Re: [tsvwg] Regarding DTLS and UDP options

[Joe Touch <touch@isi.edu>]

On 4/17/2017 1:29 PM, Tom Herbert wrote:
> On Mon, Apr 17, 2017 at 12:11 PM, Joe Touch <touch@isi.edu> wrote:
>> FYI - draft 08 has just been uploaded to address this issue in the
>> security considerations section.
>>
>> I would like to ask that the chairs to ask the WG to consider adopting
>> this as a standards track doc.
>>
> Joe,
>
> The draft lists intended status as experimental, but above you're
> asking for adoption for standard track? 

That's correct.

> I would be worried about
> making this standard if it retroactively defines all cases where IP
> length is greater than UDP length as now containing UDP options.

It does exactly that, but has checksums to validate when that happens.

>
> One thing that might be missing from the draft is middle box handling.
This is already discussed extensively in the document, including in
response to previous TSVWG discussion. That's why we now default to
using the OCS and a length validation. Do you have specific concerns?

> I suspect your intent is that options are meant only for end to end
> consumption 

That's frankly true of all transport options, not just these in UDP.

> and so middleboxes must pass packets with UDP options,
> should not attempt to parse the UDP options, and must not modify
> options.
We already addressed that in the doc.

Joe

>
> Tom
>
>> Joe
>>
>> A new version of I-D, draft-touch-tsvwg-udp-options-08.txt
>> has been successfully submitted by Joe Touch and posted to the
>> IETF repository.
>>
>> Name:           draft-touch-tsvwg-udp-options
>> Revision:       08
>> Title:          Transport Options for UDP
>> Document date:  2017-04-17
>> Group:          Individual Submission
>> Pages:          25
>> URL:            https://www.ietf.org/internet-drafts/draft-touch-tsvwg-udp-options-08.txt
>> Status:         https://datatracker.ietf.org/doc/draft-touch-tsvwg-udp-options/
>> Htmlized:       https://tools.ietf.org/html/draft-touch-tsvwg-udp-options-08
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-touch-tsvwg-udp-options-08
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-touch-tsvwg-udp-options-08
>>
>>
>> On 4/17/2017 1:59 AM, Gorry Fairhurst wrote:
>>> Thanks Joe,
>>>
>>> That seems to be exactly the question the WG asked to explore. I agree
>>> your next update should add a small susbsection on how DTLS should be
>>> handled.
>>>
>>> Gorry
>>>
>>> On 15/04/2017, 00:56, Joe Touch wrote:
>>>> Hi, all,
>>>>
>>>> Christian Huitema a question about the interaction between DTLS and UDP
>>>> options during my remote presentation at IETF 98.
>>>>
>>>> I took a closer look and consulted with Eric Rescorla (DTLS author). He
>>>> and I agreed as follows:
>>>> - DTLS would currently not cover UDP options; DTLS protects only the UDP
>>>> payload
>>>> - the situation is analogous to TCP options, which are not covered by
>>>> TLS
>>>> I.e., both TLS and DTLS are transport *payload* security only, despite
>>>> their names.
>>>>
>>>> Christian noted that this may be a reason QUIC prefers UDP (to avoid the
>>>> need to protection transport options), however QUIC does not (and
>>>> cannot) deprecate UDP payloads that are smaller than the IP payload.
>>>> That would require a change to RFC 768.
>>>>
>>>> I'll add a clarification on this point to the next rev of the UDP
>>>> options document.
>>>>
>>>> Joe