IETF Logo Mail Archive

Re: [tsvwg] Remaining issues for draft-ietf-tsvwg-udp-options-22

Sebastian Moeller <moeller0@gmx.de> Sun, 02 July 2023 13:01 UTC

Return-Path: <moeller0@gmx.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E38FC15153F for <tsvwg@ietfa.amsl.com>; Sun, 2 Jul 2023 06:01:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.547
X-Spam-Level:
X-Spam-Status: No, score=-2.547 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qO-pSkh9qssf for <tsvwg@ietfa.amsl.com>; Sun, 2 Jul 2023 06:01:25 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B920CC151081 for <tsvwg@ietf.org>; Sun, 2 Jul 2023 06:01:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.de; s=s31663417; t=1688302874; x=1688907674; i=moeller0@gmx.de; bh=Dve8R5UqBGpIJfDMws4ZMlg/gWBRRsqMlEjxtMR9PD8=; h=X-UI-Sender-Class:Subject:From:In-Reply-To:Date:Cc:References:To; b=IveS0kiknmmBycQ4lbCeUbS9HN+xuz+SxoEpOp5/xdSXhxColPiUEU5EwaIHCo09KdbiCoO ZEOiMitClvYyV+PKNBTdDdyRqux7k6IbROSqS1i9Y5ccO+4qiVHaSakBnEox4NmLOzTzroVil /RV6womJgJnKEMGYtZ6Nz6/MlWJ8OIjXmlHbSUjCGi5pKkcYk2M2Sb6/RlmRu5evvSV/qUY6P M8ttvhyL3zmErHE4VoHxDV1zFx386LEKg4dGPgU5DPUC182saqnxaJh8wro2DKj7DVeouH+Ee Hki87Aat83frEHX9miE7g/C2bqmHcwl+n6NIzM/fYN8EkVfioUfg==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from smtpclient.apple ([77.8.56.18]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MmDEg-1pY3JK0fOi-00iCfj; Sun, 02 Jul 2023 15:01:14 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.3\))
From: Sebastian Moeller <moeller0@gmx.de>
In-Reply-To: <20230702122842.GA20114@unix-ag.uni-kl.de>
Date: Sun, 02 Jul 2023 15:01:10 +0200
Cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, Joe Touch <touch@strayalpha.com>, TSVWG <tsvwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <08136480-5692-4B97-BA61-17833DE0E8CF@gmx.de>
References: <CACL_3VFNHVLc89BO_n12gKid6p0Y2tJ+-ThB0x_wGkMCMnSESA@mail.gmail.com> <14F6EC62-311B-46B3-8B80-7263345BCB80@gmx.de> <CACL_3VH4Zw_vVudO5WiFrD7AC5JhHXiSWfhW5Wu5O7W_rBYfMA@mail.gmail.com> <026B4018-4F96-49B4-B73A-E7F33FEE8A15@gmx.de> <CACL_3VEw4koyJSX3xA3UJ1Vikg+F9PPw1G030jQPHhZdoOETSA@mail.gmail.com> <d34aa821-207d-78eb-ead2-e2d918939dcf@erg.abdn.ac.uk> <20230629162807.GA8600@unix-ag.uni-kl.de> <20230701204510.GA29872@unix-ag.uni-kl.de> <CACL_3VG_c-+zqoEhufyLvDqCV1ZkUoS9ZoknxJWwvH2RddOD=A@mail.gmail.com> <8a7a4eb6-aaf2-edb6-8684-09d11f172dd0@erg.abdn.ac.uk> <20230702122842.GA20114@unix-ag.uni-kl.de>
To: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
X-Mailer: Apple Mail (2.3696.120.41.1.3)
X-Provags-ID: V03:K1:xOK76+5rbKEWBTekrEOdgzF84FY22twT7bEcWyfb4QLhoHmxtFE Q3xgfsRkE2XTlMEt/YkhYAnGqGRtL9NotmXg5R4C+h9bQZ1aLkMZcbwS04DWMTl3ubpOdHp Lp724rgqFa8ukMPgJaxSfG8PczVHY1Eegrdqbm1ngjECxHfe6ab2PKbfCCCpsBnl0OGDLi8 7FdSiMt9bGwKveU3fDrkA==
UI-OutboundReport: notjunk:1;M01:P0:DD9WAGl/nHc=;crUZIbw+rd/It0NmELWtXxs1Qv4 Mo1NqsZbQD41hfdVCXBvhoS9UBZQX/iS3TFn2slOsa6pobHs2ndC9sVfuXlzeAjZXgyrEr60S i12Y63SejJ8tP1867Nc+zDQrwu/kr0N3v9q3AT0g68glOVYhw07hk7LbZ+Ml44qGUJIXry6i3 2xNIVWMvornISsGIz7Vk80j+30CGnS1Ohnxjvl19Ed6JzMtol9KvTo5VDh4NVrhhCaebQ2WLI EqqSFdxXtiK1QDDbs1d5N7mwXoHUZkQsEXtZzgq89tcoufYzZh3eCJS7gfdmMvAhby9jgNTzq nzSwm5vpTRT6BG6VJK+f1lFul1dfl40o6JPiDf3BHRwu82vKg2nrmXgYVYe3GMl5/G7GDR1V0 FM70KuqdO0Eu9TpV4Mddn90QE4HZ3qVKBSOUAVnLHaTIqOV4prj/odb1CTafZYwJS7f7/+TOA SB6xrAKkUymrApabXh5tBt1AWECVJzIMACklOR/Tt1htrALwfcwmhrPCMyW4EBjctjIEtsLqY lbJkXqrQp47rsnX9GmJYF+f1Vof0cS+vDpxRCxuk4DKODjedmsKHPontOsMw6injAp36rkVq4 wP5//KhccUJt0MQInsvXDeFR/QcOvxtMN02tegxrGqBBehoDHZ8l7+bs4vuMyy6iZZOj7avNi v0KBgAS+LN7ZePdyyGYoU2ZFb3Mw0E12AzqpCHGWSCV1dzAS1sT1i8B8jduw+qP42qdiHrE7U aScn3hr79AbxeDBkK+YCBERIrFp9vmC5wmhc2X+snhtDy3iBcm99SNZUjOZU8K7tH2Eo2or82 1aWe0osztH9KVZWIauSFaem1KJeWvcjkEYjinc8sq0/7CiF5EEZA5RudYGSwofauevJphtCFq L88GcMRxT8n/+Px5jos3q24pTqz9BvCJhWKISb1JH2MdoJPfNIpv6+uQP3SR/Jc38ZmFDCfdy HAmGf/agSd6covhHQ3q25kdaMB4=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/BXoWQxwBwynF11nWr9a7mreGV38>
Subject: Re: [tsvwg] Remaining issues for draft-ietf-tsvwg-udp-options-22
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Jul 2023 13:01:29 -0000

Hi List,

> On Jul 2, 2023, at 14:28, Erik Auerswald <auerswal@unix-ag.uni-kl.de> wrote:
> 
> Hi,
> 
> On Sun, Jul 02, 2023 at 09:11:55AM +0100, Gorry Fairhurst wrote:
>> On 01/07/2023 22:39, C. M. Heard wrote:
>>> On Sat, Jul 1, 2023 at 1:45 PM Erik Auerswald wrote:
>>>> On Thu, Jun 29, 2023 at 06:28:07PM +0200, Erik Auerswald wrote:
>>>>> On Mon, Jun 26, 2023 at 10:03:00AM +0100, Gorry Fairhurst wrote:
>>>>> * Section 22: The second to last paragraph on page 35 states that
>>>>>   "no options (including ECHO) ever initiate UDP responses in the
>>>>>   absence of user transmission."  I think "ECHO" means "REQ", but
>>>>>   draft-ietf-tsvwg-udp-options-dplpmtud-08 allows for REQ to create
>>>>>   responses without use data, specifically when DPLPMTUD is
>>> implemented
>>>>>   inside the "Packetization Layer of UDP Options". This seems to be
>>>>>   inconsistent.
>>>> 
>>>> The description of REQ and RES in section 9.7 does not mention that the
>>>> RES option is only to be sent if some other data is to be sent anyway.
>>>> To the contrary, the description
>>>> 
>>>>   "The echo request (REQ, Kind=6) and echo response (RES, Kind=7)
>>>>    options provide a means for UDP options to be used to provide UDP
>>>>    packet-level acknowledgements."
>>>> 
>>>> seems to suggest that RES is sent as an acknowledgement when there would
>>>> be none otherwise.  Today, request-response protocols use the receipt
>>>> of the response as acknowledgement for the receipt of the request by
>>>> the receiver (e.g., DNS and RADIUS do this).  The additional capability
>>>> REQ and RES options could provide would be to elicit a response when
>>>> there would be none otherwise.  This is definitely the assumption made
>>>> for DPLPMTUD implemented in the "UDP Options Packetization Layer" (as
>>>> opposed to the application) in draft-ietf-tsvwg-udp-options-dplpmtud-09.
>>> 
>>> Good catch.
>>> 
>>> I did actually flag the issue with the Security Considerations in
>>> https://mailarchive.ietf.org/arch/msg/tsvwg/ocDWz4jWZdqVP6CTuAhsBXer2Bc/:
>>> 
>>> =======================================================================
>>> In draft-ietf-tsvwg-udp-options-22 Section 22, 3rd paragraph, we see:
>>> 
>>>    UDP options create new potential opportunities for DDOS attacks,
>>>    notably through the use of fragmentation. Except when enabled, UDP
>>>    options cause no additional work at the receiver. At most, the
>>>    required options (if enabled) result in a responding option in the
>>>    next transmitted packet, but no options (including ECHO) ever
>>>    initiate UDP responses in the absence of user transmission.
>>> 
>>> Corrected:
>>> 
>>>    UDP options create new potential opportunities for DDOS attacks,
>>>    notably through the use of fragmentation. When enabled, UDP options
>>>    may cause some additional work at the receiver; however, of the
>>>    must-support options, only REQ (when used on a DLPMTUD probe [Fa22])
>>>    will initiate a UDP response in the absence of a user transmission.
>>> 
>>> Note that [Fa22] needs to be updated to [Fa23].
>>> 
>>> This comment was made originally against -19 on 27-Jan-2023 but was not
>>> addressed.
>>> =======================================================================
>>> 
>>> However, I didn't mention the need to bring this up in Section 9.7
>>> 
>>> Perhaps a reference to the last paragraph in Section 6 of
>>> draft-ietf-tsvwg-udp-options-dplpmtud would help. See
>>> 
>>> https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-udp-options-dplpmtud#name-examples-with-different-rec
>>> 
>>> I think this applies no matter whether DLPMTUD is implemented within
>>> the UDP transport service or by an upper layer protocol or application.
>>> 
>>> Mike Heard
>> 
>> I wonder if it may be better to explain this as when "explicitly" enabled:
>> 
>> NEW:
>> 
>>    UDP options create new potential opportunities for DDOS attacks,
>>    notably through the use of fragmentation. When enabled, UDP options
>>    may cause some additional work at the receiver; however, of the
>>    must-support options, only REQ (when explicitly enabled
>> 
>>    for a DLPMTUD probe (Section 6 of [Fa22])
>>    will initiate a UDP response in the absence of a user transmission.
> 
> Yes, I think that would be better for the security considerations section.
> I would suggest to designate DPLPMTUD as an example by inserting "e.g., "
> directly after the opening parenthesis:
> 
>    (e.g., when explicitly enabled for DPLPMTUD probing (Section 6 of
>    [Fa22]))
> 
> I still think that this behavior needs to be explicitly described in
> the sections before the security considerations.
> 
> The idea that REQ does in general not result in RES, even after enabling
> UDP Option processing, unless application data were to be sent from the
> receiver of the REQ option irrespective of this REQ, or unless some
> additional mechanism (e.g., a DPLPMTUD State Machine sitting between
> the application and UDP Options) were to process the REQ and create a
> response including a RES, does not seem to be obvious from reading the
> UDP Options specification as currently written.  I'd say that it should
> be made obvious.

	[SM] In which case (no immediate response required) this thing should not be called an echo, as it neither mimics how a real echo works nor how ICMP echo requests mostly* operate. I note that the REQ and RES monikers seem fine as they do not contain "echo" once expanded, but the paragraph text in the draft might be changed if "delayed/eventual response" is expected as the default mode. And I think that:
	"but no options (including ECHO) ever initiate UDP responses in the absence of user transmission."
pretty much means delayed response is the default.


	For security considerations I want to ask whether it could be helpful to note in the draft that the REQ option is (considerably) larger (as expected e.g. for DPLPMTUD probes) than the RES response, so this mechanism can not be used with spoofed addresses to amplify an attack but rather attenuate it (at least on the byte volume level)

Regards
	Sebastian


*) modulo rate-limiting and de-prioritization, and similar operations at the remote end.


> 
> Regards,
> Erik

v2.23.0 | Report a Bug | By Email