[tsvwg] Possible UDP-Option: Cookie
Derek Fawcus <dfawcus+lists-tsvwg@employees.org> Wed, 20 March 2019 10:07 UTC
Return-Path: <dfawcus@employees.org>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25CD113109F for <tsvwg@ietfa.amsl.com>; Wed, 20 Mar 2019 03:07:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y8sJJRRkgRlU for <tsvwg@ietfa.amsl.com>; Wed, 20 Mar 2019 03:07:37 -0700 (PDT)
Received: from bugle.employees.org (accordion.employees.org [198.137.202.74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BF8B130F84 for <tsvwg@ietf.org>; Wed, 20 Mar 2019 03:07:36 -0700 (PDT)
Received: by bugle.employees.org (Postfix, from userid 1736) id D56DFFECC040; Wed, 20 Mar 2019 10:07:43 +0000 (UTC)
Date: Wed, 20 Mar 2019 11:07:43 +0100
From: Derek Fawcus <dfawcus+lists-tsvwg@employees.org>
To: tsvwg <tsvwg@ietf.org>
Message-ID: <20190320100743.GA19737@bugle.employees.org>
References: <5C8FDEED.8010701@erg.abdn.ac.uk> <CALx6S36fQcRdgvCG3XS78EecFjdb36D22iBzovXcODH_W+BHbg@mail.gmail.com> <5be88c76-d65a-c491-86be-74a52fef7687@strayalpha.com> <CALx6S35h+ANRpqrEyC97JocXUrDw_+b85a8bP7QgjSchMPXF-g@mail.gmail.com> <62f9f885-5dd6-78d4-2d8a-8fab83871529@strayalpha.com> <CALx6S35bb5YpjR16OfQN+JJw3O3LG=NqkdFEnKdTEd3UoZWo5A@mail.gmail.com> <190BFA86-2DE3-4BB1-A833-E67D49B641FB@strayalpha.com> <CALx6S35vym9jfN5E6HVLU5RJj0k2p0i=dc1a+pb=ETx1WQUoxg@mail.gmail.com> <57E0E8CF-EA9A-4BC8-89D2-296D3CBBF7BA@strayalpha.com> <20190319231309.GA38527@bugle.employees.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190319231309.GA38527@bugle.employees.org>
User-Agent: Mutt/1.11.1 (2018-12-01)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/GFeekzs9xvXtYmtcVQjrmnOHws0>
Subject: [tsvwg] Possible UDP-Option: Cookie
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2019 10:07:39 -0000
On Wed, Mar 20, 2019 at 12:13:09AM +0100, Derek Fawcus wrote: > We have the DNS request use case, we want to be able to send a packet > containing options expressing that we can receive Segmented UDP data. > > A legacy stack, or legacy server on a new stack will not see those > options, but will reply to the basic UDP packet - possibly generating > an IP fragmented response. A new server on a new stack will be able > to send a UDP segmented response. > > There could well be other examples falling in to that scenario. The above got me wondering about current UDP reflected expansion attacks using a spoofed source address, of which DNS is a case that has been exploited. What we're proposing with the Segmented UDP data mechanism could be similarly exploited in the future. So do we need some text in the security considerations section to discuss this, or maybe even a new cookie option to allow for a form of soft state acknowledged handshake? Assume we have an option like: +--------+-------------+-----+------+---------+-- | Kind=X | Len=2/4/4+n | lifetime | cookie | +--------+-------------+-----+------+---------+-- UDP Cookie option format Where we have 3 possible lengths, one with no payload, one for sending lifetime alone, one for sending lifetime and cookie. The cookie when present is of variable length. The no payload form would simply be used to indicate that the option is supported. Then for users who might benefit, we could have an exchange like: 1. A -> B : UDP data | Options: Cookie(lifetime-q1) 2. B -> A : UDP data | Options: Cookie(lifetime-r1,cookie-1) 3. A -> B : UDP data | Options: Cookie(lifetime-q2,cookie-1) 4. B -> A : UDP data | Options: Cookie(lifetime-r2,cookie-2) ... 5. B -> A : UDP data | Options: Cookie(lifetime-q3,cookie-2) at 1 A sends a message, including a desire for a cookie with lifetime q1. at 2 B responds, including a cookie of arbitrary length and lifetime r1. at 3 A sends a message, where the cookie inherently validates its source address. at 4 B responds, including fresh cookie data, but now knowing it can now send larger reponses. i.e. this adds an optional generic 'soft state' connection acknowledge mechanism to UDP, which could then be used by various applications. The above could then be combined with sending the Segmentation/FRAG options to perform parallel negotiation of that capability, I'd imagine that for the DNS query case we could end up with something like: 1. A -> B | Q=A, N=example.com, EDNS-sz=Y | Options: Cookie(life); MSS(); FRAG() 2. B -> A | Q=A, N=example.com, EDNS-sz=Y, trunc | Options: Cookie(life,value1); MSS(); FRAG() 3. A -> B | Q=A, N=example.com, EDNS-sz=Y | Options: Cookie(life,value1); MSS(); FRAG() 4. B -> A | | Options: Cookie(life,value2); MSS(); FRAG(Q=A, N=example.com, A=1.2.3.4, EDNS-sz=Z) ... n. B -> A | | Options: Cookie(life,value2); MSS(); FRAG(Q=A, N=example.com, A=1.2.3.4, EDNS-sz=Z) For the case of a legacy server, this would probably fall back to one of IP fragmented UDP response packet at 2 (EDNS support, no truncated response), or opening a TCP connection at stage 3 (because stage 2 would have been a truncated response). i.e. rather than force the client to switch to TCP, or sending an IP fragmented UDP response, we would be able to acknowledge that it is safe to send a large amount of DNS response in many segmented UDP packets, that the source of the query was not spoofed, and then the subsequent second query would trigger that. I suspect there may be cases where we do not need to segment the response, but since it would be significantly larger than the request, such an acknowledgement pattern may prove useful. DF
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Derek Fawcus
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Raffaele Zullo
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Derek Fawcus
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Gorry Fairhurst
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Gorry Fairhurst
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Gorry Fairhurst
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Derek Fawcus
- [tsvwg] Possible UDP-Option: Cookie Derek Fawcus
- Re: [tsvwg] Possible UDP-Option: Cookie Tom Herbert
- Re: [tsvwg] Possible UDP-Option: Cookie tjw ietf
- Re: [tsvwg] Possible UDP-Option: Cookie Derek Fawcus
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Possible UDP-Option: Cookie Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Gorry Fairhurst