Re: [tsvwg] Remaining issues for draft-ietf-tsvwg-udp-options-22
Gorry Fairhurst <gorry@erg.abdn.ac.uk> Sun, 02 July 2023 08:12 UTC
Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 063BAC1524A3 for <tsvwg@ietfa.amsl.com>; Sun, 2 Jul 2023 01:12:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g6PH5WoDuwGf for <tsvwg@ietfa.amsl.com>; Sun, 2 Jul 2023 01:12:01 -0700 (PDT)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [IPv6:2001:630:42:150::2]) by ietfa.amsl.com (Postfix) with ESMTP id 756EDC151073 for <tsvwg@ietf.org>; Sun, 2 Jul 2023 01:12:00 -0700 (PDT)
Received: from [192.168.1.130] (fgrpf.plus.com [212.159.18.54]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id B0E1A1B0009C; Sun, 2 Jul 2023 09:11:55 +0100 (BST)
Message-ID: <8a7a4eb6-aaf2-edb6-8684-09d11f172dd0@erg.abdn.ac.uk>
Date: Sun, 02 Jul 2023 09:11:55 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.12.0
To: "C. M. Heard" <heard@pobox.com>, Erik Auerswald <auerswal@unix-ag.uni-kl.de>
Cc: TSVWG <tsvwg@ietf.org>, Joe Touch <touch@strayalpha.com>
References: <79CA7F65-335D-4A93-8BBE-9E4FAFCC6D2C@gmx.de> <FA4064D9-D37D-4590-BB77-2F2C37421BDC@strayalpha.com> <6E04EE05-2E36-4B3A-ABB4-A4E22B233B50@gmx.de> <CACL_3VFNHVLc89BO_n12gKid6p0Y2tJ+-ThB0x_wGkMCMnSESA@mail.gmail.com> <14F6EC62-311B-46B3-8B80-7263345BCB80@gmx.de> <CACL_3VH4Zw_vVudO5WiFrD7AC5JhHXiSWfhW5Wu5O7W_rBYfMA@mail.gmail.com> <026B4018-4F96-49B4-B73A-E7F33FEE8A15@gmx.de> <CACL_3VEw4koyJSX3xA3UJ1Vikg+F9PPw1G030jQPHhZdoOETSA@mail.gmail.com> <d34aa821-207d-78eb-ead2-e2d918939dcf@erg.abdn.ac.uk> <20230629162807.GA8600@unix-ag.uni-kl.de> <20230701204510.GA29872@unix-ag.uni-kl.de> <CACL_3VG_c-+zqoEhufyLvDqCV1ZkUoS9ZoknxJWwvH2RddOD=A@mail.gmail.com>
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Organization: UNIVERSITY OF ABERDEEN
In-Reply-To: <CACL_3VG_c-+zqoEhufyLvDqCV1ZkUoS9ZoknxJWwvH2RddOD=A@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/McP551bcHRAYHCBtV8K7OdicYTw>
Subject: Re: [tsvwg] Remaining issues for draft-ietf-tsvwg-udp-options-22
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Jul 2023 08:12:06 -0000
On 01/07/2023 22:39, C. M. Heard wrote: > On Sat, Jul 1, 2023 at 1:45 PM Erik Auerswald wrote: > > On Thu, Jun 29, 2023 at 06:28:07PM +0200, Erik Auerswald wrote: > > > On Mon, Jun 26, 2023 at 10:03:00AM +0100, Gorry Fairhurst wrote: > > > * Section 22: The second to last paragraph on page 35 states that > > > "no options (including ECHO) ever initiate UDP responses in the > > > absence of user transmission." I think "ECHO" means "REQ", but > > > draft-ietf-tsvwg-udp-options-dplpmtud-08 allows for REQ to create > > > responses without use data, specifically when DPLPMTUD is > implemented > > > inside the "Packetization Layer of UDP Options". This seems to be > > > inconsistent. > > > > The description of REQ and RES in section 9.7 does not mention that the > > RES option is only to be sent if some other data is to be sent anyway. > > To the contrary, the description > > > > "The echo request (REQ, Kind=6) and echo response (RES, Kind=7) > > options provide a means for UDP options to be used to provide UDP > > packet-level acknowledgements." > > > > seems to suggest that RES is sent as an acknowledgement when there would > > be none otherwise. Today, request-response protocols use the receipt > > of the response as acknowledgement for the receipt of the request by > > the receiver (e.g., DNS and RADIUS do this). The additional capability > > REQ and RES options could provide would be to elicit a response when > > there would be none otherwise. This is definitely the assumption made > > for DPLPMTUD implemented in the "UDP Options Packetization Layer" (as > > opposed to the application) in draft-ietf-tsvwg-udp-options-dplpmtud-09. > > Good catch. > > I did actually flag the issue with the Security Considerations in > https://mailarchive.ietf.org/arch/msg/tsvwg/ocDWz4jWZdqVP6CTuAhsBXer2Bc/: > > ======================================================================= > In draft-ietf-tsvwg-udp-options-22 Section 22, 3rd paragraph, we see: > > UDP options create new potential opportunities for DDOS attacks, > notably through the use of fragmentation. Except when enabled, UDP > options cause no additional work at the receiver. At most, the > required options (if enabled) result in a responding option in the > next transmitted packet, but no options (including ECHO) ever > initiate UDP responses in the absence of user transmission. > > Corrected: > > UDP options create new potential opportunities for DDOS attacks, > notably through the use of fragmentation. When enabled, UDP options > may cause some additional work at the receiver; however, of the > must-support options, only REQ (when used on a DLPMTUD probe [Fa22]) > will initiate a UDP response in the absence of a user transmission. > > Note that [Fa22] needs to be updated to [Fa23]. > > This comment was made originally against -19 on 27-Jan-2023 but was not > addressed. > ======================================================================= > > However, I didn't mention the need to bring this up in Section 9.7 > > Perhaps a reference to the last paragraph in Section 6 of > draft-ietf-tsvwg-udp-options-dplpmtud would help. See > > https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-udp-options-dplpmtud#name-examples-with-different-rec > > I think this applies no matter whether DLPMTUD is implemented within > the UDP transport service or by an upper layer protocol or application. > > Mike Heard I wonder if it may be better to explain this as when "explicitly" enabled: NEW: UDP options create new potential opportunities for DDOS attacks, notably through the use of fragmentation. When enabled, UDP options may cause some additional work at the receiver; however, of the must-support options, only REQ (when explicitly enabled for a DLPMTUD probe (Section 6 of [Fa22]) will initiate a UDP response in the absence of a user transmission. --- Gorry
- [tsvwg] Comments on draft-ietf-tsvwg-udp-options-… C. M. Heard
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… C. M. Heard
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Comments on draft-ietf-tsvwg-udp-options-… C. M. Heard
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… C. M. Heard
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Tom Herbert
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Tom Herbert
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… C. M. Heard
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Tom Herbert
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Gorry Fairhurst
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Tom Herbert
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Gorry Fairhurst
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… C. M. Heard
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… C. M. Heard
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… C. M. Heard
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- Re: [tsvwg] Comments on draft-ietf-tsvwg-udp-opti… C. M. Heard
- [tsvwg] Remaining issues for draft-ietf-tsvwg-udp… Gorry Fairhurst
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Sebastian Moeller
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Gorry Fairhurst
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… C. M. Heard
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Tom Herbert
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Gorry Fairhurst
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… C. M. Heard
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Tom Herbert
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… C. M. Heard
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Tom Herbert
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Gorry Fairhurst
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Tom Herbert
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Gorry Fairhurst
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Tom Herbert
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Gorry Fairhurst
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Erik Auerswald
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Tom Herbert
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Gorry Fairhurst
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… C. M. Heard
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Erik Auerswald
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Erik Auerswald
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… C. M. Heard
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Gorry Fairhurst
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Erik Auerswald
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Sebastian Moeller
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Christian Huitema
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Gorry Fairhurst
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… C. M. Heard
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Erik Auerswald
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Erik Auerswald
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Tom Herbert
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… C. M. Heard
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… Tom Herbert
- Re: [tsvwg] Remaining issues for draft-ietf-tsvwg… C. M. Heard