IETF Logo Mail Archive

Re: [tsvwg] I-D Action: draft-ietf-tsvwg-udp-options-dplpmtud-02.txt

mohamed.boucadair@orange.com Thu, 09 December 2021 15:23 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEA9C3A0D68 for <tsvwg@ietfa.amsl.com>; Thu, 9 Dec 2021 07:23:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ufmk5qvWwT20 for <tsvwg@ietfa.amsl.com>; Thu, 9 Dec 2021 07:23:48 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D952D3A0D50 for <tsvwg@ietf.org>; Thu, 9 Dec 2021 07:23:47 -0800 (PST)
Received: from opfedar00.francetelecom.fr (unknown [xx.xx.xx.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfedar24.francetelecom.fr (ESMTP service) with ESMTPS id 4J8yVT6pLlz5w0L; Thu, 9 Dec 2021 16:23:45 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1639063426; bh=MrZIbwqw1XmFbjqZdPehxpIIHellByyOiB1AsUDzdc0=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=PLrRSbo0o0zE4ORWRiI1MG8nNlqYlXrfHI9V7k5RUlcLLIUm61TMFX5MjnLwZBwqq jciZpbc08AFZCWrcCwroYYiYZtdYhuaddRYZeYwzir0bWNOY1RNla//bAQIMhV+nDq IQIJfuIuKEte3fYMRoRCq9ntufKdG3nn3b4PI8HUDmccPXL7he58H5lpPjWMchRnDk 4zbPYybNGdjmY9GlNnmXpjcJrdVnNINWBr+reKUZ0f9II08vuQWcmGQoRN6XzcL//b ggX+B7w2gIvOzjTHBRER+sIB/21JVBpUVbALWEbnj9Q2iWV2ZpPYHUirBKKH9jAVr3 wIFhNJ/g1LHnw==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfedar00.francetelecom.fr (ESMTP service) with ESMTPS id 4J8yVT5wC7zCqkC; Thu, 9 Dec 2021 16:23:45 +0100 (CET)
From: mohamed.boucadair@orange.com
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
CC: "tsvwg@ietf.org" <tsvwg@ietf.org>
Thread-Topic: I-D Action: draft-ietf-tsvwg-udp-options-dplpmtud-02.txt
Thread-Index: AQHX7QvVij9pYrq/eE2YMLRz2D4LvKwqQnsQ
Content-Class:
Date: Thu, 09 Dec 2021 15:23:45 +0000
Message-ID: <16146_1639063425_61B21F81_16146_169_1_787AE7BB302AE849A7480A190F8B933035461B80@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <163785494316.17506.9044882518269944059@ietfa.amsl.com> <24268_1638965971_61B0A2D3_24268_138_1_787AE7BB302AE849A7480A190F8B933035460D95@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <250f239f-edeb-eaab-d67f-92c672d78a77@erg.abdn.ac.uk> <22260_1639058448_61B20C10_22260_249_1_787AE7BB302AE849A7480A190F8B933035461A08@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <bbc7a30d-1bff-9c91-9694-7440f840d8fc@erg.abdn.ac.uk>
In-Reply-To: <bbc7a30d-1bff-9c91-9694-7440f840d8fc@erg.abdn.ac.uk>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2021-12-09T15:22:04Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=f1b3649a-5cd4-4886-afb2-642639af23d3; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/57-xiWRfqFXU06swMb0xtLFyQz4>
Subject: Re: [tsvwg] I-D Action: draft-ietf-tsvwg-udp-options-dplpmtud-02.txt
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Dec 2021 15:23:53 -0000

Re-,

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Gorry Fairhurst <gorry@erg.abdn.ac.uk>
> Envoyé : jeudi 9 décembre 2021 15:48
> À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
> Cc : tsvwg@ietf.org
> Objet : Re: I-D Action: draft-ietf-tsvwg-udp-options-dplpmtud-02.txt
> 
> 
[snip]
> >>
> >> This I wonder - if really this is necessary that all probes carry a
> >> random nonce, in the past we have managed with sequentially numbered
> >> probes - initialised with a hard to guess value
> > [Med] If you have the initial random value close to the nonce bounds (0,
> 2^32 - 1), randomness does not add much because of nonce wraps around. A
> more efficient approach to prevent off-path attacks is to use random
> nonces per request.
> 
> GF2, Well I see the sender generating a sequence of probes... probably not
> many per RTT, and each carries a RES option and the nonce. An off-path
> attacker will find it hard to guess a random nonce.

[Med] Fully agree if the nonce is always random.

> 
> Probes need to be indentifiable uniquely in the case of path reordering or
> (unlikely) duplication. I'm suggesting successive probes could be numbered
> sequentially, to achieve this - but you could also use a PN sequence or
> whatever means to achieve uniqueness.

[Med] I thought you were suggesting that a given sender will generate a nonce once, and then sequentially increment it when it has to send a REQ. I think this is suboptimal compared to generating a random nonce to uniquely identify each REQ. Sequentially incrementing the nonce may not be a good guard especially if a host sends regulars probes to check an increase of the PLPMTU (the draft says, this happens "From time to time"). 

I don't think a sequence number is needed with a 4-byte nonce. 

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email