IETF Logo Mail Archive

Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32

Tom Herbert <tom@herbertland.com> Tue, 09 April 2024 16:09 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4708C14F60E for <tsvwg@ietfa.amsl.com>; Tue, 9 Apr 2024 09:09:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BvJM4waJxoSX for <tsvwg@ietfa.amsl.com>; Tue, 9 Apr 2024 09:09:54 -0700 (PDT)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B72C4C14F6A1 for <tsvwg@ietf.org>; Tue, 9 Apr 2024 09:09:54 -0700 (PDT)
Received: by mail-ed1-x536.google.com with SMTP id 4fb4d7f45d1cf-56e2e09fc27so8229946a12.0 for <tsvwg@ietf.org>; Tue, 09 Apr 2024 09:09:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1712678992; x=1713283792; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2wU/Ww9//MIYt2co0+GY7T3P1eAjIfajtYyD8Z5Bxxs=; b=USDLS17OO5UVw8agvSQhxYwWqy/fw8EGfFpDH7cq3QFhCD/ntWBEYEPE3wbo5Baw4f SDiLBwSvp7Mm7bm5Cm6Q4QkGNdJWhZqYLe3yUCbywGtQxJLDriEDXeRgfs9+FOVMGgbm F6k322gG5xbyuo6Z5Wpq1llNfCfaAAS8q2XUAvYYPkkrMRrxlGPPaAwDqjrkC/6bEnu/ 4NvPSjUxth6yt4Kx6oWed3DrjdqJSpOGSJkVao8q3xyuCJzkU8KJV8yRw0Ijsf96d+K5 mTVWQLe3XNU90l8VFz8p+gXm96xwMwljJD0wtqWPUzau3sYmX2cTDZbgRpJEqaLmlbTX Blkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712678992; x=1713283792; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2wU/Ww9//MIYt2co0+GY7T3P1eAjIfajtYyD8Z5Bxxs=; b=bbHX95xL1N5zo9LQ3DAN334onNqVbfe04g5Z418aIWBicobtNf2k44i6TpXwmYkCWT LvgcCwmzJ1PMKDrL88BuXRAguQ+oVHxakdOIdgarQiYSi+Eaj5u+g5Hh63DcTTmk4ESH mbY70oFz+2BHfY225SKtauzxiRIT1/QtvNJY0hF2VZz06AF79DyCCTHVjS87ODqCFSrE COPc+ADV/ngv9lq+ojIiobN/kupdWTr9KhBFC2p5GgTwERzQDi6gniYiSRKrVhV1/e12 tMT5XmUNSrexIUeLbyCetzNFnnkaSXKJCxFe0gxc69bRyrvBMfoRTPyLuxC8mBQ5JnHo QqIg==
X-Forwarded-Encrypted: i=1; AJvYcCVMLo09s8PpqHqEJ5rE8oI+UY2bQv7p811wrt1Au0D/MHapBlkraJ/MgqUVGbUfvOWiaCEG7xKUK+a30SNtZw==
X-Gm-Message-State: AOJu0YwOa23blODPxYDTNZYpOgZKvdfDo/fxNHkX2mdL4rm3ugPxjq20 ilSHYaPrls5PvGOxlVd/WPK0y10NzbfH2w8trkqDZGkB6CSffMyLxUmURA5wUsFH7655pJoYQse xhOfgHVNSmFBcdopUVKYlt/th1QCjXKY5+HL6
X-Google-Smtp-Source: AGHT+IEDdtgGsLrHUHKQFIg+Z6zJl4SWdWIgRmovkD3pYiTtC/X10bIHC64VAFTSHuUtph2yAaV0AksljhAy1DJ0WvM=
X-Received: by 2002:a05:6402:c4a:b0:56e:6e9a:f64f with SMTP id cs10-20020a0564020c4a00b0056e6e9af64fmr3243975edb.19.1712678992282; Tue, 09 Apr 2024 09:09:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAEh=tcd2FzQxgbSivuX2cEg2FpsnkoqdFw5gMhrx3pkT_JV88Q@mail.gmail.com> <2BEB5CC3-BB54-4119-A20F-8497ED4B5AE2@erg.abdn.ac.uk> <CAEh=tccKg7YHYkwKZ978uaXmTkBu3zyA+WBAW=eBMKAh2PSVDw@mail.gmail.com> <b7f7b836-c625-445d-bd38-f5ed8f4ba757@huitema.net> <CALx6S34=5CCDY_Wj1+9Moj0NMnZr=gBjpT3NBfom6r6oouGJEw@mail.gmail.com> <017b6905-d56c-4821-a313-644f003f2925@huitema.net>
In-Reply-To: <017b6905-d56c-4821-a313-644f003f2925@huitema.net>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 09 Apr 2024 12:09:39 -0400
Message-ID: <CALx6S36YKP6XN=51E0mAzUzJumsZKkhyYJ0XzR_7en8OJ_pAAQ@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com>, "Gorry (erg)" <gorry@erg.abdn.ac.uk>, tsvwg <tsvwg@ietf.org>, draft-ietf-tsvwg-udp-options.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f32a840615ac268e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/RSdzPaw37NNFFhG54QCV8xUatdE>
Subject: Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2024 16:09:59 -0000

On Tue, Apr 9, 2024, 11:29 AM Christian Huitema <huitema@huitema.net> wrote:

>
>
> On 4/9/2024 8:17 AM, Tom Herbert wrote:
> > On Tue, Apr 9, 2024 at 7:29 AM Christian Huitema <huitema@huitema.net>
> wrote:
> >>
> >>
> >>
> >> On 4/9/2024 6:09 AM, Zaheduzzaman Sarker wrote:
> >>>
> >>>
> >>> On Tue, Apr 9, 2024 at 12:48 PM Gorry (erg) <gorry@erg.abdn.ac.uk
> >>> <mailto:gorry@erg.abdn.ac.uk>> wrote:
> >>>
> >>>      See below for my 2c.
> >>>
> >>>       > On 9 Apr 2024, at 11:31, Zaheduzzaman Sarker
> >>>      <zahed.sarker.ietf@gmail.com <mailto:zahed.sarker.ietf@gmail.com
> >>
> >>>      wrote:
> >>>       >
> >>>       > Hi all,
> >>>       >
> >>>       > Putting my AD hat on, if we specify protocol features only for
> >>>      endpoints to
> >>>       > consume and not for endpoints to network, then we should make
> >>>      sure that is
> >>>       > case when we design and describe it. We cannot expect all the
> >>>       > intermediaries are well behaved or features are used as
> intended when
> >>>       > designed. From that point of view it is not good enough to send
> >>>      information
> >>>       > in clear and just say "UDP Options are for Transport, Not
> >>>      Transit". With
> >>>       > the current, well placed, scrutiny of privacy and security on
> all the
> >>>       > protocols that IETF is producing- It would require a huge
> >>>      exception to get
> >>>       > it published.
> >>>       >
> >>>       > The questions I would like to get answer is  -
> >>>       >
> >>>       >      Is it OK for the endpoints to send information in UDP
> >>>      options which
> >>>       > can be read (only) by the transit nodes and react to it? if NO,
> >>>      then how
> >>>       > to prevent that to happen?
> >>>       >
> >>>       > //Zahed
> >>>
> >>>      this is a transport/encapsulation that can be used without the
> >>>      benefits of encryption.To me, this was already clear when the
> >>>      working group asked to start this work (it certainly was made
> clear
> >>>      after the work was adopted), and this spec developed over many
> years.
> >>>
> >>>
> >>> Right, many years have past and we should then recheck the consensus on
> >>> this. From the mentioned email discussions and views expressed here I
> am
> >>> not sure it is clear to me what consensus we have now. Could you also
> >>> please provide me any reference to the consensus?
> >>>
> >>>
> >>>
> >>>      So.   I think given this, it is OK for the endpoints to send
> >>>      information in UDP options which can be read (only) by the transit
> >>>      nodes and they can indeed react to this. That has always been
> >>>      possible with tunnels, extension headers, and transports - at
> least
> >>>      those not using transport encryption. This comes with positive and
> >>>      negative impacts.
> >>>
> >>>      In today’s world, a designer can choose to protect all of the
> >>>      transport eg using QUIC - and many designs will follow that path.
> >>>      Although, there is a large body of work in the IETF that still
> >>>      directly uses UDP. That to me is OK if that best fits the use.
> >>>
> >>>
> >>> Yes, UDP should be considered as transport protocol. It would be good
> to
> >>> have a view on how many of those large body of work uses or envision to
> >>> use UDP options in clear. This would boost the motivation for this work
> >>> and back up the need of UDP options.
> >>
> >> Depending on the application stack, UDP is either a transport protocol
> >> or a transparent pass-through. Indeed, this is pretty much the intended
> >> design of UDP, as stated in RFC 768: "This protocol provides a procedure
> >> for application programs to send messages to other programs with a
> >> minimum of protocol mechanism."
> >>
> >> If the application stack is including its own transport protocol, then
> >> we are in the "pass-through" case. This is absolutely the case if the
> >> application stack includes QUIC, SCTP or DTLS, but there are other
> examples.
> >>
> >> In the pass-through examples, and especially when the application
> >> transport uses encryption, adding clear-text options does not add value.
> >> It destroys it, re-enabling surveillance despite encryption of the
> >> application.
> >>
> >> I think there should be a very clear mechanism for application to
> >> "opt-in" the usage of clear-text application, and that for applications
> >> that did not opt in the reception of clear-text options should be
> >> treated as a protocol error.
> >>
> >
> > Christian,
> >
> > In current host stack implementation, when a UDP packet is received
> > with surplus area we truncate the packet down to UDP Length and
> > otherwise ignore the surplus area bits. Are you suggesting that the
> > default behavior should be to drop packets with a UDP surplus area?
>
> If the application did not opt-in, yes, because that's the best way to
> prevent "off standard" deployment of clear-text options.
>
> >
> > IMO, this might be worth considering. I agree that this would tighten
> > security. Also, I would point out that even truncating the surplus
> > area like we do today is not without cost. If we are doing protocol
> > agnostic checksum offload, the preferred method, then we need to
> > compute the checksum over the surplus area when truncating and so we
> > do this in the CPU. For a large surplus area this can burn a lot of
> > cycles to process data that is useless to the receiver; conceivably,
> > this could be a basis for a DoS attack on CPU resources.
>
> Yes, there is also a security aspect. Adding option processing does
> increase the attack surface, and even simple options like Ping have
> caused issues like Heartbleed. Add the extra CPU requirements that you
> mention, and I can see why security conscious application would want to
> not use any clear-text addition to UDP packets.
>

Christian,

I believe that processing of the options is already opt-in. Accepting UDP
surplus area (at least ignoring it and not dropping packet) and the
checksum processing I described are currently mandatory.

Tom



> -- Christian Huitema
>

v2.23.0 | Report a Bug | By Email