Re: [tsvwg] I-D Action: draft-ietf-tsvwg-udp-options-21.txt

"" <> Sat, 10 June 2023 00:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E4349C13AE41 for <>; Fri, 9 Jun 2023 17:28:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.315
X-Spam-Status: No, score=-1.315 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bsinlrp1ifC9 for <>; Fri, 9 Jun 2023 17:28:41 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 03DECC13AE3D for <>; Fri, 9 Jun 2023 17:28:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=79kUZRXKdhxAIy09qFEevIdZ99sA7X5p8gUC5aNS+EY=; b=RV04nahZugSH0pZB36oA4JEWbR WuLN7BPadxgjTtwfvulCV31ss+T6ZUBmRbWYt1UzAImKzUlvLzYZUnZL+XfZzKLkJ2T2+vhjaCyeZ Wuq6G8b57Ge7HJYpjzc9tX27jZSJ/+V14DE5c8nH3w7l8jmgNqEoXZ4NiExNGvXEkZc/yQVTrkRFl sVBs+mWUYNqNNy0xb5uBv4FjxVLIJ/fhewxHi7rFhwdY940Sd3deRLb6bYkTdk9GieCP4YmXNmr/q IQIY/LGqms4T/1A0gJ5a4TKYF5kHPV8dwq8k6m5iQJoU/H8rYGalG8phTJHT61TJfnWdOGjrK9guB Zhde1Y3w==;
Received: from [] (port=48767 by with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <>) id 1q7mT4-0039Qq-TW; Fri, 09 Jun 2023 20:28:39 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_D86524DA-5BB4-4EA7-A20B-5CA89D3570AA"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: "" <>
In-Reply-To: <>
Date: Fri, 09 Jun 2023 17:28:22 -0700
Message-Id: <>
References: <> <> <> <> <> <> <> <>
To: Tom Herbert <>
X-Mailer: Apple Mail (2.3731.600.7)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [tsvwg] I-D Action: draft-ietf-tsvwg-udp-options-21.txt
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 10 Jun 2023 00:28:45 -0000


> On Jun 9, 2023, at 4:33 PM, Tom Herbert <> wrote:
> On Fri, Jun 9, 2023 at 3:58 PM
> <> wrote:
>> Cutting to the chase…
>>> On Jun 9, 2023, at 3:24 PM, Tom Herbert <> wrote:
>>>> ...
>> *
>>>> There ARE good reasons a source might send more than N (for any N) SAFE options that a receiver might not support - and to do so repeatedly.
>>> Really? From the draft:
>>>>> Each option SHOULD NOT occur more than once in a single UDP
>>>  datagram, the only exceptions being NOP, EXP, and UEXP. If an option
>>>  other than these occurs more than once, a receiver MUST interpret
>>>  only the first instance of that option and MUST ignore all others.
>> The same option multiple times is NOT the same thing as many different options (the latter is what I refer to at the “*”)
>>> So if an option is received more than once is ignored, how is that
>>> possibly useful?
>> It isn’t, but it isn’t necessarily an attack either.
> Then what is it? An implementation bug on the sender? Either way,
> these cause the receiver to consume power and burn resources without
> beneficial effect. Receive one of these in a packet then it's in the
> noise, receive a bunch of packets with 300 of these in each packet
> then by any logic that's a Denial of Service Attack.

300 in each packet, maybe. 10? 20? What’s the threshold? There isn’t one - nor should there be.

And same for “a bunch of packets”. 

So yes, like any protocol, there are ways to abuse it. We can mention that in the security section, but should NOT proscribe specific ways or thresholds that aren’t inherently part of the protocol (e.g., 40 bytes for TCP options - which even that is being extended).

> ...
> Every standard track protocol requires security considerations, and
> DDOS is a security issue.

Yes, it can and should be discussed.

> Also note, that the protocol is CREATING the
> DOS vector,

The default is already that UDP options are off unless a user turns them on.

> so it's incumbent on the creators to provide solutions for
> mitigating that.

There are known solutions - but we should NOT be indicating specific thresholds because they WILL become baked into implementations.

>> ...
>> This is a USER protocol. Let the USER decide.
> Let the USER decide WHAT?

How many unknown options inside a single packet or how many such packets are an attack.

Yes, we can talk about that, but NO, we should not say 22 is bad but 21 is OK unless we have a specific reason to pick those numbers.

> This is why RFC8504 style limits are useful;

They’ve basically killed IPv6 options - without actually having the hurdle of being an actual update to the standard.

It’s not OK to tell everyone they “MAY ignore a single header option:
   A host MAY disallow unknown options in destination options or hop-by-hop options.

Doing that gives permission for everyone to stop supporting it:

It’s not OK to say:
   A host MAY impose a limit on the maximum number of non-padding
   options allowed in the destination options and hop-by-hop extension
   headers.  If this feature is supported, the maximum number SHOULD be
   configurable, and the default value SHOULD be set to 8.

The problem with that statement is it ought to have updated RFC8200 to say “IPv6 packets MUST NOT use more than 8 options”, because that’s the net effect. 

In our case, we can add:
	- A host MAY impose a limit on the max number of options in a UDP packet.

	- A host MAY also impose a separate limit on the max number of unknown options in a UDP packet

	- A host MUST NOT impose these limits by default. Any such limits MUST be activated only after a threshold that combines the number of offending options AND significant repeated attempts to use those options in multiple packets. This document does not indicate a specific such limit.