[tsvwg] Re: Request for consensus call for Auth in UDP options

Christian Huitema <huitema@huitema.net> Sat, 07 September 2024 03:59 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00AA4C151087; Fri, 6 Sep 2024 20:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uwcp5pPuWVBr; Fri, 6 Sep 2024 20:59:16 -0700 (PDT)
Received: from semf08.mfg.siteprotect.com (semf08.mfg.siteprotect.com [64.26.60.171]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7064C14F6A3; Fri, 6 Sep 2024 20:59:15 -0700 (PDT)
Received: from smtpauth01.mfg.siteprotect.com ([64.26.60.150]) by se02.mfg.siteprotect.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1smmbQ-00Fdvu-90; Fri, 06 Sep 2024 23:59:14 -0400
Received: from [192.168.1.109] (unknown [172.56.168.73]) (Authenticated sender: huitema@huitema.net) by smtpauth01.mfg.siteprotect.com (Postfix) with ESMTPSA id 4X0zqb590Dz163NqN; Fri, 6 Sep 2024 23:59:07 -0400 (EDT)
Message-ID: <116a09e2-4c7e-4175-badb-2200912a5d2b@huitema.net>
Date: Fri, 06 Sep 2024 20:59:05 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: "touch@strayalpha.com" <touch@strayalpha.com>, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
References: <CALx6S34JjFegygq3D=XnJxiy9tARNtkw2v4BqaCXS80u2J478g@mail.gmail.com> <3188D50F-104C-4505-A5BB-39BED72E3DC6@strayalpha.com> <CALx6S35hsV9HSE+CLg-7jXdVFX5XP_500tDXKxV0HYeA1PVzgA@mail.gmail.com> <D7618F0D-5820-49C0-B415-DF4925903773@strayalpha.com>
Content-Language: en-US
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <D7618F0D-5820-49C0-B415-DF4925903773@strayalpha.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=huitema@huitema.net
X-Originating-IP: 64.26.60.150
X-SpamExperts-Domain: mfg.outbound
X-SpamExperts-Username: 64.26.60.150/31
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=64.26.60.150/31@mfg.outbound
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.28)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT+ASjtDs07u5fcHGZVz2zo2PUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5zG+V06mNFlabDzEQ3rrM+xMiJrwQT+kEXQZMGrd9mNjl0J Y29uZNSqU9cnt1orp/QXOfHa25AeSW6Kw9x/1wJ2xFaDSXbn0V54fx71Y8FZuerm+98qRz0zSdpe wmD8rQKVe5aYu2UkLLbj6l3L3mgzQaXPwIlI4yu/PH1NWDdGRWhmFQNYH8eEtkEKpr6o4eGd//P8 Hyj64YXfRO8Dzu9RKIKF3peWxpztlbP70ni4IjQAWpI/rSCdEK3XHDD5MYcp8A5/el+UjJ7/bSP+ qis5IbaGC+OXmaWP+f3KKWVVwjK6gbDCKCURbXPXAu+OFbt8K4EgtgsN2Ij6q4Ui0HC+NiazvEL/ EQK6tjMFmjZ4flLiBdsp9N7O00t4IZtr4AaW+T5+n7UGVSvSvBAI59+7FIOvXg2DXtorQpU90u24 0FAqOT2SbC3GORZjYafiQ8YD0j9eQBt/ykrfEqUGImaPb9tZ+C5yOc2YAGkaEP1NOzM7hKQHOuNA eKeISDggO3OlcJV6HvtU1tgPH+4zjslD17NirEYyqwqMBGrw8ELiqGdRC0sIg7dqGZjzmrH1zBxC rViBlOUhWLyPKHrrFz18GrbDAnP7F5nItgfXFPgEHtjlDHh8k6TTdHl8m1/8O/+D5afguYCSx2IW cZZcphYefdqQPXbxriiD2MjcekrZjuR5Wfsqcpp2E7+INp3gDwSzJmgsZtfLkIQuQLz4y20jSbRt qnHNDP9UyypgspCDChPRtvDmqCYAZgmAKJYQ9oi/rRhnG7ENLFErCjCl8NrQmLkXw+CGG7VEieBd S/H/Jd+y7sdDf5ABPNcDM6cpPq6eV1ousthGylxVdU+R0ZjbcsOsKj1jwXU9Usyl/uLp0e/+xDVR VUJoToKhCH6aDw02/EOTJwXctSFriEBE/SueIbtf63VNbf0lrvssY+k7AErjM7mw0P+XZetVCvbr /I5T32fZt/1tFI44Z/M7ZcA903PP3PhBMpAREt+lUYId9TMaIL48SHdwBur7C9FrSAWgwUlrtiUD cpBDDI4/rDiY6dBx3/bNlhtF5ZFpG9nV/xjgvu7pAn+NdcA8i2i+TTgX/yKqiwsSAD8v4KLl1LEW TaWkBSHQc1+gHZZZssPyhNeBmqAYcElwMu1lSgC7JgQ=
X-Report-Abuse-To: spam@se02.mfg.siteprotect.com
Message-ID-Hash: X374JTH56YSTZLU627BEK3N5W75IAFEI
X-Message-ID-Hash: X374JTH56YSTZLU627BEK3N5W75IAFEI
X-MailFrom: huitema@huitema.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tsvwg.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tsvwg-chairs <tsvwg-chairs@ietf.org>, tsvwg <tsvwg@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [tsvwg] Re: Request for consensus call for Auth in UDP options
List-Id: Transport Area Working Group <tsvwg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/7ON77aMqdHrBLHcX7dd4O4C1up0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Owner: <mailto:tsvwg-owner@ietf.org>
List-Post: <mailto:tsvwg@ietf.org>
List-Subscribe: <mailto:tsvwg-join@ietf.org>
List-Unsubscribe: <mailto:tsvwg-leave@ietf.org>

My personal feeling is that authentication only is not terribly useful. 
We can see that in IPv6, where the AH header is used much less than the 
ESP header. If the endpoints have negotiated a key, they should use 
something like AEAD encryption, not just authentication. That would 
probably help address some of the concerns about peers ignoring the 
authentication: they may access the content of a field that is protected 
by authentication only, but they not be able to do that if the field is 
encrypted -- and AEAD gives you authentication more or less "for free".

In any case, shipping any protocol today that does not have a strong 
security posture seems like a very bad idea.

-- Christian Huitema

On 9/6/2024 7:40 PM, touch@strayalpha.com wrote:
> Tom,
>
> Sending AUTH to an endpoint that doesn’t expect it and have a key is useless as well.
>
> That endpoint can and should already override.
>
> A fundamental design principle - that was agreed by rough consensus - is that the receiver decides what to do with options, not the sender.
>
> Until a NEW point has been made, I will wait to see what others think.
>
> Joe
>
> —
> Dr. Joe Touch, temporal epistemologist
> www.strayalpha.com
>
>> On Sep 6, 2024, at 7:34 PM, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
>>
>> On Fri, Sep 6, 2024 at 7:06 PM touch@strayalpha.com
>> <touch@strayalpha.com> wrote:
>>> Hi Tom (et al.),
>>>
>>> As context:
>>>
>>> - NOBODY said a receiver cannot override the default behavior and decide to drop anything arriving with AUTH on a given socket.
>>> That’s already part of the design and a required capability.
>>>
>>> - what the current doc IS currently saying is that, *absent such explicit action by a receiver*, that AUTH doesn’t itself cause a packet to be dropped before being given to the receiver endpoint. Note that a failed AUTH would arrive with “AUTH failed” as context, not simply received without any indication of whether AUTH was present or whether it failed.
>>>
>>> The goal of the current *default* behavior is to act like a legacy endpoint, i.e., to allow users to enable AUTH on transmission without immediately breaking legacy endpoints, which would silently drop the AUTH anyway. Endpoints that know better - an endpoint that has installed a key for that socket - would already presumably override that default for that socket. The goal is to ensure that AUTH doesn’t break things unless the receiver takes specific action to NOT act like a legacy endpoint.
>> Joe,
>>
>> I fundamentally disagree that supporting legacy receivers is more
>> important than security. But in the case of the Auth option it's a
>> moot point, there is no valid use case of ever sending the
>> authentication option to a legacy receiver.
>>
>> Authentication requires some sort of key negotiation, which means for
>> someone to be able to send the option they were told what key to use
>> by the receiving site. So for a site to go at all the expense of
>> giving out keys, but then to not bother actually validating them at
>> receivers makes no sense. If receivers are allowed to ignore
>> authentication then that opens the door for a misconfiguration, and if
>> they willfully ignore authentication after negotiating keys that might
>> even be legal problem in some jurisdictions (i.e. this is akin to a
>> landlord giving a tenant keys to an apartment without bothering to
>> tell them that *any* key will work to get into their apartment; when
>> someone breaks and steals all the tenant's stuff the landlord is going
>> to be held liable).
>>
>>> That is the current state of the document and was our understanding of “rough consensus”. If that’s not the case, the chair can help us either find such consensus or direct otherwise.
>> There has never been any consensus on this, that's why I am asking for
>> a consensus call.
>>
>> Tom
>>
>>> Joe
>>>
>>> —
>>> Dr. Joe Touch, temporal epistemologist
>>> www.strayalpha.com
>>>
>>> On Sep 6, 2024, at 6:33 PM, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
>>>
>>> TSVWG chairs,
>>>
>>> I have raised an objection to the UDP Options draft that the
>>> Authentication may be ignored by a receiver. I believe this is a
>>> serious security vulnerability in the protocol.
>>>
>>> If a sender uses the option that must mean that a key negotiation must
>>> have happened, so when the sender places the option in a packet they
>>> naturally have the full expectation that the receiver will validate
>>> the authentication credentials. If the receiver elects to ignore the
>>> authentication then they will not only allow legitimate senders but an
>>> attacker will be able to access the system as well-- so basically
>>> there is no security and the user is at risk for harm. Ignoring an
>>> authentication option is not safe.
>>>
>>> The counter argument seems to be that it should be up to the receiver
>>> to decide if the authentication option must be validated. That stands
>>> in contrast to other authentication protocols like IPv6 AH that
>>> explicitly require authentication option to be validated if it is
>>> present (if they can't validate, then the packet MUST be dropped). If
>>> the idea is that the user decides this then security is wholly
>>> dependent on the user configuring the protocol correctly, so a slight
>>> misconfiguration could allow a major breach (note this cannot happen
>>> in IPv6 AH).
>>>
>>> Please consider doing a consensus call on whether ignoring an
>>> Authentication option in UDP options is allowed.
>>>
>>> Thanks,
>>> Tom
>>>
>>>
>