Re: [tram] Publication has been requested for draft-ietf-tram-stun-pmtud-07

Marc Petit-Huguenin <marc@petit-huguenin.org> Wed, 29 August 2018 11:54 UTC

To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: draft-ietf-tram-stun-pmtud@ietf.org, tram-chairs@ietf.org, tram@ietf.org, "Asveren, Tolga" <tasveren@rbbn.com>
Date: Wed, 29 Aug 2018 04:54:02 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/9c8Grjr5mpnH0EDlLqTQZkLx_fE>

Hi Spencer,

In case you missed the announcement, I published a new version of draft-ietf-tram-stun-pmtud with the modifications described in this thread.

Thanks.

On 08/20/2018 10:31 AM, Spencer Dawkins at IETF wrote:
> Hi, Marc,
> 
> On Mon, Aug 20, 2018 at 11:08 AM Marc Petit-Huguenin <
> marc@petit-huguenin.org> wrote:
> 
>> Hi Spencer,
>>
>> Sorry for the delay on resolving that issue.  See below for my answer.
>>
>> On 05/15/2018 08:33 AM, Spencer Dawkins at IETF wrote:
>>> Hi, Marc,
>>>
>>> On Mon, May 14, 2018 at 6:50 PM, Marc Petit-Huguenin <
>>> marc@petit-huguenin.org> wrote:
>>>
>>
>> [...]
>>
>>>>
>>>>>
>>>>> If using authentication in
>>>>>
>>>>>   UDP-based protocols that want to use any of these mechanisms,
>>>>>    including the PMTUD-SUPPORTED attribute, to signal PMTUD
>> capabilities
>>>>>    MUST ensure that it cannot be used to launch an amplification
>> attack.
>>>>>    For example, using authentication can ensure this.
>>>>>
>>>>> is only one way to ensure prevention of amplification attacks, is there
>>>> any
>>>>> guidance or reference you could point to that would help implementers
>>>>> evaluate other approaches?
>>>>
>>>> It's a good question.  I have to think about that.
>>>>
>>>
>>> Thanks for the quick and thorough responses.
>>>
>>> I think I'm good on your responses for all my other questions. I'll let
>> the
>>> working group chew on this one, and let the chairs/shepherd let me know
>>> when to request Last Call.
>>>
>>
>> As far as I can tell, there are 3 major ways of preventing source IP
>> spoofing at this layer, but I was not able to find a unique reference that
>> points to an explanation to these.
>>
>> So the plan is to add, after some copy-editing with my co-editor, the
>> following text in replacement of the "For example, using authentication can
>> ensure this." sentence:
>>
>>
>> "  An amplification attack can be prevented using three different
>>    techniques:
>>
>>    o  Authentication, where the source of the packet and the destination
>>       share a secret.
>>
>>    o  3 way handshake with some form of unpredictable cookie.
>>
>>    o  Make sure that the total size of the traffic potentially generated
>>       is lower than the size of the request that generated it."
>>
>>
>> Would that resolve that issue?
>>
> 
> Yes, it would.
> 
> I was hoping there would be a good reference you can point to, but if
> there's not, this is helpful.
> 
> I might suggest that your first sentence be something like
> 
> "An amplification attack can be prevented using techniques such as:"
> 
> just in case a security reviewer happens to know of a fourth technique. But
> I'll let you and Gonzalo do the right thing, and I'll request Last Call for
> your next version.
> 
> Thanks for chasing this down!
> 
> Spencer
> 
> 
>> Thanks.
>>

-- 
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: https://marc.petit-huguenin.org
Profile: https://www.linkedin.com/in/petithug
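The three mitigations proposed in the draft text above, as an added example that is not part of this thread or of the draft: a gate a UDP responder can apply before emitting any reply that is larger than the request. The request layout (body followed by an HMAC-SHA256 tag), the 16-byte address-bound cookie, and every key and address are constructed assumptions, not the STUN MESSAGE-INTEGRITY or PMTUD-SUPPORTED formats.

```python
import hashlib
import hmac

TAG_LEN = 32  # constructed layout: request body || HMAC-SHA256 tag


def sign_request(body: bytes, secret: bytes) -> bytes:
    """Client side of technique 1: append the tag the responder will verify."""
    return body + hmac.new(secret, body, hashlib.sha256).digest()


def is_authenticated(request: bytes, secret: bytes) -> bool:
    """Technique 1: the sender proves it holds the shared secret."""
    if len(request) <= TAG_LEN:
        return False
    body, tag = request[:-TAG_LEN], request[-TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def make_cookie(server_key: bytes, src: tuple) -> bytes:
    """Technique 2: stateless, unpredictable cookie bound to the claimed source.

    Only a host that really receives traffic at src can echo it back, so a
    spoofed source never completes the 3-way handshake. The cookie is the only
    thing sent on first contact, and it is tiny. Rotate server_key regularly.
    """
    addr = f"{src[0]}:{src[1]}".encode()
    return hmac.new(server_key, addr, hashlib.sha256).digest()[:16]


def cookie_valid(server_key: bytes, src: tuple, cookie: bytes) -> bool:
    return hmac.compare_digest(make_cookie(server_key, src), cookie)


def size_bounded(request: bytes, response: bytes) -> bool:
    """Technique 3: never reply with more bytes than were received."""
    return len(response) <= len(request)


def may_send(request: bytes, response: bytes, src: tuple,
             secret: bytes, server_key: bytes, cookie=None) -> bool:
    """Responder gate: the reply goes out only if at least one technique holds.

    When it returns False the responder should answer with nothing more than
    a fresh cookie from make_cookie(), never with the (larger) response.
    """
    if size_bounded(request, response):
        return True
    if is_authenticated(request, secret):
        return True
    return cookie is not None and cookie_valid(server_key, src, cookie)
```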