IETF Logo Mail Archive

Re: [tram] Publication has been requested for draft-ietf-tram-stun-pmtud-07

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Mon, 20 August 2018 17:32 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2126B130DC1; Mon, 20 Aug 2018 10:32:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o6E6LqJH4Zj3; Mon, 20 Aug 2018 10:32:05 -0700 (PDT)
Received: from mail-yw1-xc36.google.com (mail-yw1-xc36.google.com [IPv6:2607:f8b0:4864:20::c36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76E45130D7A; Mon, 20 Aug 2018 10:32:05 -0700 (PDT)
Received: by mail-yw1-xc36.google.com with SMTP id s68-v6so7119026ywg.2; Mon, 20 Aug 2018 10:32:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6OwYoVaZsutHaHqIDGv6Fm66MkCyd3/Ah2ozYnwpXi8=; b=YUzP+tPANSfhdLYGHn7yBbWZo/G0HQW4KkWTv7vWNUEWSEMpoLCzW1b8ocLT7vilgS talGMj8HC2N/cMMNwEogXDeX1QBBwDN7uDYG/cJpkWUMHISzu6HJ4crU3T/oO3xjWSoD kS26EXpE7aF5i7VKT9qPYtRfrmIyD3BTdXkxt+aklH0DERfRHghGzFwmVCI/ePNAMSoO hgEDSpqjIVkKQRv9MnLBNKBU1HQt597gxb3UTBLpg4oay64UixnzW9ze8GmRICpAuCXd tDt9etSMPRKOESUxKGjTF2VQnZWXWXRZ+0GRKpnJathMsN74X3pMrmPPVL7w0eMfkrH0 KhIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6OwYoVaZsutHaHqIDGv6Fm66MkCyd3/Ah2ozYnwpXi8=; b=FP4WwzgDHnTZ7TvmjN/BH6D1f2aJMPFzzwnv8E/8BCC2QC+GgD/OguR2JfOA+E8f/G BHWVVtyex3Ce4O6Ii8zJ4Zvf2l6QULAwBSEMiuqGI0mGRNNA/3v4e/Fl1rKDZu5IUMew 4YbTPtSrMdeQ1Zok6vpHdKTiw7jQxa9EwjYZjn0+Q5pLuUuAJ8n41eGOZk9QCS1mfV4H 0sMmRlW/UN+MFWdBcRIR4YdbvR8X1maoUTcr3aU6QfEjGT2s+3cjJiAZmDTmQNgKqwlB rQHJ/dGXr90XSAzwaslkBh/dAirLEFyGYPOK6ZESd3KfMFsYyrF7oh8VlvfthnXMF8Cq X0Sg==
X-Gm-Message-State: AOUpUlEIwYHWef8ZsswIZNIRLYBayXhfYomDwj2iIhQxsprxByu/X4MQ kZbvScFGC6SyVNseOY+N06ZsWSC7TTho5BjEYwM=
X-Google-Smtp-Source: AA+uWPz5rYBiYudgjaga+5gKve243cis+RzizBMPpqM3S3L7Sa6x5gtLsqTOOxPCOJUTnsCrEzcBS95wbfuLkArUUSQ=
X-Received: by 2002:a81:4dd5:: with SMTP id a204-v6mr5933820ywb.179.1534786324463; Mon, 20 Aug 2018 10:32:04 -0700 (PDT)
MIME-Version: 1.0
References: <152421676370.10784.8969648253452773656.idtracker@ietfa.amsl.com> <CAKKJt-ffi8CVqeWGsf8x9HDX7fEOKYztuPNZ90HhcpjMZ3ApYA@mail.gmail.com> <55552202-8550-235b-b907-5f7dd65dbde2@petit-huguenin.org> <CAKKJt-fkm5L0qdQ5tFBbHR=ODQwiXaWYY8AVQKMg1ZutytpHDA@mail.gmail.com> <ebda0375-b581-0dc9-eebf-423f4954c163@petit-huguenin.org>
In-Reply-To: <ebda0375-b581-0dc9-eebf-423f4954c163@petit-huguenin.org>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Mon, 20 Aug 2018 12:31:52 -0500
Message-ID: <CAKKJt-f=51JfanPKfEyjp7s3uaXVsFg8A79x=QdxHjUWy9cK9g@mail.gmail.com>
To: Marc Petit-Huguenin <marc@petit-huguenin.org>
Cc: draft-ietf-tram-stun-pmtud@ietf.org, tram-chairs@ietf.org, tram@ietf.org, "Asveren, Tolga" <tasveren@rbbn.com>
Content-Type: multipart/alternative; boundary="000000000000ad081d0573e1494b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/06aIeclpYlJuH1hzzvxOeQFtPaQ>
Subject: Re: [tram] Publication has been requested for draft-ietf-tram-stun-pmtud-07
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 17:32:08 -0000

Hi, Marc,

On Mon, Aug 20, 2018 at 11:08 AM Marc Petit-Huguenin <
marc@petit-huguenin.org> wrote:

> Hi SPencer,
>
> Sorry for the delay on resolving that issue.  See below for my answer.
>
> On 05/15/2018 08:33 AM, Spencer Dawkins at IETF wrote:
> > Hi, Marc,
> >
> > On Mon, May 14, 2018 at 6:50 PM, Marc Petit-Huguenin <
> > marc@petit-huguenin.org> wrote:
> >
>
> [...]
>
> >>
> >>>
> >>> If using authentication in
> >>>
> >>>   UDP-based protocols that want to use any of these mechanisms,
> >>>    including the PMTUD-SUPPORTED attribute, to signal PMTUD
> capabilities
> >>>    MUST ensure that it cannot be used to launch an amplification
> attack.
> >>>    For example, using authentication can ensure this.
> >>>
> >>> is only one way to ensure prevention of amplification attacks, is there
> >> any
> >>> guidance or reference you could point to that would help implementers
> >>> evaluate other approaches?
> >>
> >> It's a good question.  I have to think about that.
> >>
> >
> > Thanks for the quick and thorough responses.
> >
> > I think I'm good on your responses for all my other questions. I'll let
> the
> > working group chew on this one, and let the chairs/shepherd let me know
> > when to request Last Call.
> >
>
> As far as I can tell, there is 3 major ways of preventing source IP
> spoofing at this layer, but I was not able to find a unique reference that
> points to an explanation to these.
>
> So the plan is to add, after some copy-editing with my co-editor, the
> following text in replacement of the "For example, using authentication can
> ensure this." sentence:
>
>
> "  An amplification attack can be prevented using three different
>    techniques:
>
>    o  Authentication, where the source of the packet and the destination
>       share a secret.
>
>    o  3 way handshake with some form of unpredictable cookie.
>
>    o  Make sure that the total size of the traffic potentially generated
>       is lower than the size of the request that generated it."
>
>
> Would that resolve that issue?
>

Yes, it would.

I was hoping there would be a good reference you can point to, but if
there's not, this is helpful.

I might suggest that your first sentence be something like

"An amplification attack can be prevented using techniques such as:"

just in case a security reviewer happens to know of a fourth technique. But
I'll let you and Gonzalo do the right thing, and I'll request Last Call for
your next version.

Thanks for chasing this down!

Spencer


> Thanks.
>
> --
> Marc Petit-Huguenin
> Email: marc@petit-huguenin.org
> Blog: https://marc.petit-huguenin.org
> Profile: https://www.linkedin.com/in/petithug
>
>
>
>

v2.23.0 | Report a Bug | By Email