Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32

"touch@strayalpha.com" <touch@strayalpha.com> Tue, 09 April 2024 15:01 UTC

From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <CAEh=tcd2FzQxgbSivuX2cEg2FpsnkoqdFw5gMhrx3pkT_JV88Q@mail.gmail.com>
Date: Tue, 09 Apr 2024 08:00:52 -0700
Cc: Christian Huitema <huitema@huitema.net>, tsvwg <tsvwg@ietf.org>, draft-ietf-tsvwg-udp-options.all@ietf.org
Message-Id: <F36164D6-8685-4AB2-AED3-147E4D6D8FF8@strayalpha.com>
References: <CAM4esxSpwRF5E3Xc_hotgvCSdKVe4BY_zRUKAzHvW48JEtWqTA@mail.gmail.com> <CACL_3VGOLkJU1m7pqSXRRouCKwdQ6yrbmaPwoa22Jr-N3FZNzA@mail.gmail.com> <fccb92b0-dbc8-4cb2-b49c-1f603297d721@huitema.net> <CAEh=tcd2FzQxgbSivuX2cEg2FpsnkoqdFw5gMhrx3pkT_JV88Q@mail.gmail.com>
To: Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/-TUQCjdVD56xCnab1BbH0gqZ8Pk>

Hi, all,

> On Apr 9, 2024, at 3:31 AM, Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com> wrote:
> 
> The question I would like to get answered is:
> 
> Is it OK for the endpoints to send information in UDP options which can be read (only) by the transit nodes, which then react to it? If NO, then how do we prevent that from happening?
> 
> //Zahed 

We can prevent that if/when we proceed with the UDP encryption option or using IPsec.

But all this talk about transport protocols and their vulnerability to on-path mods strikes me as hollow. We have had such protections for TCP for a generation (over 25 yrs) with TCP-MD5 and its successor TCP-AO. Neither one protects packets from on-path tampering with IP options, but we’ve had that for just as long too.

What we don’t have is a widely enough deployed key infrastructure. Until that happens, it’s difficult to understand how raising these issues obligates protocol designers.

However, there’s a second point I have not seen raised. Saying these options MUST NOT be modified in transit isn’t just for implementers - it’s also for those seeking to standardize such behavior and for those in the IETF who might assess those standards. What we’re saying, besides “don’t do it”, is “don’t standardize it”.

The doc can make that point clearer, but I don’t see any other action coming from this discussion for the core doc.

I would also suggest we move these discussions off to GitHub as soon as possible so we can trace them more easily (chairs - what’s the procedure for that? Do you? Does the doc shepherd? Do I?).

Joe