrand <jhildebr@cisco.com>,
spud@ietf.org, Jana Iyengar <jri@google.com>,
Ken Calvert <calvert@netlab.uky.edu>, Brian Trammell <ietf@trammell.ch>
Subject: [Spud] Authentication and packet reflection [was: Re: Questions
based on draft-trammell-spud-req-00]
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>,
<mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>,
<mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 17:38:01 -0000
Hi Tom, just two comments below: >> 3) Tradeoffs in integrity protection >> --- >> a) Should SPUD provide support to use the authentication mechanism of the overlying transport for SPUD information provided by an endpoint to check the authenticity and integrity when the information arrive at the other endpoint? >> —> Yes, if supported by the overlying protocol >> > Yes, but this seems independent of the overlying protocol. We should > be able to secure the SPUD bits as needed regardless of overlay or > underlay. That means, you would like to provide key exchange mechanisms in SPUD? > >> b) How can packet-mangling (middleboxes changing accidental or intentionally information provided by others, both middblebox and endpoints) by on-path ndes be detected? >> -> Lying can potentially be detected if information can be verify over a different mechanism. However it might not be possible to detect who provided these wrong information. Off-path devices would need to know the tube id to provide wrong information which may be unlikely. >> > Authenticating the header should be an option in cases where we want > to prevent any packet-mangling. If you already have a trust relationship which the other end, that’s easy but that only helps for information provided from end-points. However you might not be able to provide authenticated information from a middlebox. And sometimes it might even been on purpose that one middlebox should be able to overwrite the information form another middlebox, e.g. if the shortest time-out on the path is requested. >> >> f) Should middlebox information be reflected over the receiver or can they also be send directly to the sender (and might take a different route)? >> -> Maybe there should be a possibility to sent directly to the sender; for unidirectional flows the receiver may not have a bearer flow to carry the message back and thus would generate spud-only packets which maybe quite a bit overhead. However reflection over the receiver should be preferred. >> > Middleboxes often have a locality associated with them, e.g. home > router, enterprise firewall. In such cases, it seems like returning > information directly is a better use of resources and limits the > exposure of the data. For example, if your firewall wants to provide > the client with it's connection timeout, it can send that back > directly rather than forwarding this to some server halfway around the > world and expecting the them to properly reflect the information when > they should not care about this. To the server this is just extra work > and extra memory that needs to be allocated for each flow (possibly > millions of them). For time-outs I rather would like to see a mechanism where this information is reflected over the receiver because what you are actually looking for it not the time-out of your local firewall (you might already know that over a different channel) but the minimum time-out of all middleboxes on the path. Otherwise if you just request the time-out, every (Spud-aware) middlebox on the path would need to send you a separate reply. Of course the middlebox with the smallest time-out might not be spud-aware but that’s different problem. Mirja
- [Spud] Questions based on draft-trammell-spud-req… Mirja Kühlewind
- Re: [Spud] Questions based on draft-trammell-spud… Toerless Eckert
- Re: [Spud] Return routability and feedback (was: … Roland Bless
- Re: [Spud] Return routability and feedback (was: … Mirja Kühlewind
- Re: [Spud] Return routability and feedback Bless, Roland (TM)
- Re: [Spud] Questions based on draft-trammell-spud… Tom Herbert
- [Spud] Authentication and packet reflection [was:… Mirja Kühlewind
- Re: [Spud] Return routability and feedback (was: … Jana Iyengar
- Re: [Spud] Return routability and feedback (was: … Ted Hardie
- Re: [Spud] Authentication and packet reflection [… Tom Herbert
- Re: [Spud] Return routability and feedback Joe Touch