IETF Logo Mail Archive

Re: [tsvwg] Checksums in UDP options

Tom Herbert <tom@herbertland.com> Thu, 06 September 2018 19:10 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C43112F18C for <tsvwg@ietfa.amsl.com>; Thu, 6 Sep 2018 12:10:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PVUWQlAposf1 for <tsvwg@ietfa.amsl.com>; Thu, 6 Sep 2018 12:10:40 -0700 (PDT)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB3B9129385 for <tsvwg@ietf.org>; Thu, 6 Sep 2018 12:10:39 -0700 (PDT)
Received: by mail-qt0-x232.google.com with SMTP id d4-v6so13544422qtn.13 for <tsvwg@ietf.org>; Thu, 06 Sep 2018 12:10:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Xv6VX44HhK+7behHp6bgCDXipiVowWI+4SQ7nHtBqjQ=; b=YBibC5QPMAGz+DZrbxvVYQbES+2lgVdCcCvwqCrmmCMy0X03B9ptbd4B/sI5erBce2 SQKa8EfIwGR3IMSkLNAcs+2r/rxBtROgAfTAJDlM14RbJMswUO6VY4gakwRijSuRPSbC nawSfowPAHVrFCttn8ZYiNPQC3U+OEBAc/ZB+obSqkx05EowNdib9o895JRv47uyB1da O2YubT+eKnwZpD064XheQ33p/0Z8iu1bpKtsk8k3+Bf4LVX5qByMh0vU40B+I+nsXgxn /Z7TFsQBTvbxPyjb6c3ofJiC12kWg42McmlgTJMfUX88APzYa/e2e8Du7aHDhHdQmx/J iDOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Xv6VX44HhK+7behHp6bgCDXipiVowWI+4SQ7nHtBqjQ=; b=EANmIWhoInvzeO+2kDQxCcSRISALOPvpqFPh9fQ3lE7gnM+U7aHg4SeL4cc8QHy4Ox s3EMBCBu73qM7IxCD5Gqnc0jsk3+yqZBsYBNOIyoZKsaovJaefa4kZafNf8Ox+wowYxU M8fA9Upj4tXxgxewlnsq5BIW7Jxi7OOlvWZ9LPyD1cr/bC2VLsVb+5vMjB05qrvVWoKQ 7SO1Fjt4nIWDqZeS6+lJXS7rnHgJj4zN6dWgjrEoTo1Oa1Rs6tFb+uiDXy13Zk8EdlsN JTBR4QiOexvQTooDVJ2pYvAfNy7azCn+2l8YFSEDyW8f2vol6y2oOSXqMynBzw/g/6d7 +dzQ==
X-Gm-Message-State: APzg51CE9KRZbfy1if+Odjng0Gb3EcPC2XnDZZD9wHgTonmA9OcyJ7DO vn7C/uVZs3Aa/Y7IB3KbjlXfLc6jRkN+kcE6YFZhew==
X-Google-Smtp-Source: ANB0VdbVhPHjP3lGEj2uE0BOM/SF3XvgQuUiCFTpyAjHN7FFbS/cxyjxjkALc2L4vmnUNSY/pT0NB2p+sR0zAtFjyhE=
X-Received: by 2002:ac8:2862:: with SMTP id 31-v6mr3442166qtr.18.1536261038748; Thu, 06 Sep 2018 12:10:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac8:2a94:0:0:0:0:0 with HTTP; Thu, 6 Sep 2018 12:10:37 -0700 (PDT)
In-Reply-To: <CACL_3VEgTQW5JpUX61ffBMxf+tdwrtmHPwiTuer67tFE8=UF7A@mail.gmail.com>
References: <CACL_3VEh6rKDzS7rQoxsj8K+Uj9QL6CAR+mGSkB3u-xUet62pQ@mail.gmail.com> <CACL_3VGACAxiJk=6G0Nr2LMkFTMkPT-zbZo3J1+3fx4-Eqv+3Q@mail.gmail.com> <CALx6S34rzW+pnFOpe2MjcPiDGdvpz+zTHbnC8OfY3yTBU+qurw@mail.gmail.com> <CACL_3VFiJ1vCpr2SruU0dsyFbDczZteQQMG6O-tnPn3pb5ZXCA@mail.gmail.com> <CALx6S367eq-gee2a97UNdEgWQFZwjcr4gx5d01zECOm4jScPMw@mail.gmail.com> <CACL_3VHBt7gh29ZSjfFgZ9WjZx3E6wu_RbcGOg3VepYkEWD+wQ@mail.gmail.com> <CALx6S375LYkmMkS-AbbZbykQc7KJB3NVeZ9aD2=0xR4PQUQPww@mail.gmail.com> <CACL_3VEgTQW5JpUX61ffBMxf+tdwrtmHPwiTuer67tFE8=UF7A@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 06 Sep 2018 12:10:37 -0700
Message-ID: <CALx6S36KhEbWdqxzK+8Sp9M-4sF0pDf0TSMfoiGnJueZ9piLOg@mail.gmail.com>
To: "C. M. Heard" <heard@pobox.com>
Cc: Joe Touch <touch@strayalpha.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tsvwg <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/OGWZd0pYQQ_iCa6qyGoZanCcr5M>
Subject: Re: [tsvwg] Checksums in UDP options
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2018 19:10:42 -0000

On Thu, Sep 6, 2018 at 12:00 PM, C. M. Heard <heard@pobox.com> wrote:
> On Thu, Sep 6, 2018 at 11:30 AM Tom Herbert wrote:
>> On Thu, Sep 6, 2018 at 11:03 AM, C. M. Heard wrote:
>>> On Thu, Sep 6, 2018 at 10:45 AM Tom Herbert wrote:
>>>> On Thu, Sep 6, 2018 at 10:23 AM, C. M. Heard wrote:
>>>>> That is certainly correct, and for that reason I would agree that AE
>>>>> and any other option that requires reversal of a transform on the
>>>>> data must be used in conjunction with LITE, in order to prevent
>>>>> misinterpretation of payload data in case of an OCS failures.
>>>>>
>>>>> I don't want to see this required for all UDP options, though. That
>>>>> would exclude some desirable use cases. Consider the case of
>>>>> DNSSEC, which is known to have issues with IPv6 fragmentation.
>>>>> A client can safely include a FRAG option with offset zero,
>>>>> length 12, and checksum zero in a UDP datagram sent to any server.
>>>>> That FRAG option is a no-op that indicates that it is safe for the
>>>>> server to return a reply using UDP fragmentation.
>>>>
>>>> Where's the security in that? If an attacker spoof my address and
>>>> sends a FRAG option to a DNS server, then AFAICT the DNS server will
>>>> think that the host with my address supports FRAG.So next time I do a
>>>> DNS look up, the the server may respond with UDP fragments. If my host
>>>> doesn't support UDP options, then the application gets DNS response
>>>> that are gibberish. This is a perfect Denial of Service Attack.
>>>
>>> Your legacy host won't see gibberish if FRAG is combined with LITE as
>>> we've been discussing. Rather, it will see a UDP length of zero in each of
>>> the fragments, and its UDP layer will deliver no data to its application layer.
>>> That's actually more innocuous that the threat that already exists today.
>>>
>> It's still a problem. The server may infer that receiving the FRAG
>> option means that the sending host supports options. So then when the
>> server starts sending options with LITE, the packets are now dropped
>> at the client. The effect of DOS attack is still the same. The client
>> isn't seeing responses from the server, the server thinks everything
>> is okay since there's no error reports coming back to it,
>>
>> You might get away with this negotiation method in a request/response
>> protocol like DNS if the server only responds using UDP options if it
>> the client indicated support in the request.
>
> Indeed, in the DNS case, the negotiation I describe is safe only if
> the server does not retain memory of the client's ability to use FRAG
> across transactions. The negotiation has to apply to exactly one
> request -- which is what I was implicitly assuming. But subject to
> that proviso, I fail to see any security vulnerabilities (either from a
> spoofing attack or a MITM attack) that do not already exist today.
>
> I grant that this is a special case, but I believe that it is a potentially
> important special case (though the DNSOP folks may not agree --
> see draft-song-atr-large-resp for an alternative approach).
>
I'm not sure I would call DNS a special case. Isn't that one of the
biggest users of UDP on the Internet?

> Again, though, you bring up a good point: negotiating the use of
> options that transform the data can introduce security vulnerabilities
> unless there is some means to authenticate the remote peer.
>
Look at it this way, we've spent about forty years trying to get TCP
handshake to be secure and efficient and it's still not perfect. These
are not easy problems to solve! :-)

>> But note, only the
>> server side can use mandatory options like FRAG, not the client in
>> this case.
>
> I think what you meant to say here was not "mandatory options"
> but rather something like "options that transform the data" -- is
> that correct?
>
"Mandatory" in the sense that they must be processed, not that they
must be in the packet. I consider options with strong CRCs set by the
sender to be in that class, since the effects of ignoring a CRC really
isn't innocuous.

Tom


> Mike Heard

v2.23.0 | Report a Bug | By Email