IETF Logo Mail Archive

Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32

"C. M. Heard" <heard@pobox.com> Mon, 29 April 2024 18:57 UTC

Return-Path: <heard@pobox.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6EB4C14F700 for <tsvwg@ietfa.amsl.com>; Mon, 29 Apr 2024 11:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pobox.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SXLSrc-HW8eh for <tsvwg@ietfa.amsl.com>; Mon, 29 Apr 2024 11:57:24 -0700 (PDT)
Received: from pb-smtp21.pobox.com (pb-smtp21.pobox.com [173.228.157.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB2D6C14F6FD for <tsvwg@ietf.org>; Mon, 29 Apr 2024 11:57:24 -0700 (PDT)
Received: from pb-smtp21.pobox.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 88FDC18407 for <tsvwg@ietf.org>; Mon, 29 Apr 2024 14:57:16 -0400 (EDT) (envelope-from heard@pobox.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h= mime-version:references:in-reply-to:from:date:message-id:subject :to:content-type; s=sasl; bh=0qnmG29VWjrHeze5XKGSdIN3Tri4OCmKaZ0 gWKmUHiw=; b=W6T1EKxo7M0Yn+NclnIZKMA5jzGbNFNvBJH7M+fEOyxwKMOYAWx yE1L9TnZ3lpxiJNwqTrauaXya/zkJOZBiv7DPe8FU+dR1OB0ytJJLhZcZEkdepNh 2aVKzJpGHLKQOlyh8hc8bE4zvMo/QQGOY2UAvE0cW8G0BIgzfJGU717g=
Received: from pb-smtp21.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 810FC18404 for <tsvwg@ietf.org>; Mon, 29 Apr 2024 14:57:16 -0400 (EDT) (envelope-from heard@pobox.com)
Received: from mail-ed1-f54.google.com (unknown [209.85.208.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp21.pobox.com (Postfix) with ESMTPSA id 6F25C18400 for <tsvwg@ietf.org>; Mon, 29 Apr 2024 14:57:11 -0400 (EDT) (envelope-from heard@pobox.com)
Received: by mail-ed1-f54.google.com with SMTP id 4fb4d7f45d1cf-5726ccca4c8so2848418a12.3 for <tsvwg@ietf.org>; Mon, 29 Apr 2024 11:57:11 -0700 (PDT)
X-Gm-Message-State: AOJu0YyB6pyohRD6ubRAbSZUFu7Ksf4mhW7esV1Bcd/aVVFs2dFH26Xn ojXrZQVTCfzg+QJwsJJusHryi6+3sfA4tAxHL783DoKkxA5ZZs8J17RayN+5nTkkzp6CFk+TZCj 30UMQXj5I856Gynb554NPtC23kT8=
X-Google-Smtp-Source: AGHT+IG2ZyFUA9OHnI+DWTqyufmap0+Ns5mXM1482c3CHlp+j7pWkZSAHEDbwfx8otASWjljU2AcZLSe79wxX0++j1I=
X-Received: by 2002:a50:a687:0:b0:568:1882:651f with SMTP id e7-20020a50a687000000b005681882651fmr7199634edc.25.1714417029056; Mon, 29 Apr 2024 11:57:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAEh=tcd2FzQxgbSivuX2cEg2FpsnkoqdFw5gMhrx3pkT_JV88Q@mail.gmail.com> <2BEB5CC3-BB54-4119-A20F-8497ED4B5AE2@erg.abdn.ac.uk> <CAEh=tccKg7YHYkwKZ978uaXmTkBu3zyA+WBAW=eBMKAh2PSVDw@mail.gmail.com> <b7f7b836-c625-445d-bd38-f5ed8f4ba757@huitema.net> <CALx6S34=5CCDY_Wj1+9Moj0NMnZr=gBjpT3NBfom6r6oouGJEw@mail.gmail.com> <017b6905-d56c-4821-a313-644f003f2925@huitema.net> <CALx6S36YKP6XN=51E0mAzUzJumsZKkhyYJ0XzR_7en8OJ_pAAQ@mail.gmail.com> <5f3d17fa-292a-4c22-ba31-1325acd08ade@huitema.net>
In-Reply-To: <5f3d17fa-292a-4c22-ba31-1325acd08ade@huitema.net>
From: "C. M. Heard" <heard@pobox.com>
Date: Mon, 29 Apr 2024 11:56:56 -0700
X-Gmail-Original-Message-ID: <CACL_3VHkj9DshuJVWO2qm9mwuM29peUZExVw-QWrK+OEFmo5hw@mail.gmail.com>
Message-ID: <CACL_3VHkj9DshuJVWO2qm9mwuM29peUZExVw-QWrK+OEFmo5hw@mail.gmail.com>
To: TSVWG <tsvwg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000003a023061740d2fc"
X-Pobox-Relay-ID: 49149020-065A-11EF-B58C-A19503B9AAD1-06080547!pb-smtp21.pobox.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/2aU56CapIZDlQ2PnzfZ9gRBvitA>
Subject: Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Apr 2024 18:57:29 -0000

On Tue, Apr 9, 2024 at 10:16 AM Christian Huitema wrote:
> On 4/9/2024 9:09 AM, Tom Herbert wrote:
> > On Tue, Apr 9, 2024 at 8:29 AM Christian Huitema wrote:
> > > On 4/9/2024 8:17 AM, Tom Herbert wrote:
> > > > On Tue, Apr 9, 2024 at 7:29 AM Christian Huitema wrote:
> > > > > Depending on the application stack, UDP is either a transport
> > > > > protocol or a transparent pass-through. Indeed, this is pretty
> > > > > much the intended design of UDP, as stated in RFC 768: "This
> > > > > protocol provides a procedure for application programs to send
> > > > > messages to other programs with a minimum of protocol
> > > > > mechanism."
> > > > >
> > > > > If the application stack is including its own transport
> > > > > protocol, then we are in the "pass-through" case. This is
> > > > > absolutely the case if the application stack includes QUIC,
> > > > > SCTP or DTLS, but there are other examples.
> > > > >
> > > > > In the pass-through examples, and especially when the
> > > > > application transport uses encryption, adding clear-text
> > > > > options does not add value. It destroys it, re-enabling
> > > > > surveillance despite encryption of the application.
> > > > >
> > > > > I think there should be a very clear mechanism for application
> > > > > to "opt-in" the usage of clear-text application, and that for
> > > > > applications that did not opt in the reception of clear-text
> > > > > options should be treated as a protocol error.
> > > >
> > > > Christian,
> > > >
> > > > In current host stack implementation[s], when a UDP packet is
> > > > received  with surplus area we truncate the packet down to UDP
> > > > Length and otherwise ignore the surplus area bits. Are you
> > > > suggesting that the default behavior should be to drop packets
> > > > with a UDP surplus area?
> > > >
> > > > IMO, this might be worth considering. I agree that this would
> > > > tighten security. Also, I would point out that even truncating
> > > > the surplus area like we do today is not without cost. If we are
> > > > doing protocol agnostic checksum offload, the preferred method,
> > > > then we need to compute the checksum over the surplus area when
> > > > truncating and so we do this in the CPU. For a large surplus
> > > > area this can burn a lot of cycles to process data that is
> > > > useless to the receiver; conceivably, this could be a basis
> > > > for a DoS attack on CPU resources.
> > >
> > > If the application did not opt-in, yes, because that's the best
> > > way to prevent "off standard" deployment of clear-text options.
> >
> > Christian,
> >
> > I believe that processing of the options is already opt-in.
> > Accepting UDP surplus area (at least ignoring it and not dropping
> > packet) and the checksum processing I described are currently
> > mandatory.
>
> And that's probably what need to change before this draft is
> published. Using the surplus area without the explicit consent of
> the application is an attack. The proper way to stop such attacks
> is to drop the whole packet, because only that inflicts a cost to
> the attacker.

In case it was not clear, when Tom says "currently mandatory" in the
passage above, he is referring to current standards, i.e., RFC 768
as it now stands. He is not referring to the current contents of
the UDP Options spec. The change that you are proposing here would
thus be a change to current standard behaviour, which is explicitly
out of scope for the UDP Options spec.

What the UDP Options spec could do to improve the situation would be
to have an API option (or a configuration option that applies to
selected listening ports) to drop all packets that contain a
non-empty surplus area (i.e., that contain any UDP options at all).
This would not address all of the security problems that you raise,
but it result in an improvement over the current situation if the
UDP Options spec were to be published and adopted.

These considerations are summarized in a response to Issue #44
<https://github.com/tsvwg/draft-ietf-tsvwg-udp-options/issues/44>.

Respectfully,

Mike Heard

v2.35.0 | Report a Bug | By Email | System Status