Re: [tsvwg] I-D Action: draft-ietf-tsvwg-udp-options-21.txt

Tom Herbert <> Fri, 09 June 2023 23:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 96B18C151B11 for <>; Fri, 9 Jun 2023 16:33:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tp-I0VfNPd8J for <>; Fri, 9 Jun 2023 16:33:19 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 9ED6CC15DD6A for <>; Fri, 9 Jun 2023 16:33:19 -0700 (PDT)
Received: by with SMTP id 98e67ed59e1d1-25673e8c464so880915a91.3 for <>; Fri, 09 Jun 2023 16:33:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; t=1686353599; x=1688945599; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Y/nPeXcouThZzPKhAcbqbC4nxbymsbnFVMunNlzmjrY=; b=et+o39PaWLc9b3iaRFP9T7h73KvsGjKsB0HYa5Zo2Vv+IaAwJJjYs9Og7WPTN+TxWH gc0/XJKdo9M7sgXMTgaNWc00y/j/q+0KHmcLWotr3fmUlWW3r845uu7QpEY6t5+oQQGz n/9zLZV+F5+u4U7VrHIt6DwQwx3ACH0gUXNFnc5ke2exUaR2EUDycI6xMOJ1DWsZvx1G qArHSnXiyzgpPBsx3y/gi708mZ9cPujqFF0Q7eZ01u6gvDh2/C6UNxLg5T8am8gfdTof +ae8LrZtr6Fky0kl1go49qFcHzArhuFQslErc/NjRqIQa5U3+Y2OK/RrXVMWS4tvtenL QZAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20221208; t=1686353599; x=1688945599; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Y/nPeXcouThZzPKhAcbqbC4nxbymsbnFVMunNlzmjrY=; b=H7K1QEFzNuWb2PTfqEcInrnlE45b8PcwWDDfYk7LSaE+brNOxoTRKDHPu/i2NQWpOm fAhM+JAMz9P3hecez9Guw5p8JNABEXOYICFcP5YDfwPZBy20zyKKODyZSq/dpFLkUlK/ +AN68Akmt2lBTxN+ddIpipObD4Pv+fnZdtEzzN3eJ/dH2jGDykQs3S0l4G9ivSpEjbcF B/wW89Ramf8i6jVPKj/nxS2INQdesnBc3ISgh/hZ0/e0avbIVHcHF4s97QlFpy4EIrWi HKO9anJLUqgGUrXrKxq6yGah0J9Whttd27Vbu5WRlsN9RbDTyuQxpLxpvlzVP3H7yxj0 gwpg==
X-Gm-Message-State: AC+VfDxfQKl5X0QavJTpdsh800MCBpOC2otQQi8WsmS83jcvyV3QncFB uRsKbw1NIF7ZB4/1kGOUYWNMv1csTGX+eJGUGCtn0c7Ab/HCA2I1CAQ=
X-Google-Smtp-Source: ACHHUZ6haufsQMKcpWj43QzlPtJyxqAppn9xvVqR/+DoCVIkgW59KtluhmrMa5F0NeGenS4UDxGwqLg/lkqPJBaDgSk=
X-Received: by 2002:a17:90b:30d6:b0:24e:688:30f8 with SMTP id hi22-20020a17090b30d600b0024e068830f8mr1905700pjb.49.1686353598563; Fri, 09 Jun 2023 16:33:18 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <>
In-Reply-To: <>
From: Tom Herbert <>
Date: Fri, 09 Jun 2023 16:33:06 -0700
Message-ID: <>
To: "" <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [tsvwg] I-D Action: draft-ietf-tsvwg-udp-options-21.txt
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Jun 2023 23:33:23 -0000

On Fri, Jun 9, 2023 at 3:58 PM
<> wrote:
> Cutting to the chase…
> > On Jun 9, 2023, at 3:24 PM, Tom Herbert <> wrote:
> >> ...
> >>
> *
> >> There ARE good reasons a source might send more than N (for any N) SAFE options that a receiver might not support - and to do so repeatedly.
> >
> > Really? From the draft:
> >
> >>> Each option SHOULD NOT occur more than once in a single UDP
> >   datagram, the only exceptions being NOP, EXP, and UEXP. If an option
> >   other than these occurs more than once, a receiver MUST interpret
> >   only the first instance of that option and MUST ignore all others.
> The same option multiple times is NOT the same thing as many different options (the latter is what I refer to at the “*”)
> > So if an option is received more than once is ignored, how is that
> > possibly useful?
> It isn’t, but it isn’t necessarily an attack either.

Then what is it? An implementation bug on the sender? Either way,
these cause the receiver to consume power and burn resources without
beneficial effect. Receive one of these in a packet then it's in the
noise, receive a bunch of packets with 300 of these in each packet
then by any logic that's a Denial of Service Attack.

> > Also note that the MUST requirement here forces the
> > receiver to track the occurrence of each option and check if it has
> > been seen then that is more processing for the CPU that exacerbates
> > the DOS attack.
> We’re talking about different things:
> 1. Seeing many DIFFERENT unknown SAFE options is not an attack
>         there’s no good reason to treat it as such
>         if any socket consumes too much resources FOR ANY REASON, a host can always throttle resources to that socket
>         but that’s outside the scope of this doc
> 2. Seeing multiple copies of the same option
>         again, there are only a few cases where this should ever happen
>         but seeing one option twice or even three times is a mistake - not necessarily an attack
> Yes, the MUST here requires a check at the receiver - to ignore subsequent occurrences. NOT to treat it as an attack.
> NOP is the only one we include that way.  We can add “any time you see more than 7 NOPs or repeated other options is a problem, if the problem is persistent, then start doing something new like dropping packets”.
> But I think we’re engineering a protocol specification here, not an anti-DOS mechanism. I think we should the latter to implementers.

Every standard track protocol requires security considerations, and
DDOS is a security issue. Also note, that the protocol is CREATING the
DOS vector, so it's incumbent on the creators to provide solutions for
mitigating that.

> >>
> >> I do NOT endorse inferring DOS from behavior that is unexpected.
> >
> > Unlimited options are a known attack vector and this issue has been
> > addressed in other protocols. IMO, the mitigations described in this
> > draft are not sufficient and there's no reason to believe that UDP
> > Options is less susceptible to DOS attack than other protocols. I have
> > raised this issue several times.
> >
> > @working group chairs, please note my objection to UDP Options moving
> > forward because of insufficient considerations for Denial of Service
> > attacks
> It was raised largely in terms of NOPs before; now you’re raising it for all options.
> UDP has no strict limit on how many valid options can be used. That’s a feature, not a bug.
> Implementers can decide for themselves, for each connection, how much they want to support.
> But what we DO know is that finite limits WILL be exceeded for good reasons, then we’ll end up arguing how we can’t do anything because vendors locked in implementations with limits.
> This is a USER protocol. Let the USER decide.

Let the USER decide WHAT? The draft doesn't provide any useful
guidance that gives the user alternatives with tradeoffs. If the user
is experiencing a DOS attack because of UDP options, what does the
draft recommend they do? As I said, if you don't provide guidance, the
knee-jerk reaction is going to be to completely disable UDP Options
completely which ultimately threatens UDP Option from ever becoming
widely deployed. This is why RFC8504 style limits are useful; they are
not mandatory, the USER can decide which limits to set and what
values. The RFC recommends default values that MAY be used IF the USER
defines limits-- so the user gets to decide how to deal with DOS or
not. Note that RFC doesn't undermine RFC8200, to the contrary it is
attempting to SAVE it (at least HBH and Destination Options) by giving
an option to reasonably limit TLVs instead of dropping them

> Joe