IETF Logo Mail Archive

Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32

Christian Huitema <huitema@huitema.net> Tue, 09 April 2024 15:29 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89DE5C14F5F9; Tue, 9 Apr 2024 08:29:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oNPw-1Rwv-hr; Tue, 9 Apr 2024 08:29:44 -0700 (PDT)
Received: from semf08.mfg.siteprotect.com (semf08.mfg.siteprotect.com [64.26.60.171]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D017C14F5E3; Tue, 9 Apr 2024 08:29:44 -0700 (PDT)
Received: from smtpauth01.mfg.siteprotect.com ([64.26.60.150]) by se02.mfg.siteprotect.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1ruDPn-00EQwk-FC; Tue, 09 Apr 2024 11:29:40 -0400
Received: from [192.168.1.102] (unknown [172.56.169.185]) (Authenticated sender: huitema@huitema.net) by smtpauth01.mfg.siteprotect.com (Postfix) with ESMTPSA id 4VDVHx2S8pz162NvV; Tue, 9 Apr 2024 11:29:33 -0400 (EDT)
Message-ID: <017b6905-d56c-4821-a313-644f003f2925@huitema.net>
Date: Tue, 09 Apr 2024 08:29:32 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Tom Herbert <tom@herbertland.com>
Cc: Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com>, "Gorry (erg)" <gorry@erg.abdn.ac.uk>, tsvwg <tsvwg@ietf.org>, draft-ietf-tsvwg-udp-options.all@ietf.org
References: <CAEh=tcd2FzQxgbSivuX2cEg2FpsnkoqdFw5gMhrx3pkT_JV88Q@mail.gmail.com> <2BEB5CC3-BB54-4119-A20F-8497ED4B5AE2@erg.abdn.ac.uk> <CAEh=tccKg7YHYkwKZ978uaXmTkBu3zyA+WBAW=eBMKAh2PSVDw@mail.gmail.com> <b7f7b836-c625-445d-bd38-f5ed8f4ba757@huitema.net> <CALx6S34=5CCDY_Wj1+9Moj0NMnZr=gBjpT3NBfom6r6oouGJEw@mail.gmail.com>
Content-Language: en-US
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; keydata= xjMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1RmvN J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PsKWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAzjgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB8J+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
In-Reply-To: <CALx6S34=5CCDY_Wj1+9Moj0NMnZr=gBjpT3NBfom6r6oouGJEw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=huitema@huitema.net
X-Originating-IP: 64.26.60.150
X-SpamExperts-Domain: mfg.outbound
X-SpamExperts-Username: 64.26.60.150/31
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=64.26.60.150/31@mfg.outbound
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.06)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT+GsMBZGQ+nh+Q32LHnxiD/PUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5z5W83tr/6vNQtj+4/xevXoW95spUSdK3VnU+g2XY9jxtqG 1OdKLK9CK9haUsE78VyOvEc/lOQBjdEi9z2Y/BVY5/LD2g4mUo4Dbk4/l8IQHbyyMZOmEDgX6xV3 lQblnjq+LzRXdJ1YqdfatOCcqltxJOxOjR0ukcYY3oUWkOlDyz1/9zj2k5FXUATjIZ74enpPZDez DN9a/J+reU9kttGlX0vXC+rEaeGi2eD5Xf3Joc1Fcs0SC8nblZenCVIev6lgr8xvzLDaRSc9eiji LL8obV7BxxPBKzU39/yjS6/oyVEu5C5Qpt+ySX+arCVy82MVoKan+n/RNkihWEY9fqXQhaUHyuMr hMOgFibBDgffCjxvOFsZtiumh0uu8B3QoJGaVs2c1Tq+ByoZMREACQxLeojJCimrFgJg48+TIHuv ZTQGAMrrTbtqaiS1SstPlN2yGf9cCvIdooB6k0a0807VqmqFAo87iPgwXjSZgtJYfr2cTA3dsuWI QitrJuuk0g+3QM22Wm73+PngL70p9A+Wb9dYDDnKXVLIVIlzIQf7nQRWnlCuVd/azL8F4K4Nury8 Ksk+aedMfNWSnJswrtlNS87h4lKCwD/NGHcUTRljLVHuAq4k7PqG9M5idz7joR5wmQf9cgFUgdFJ 0BSVzvcZ4exMJTW1cRLuCgKRuG4mt3MhuFWv1ncsgMffAZBRnhSUEd3bAnnes+zbrnBytZciV1CY WRJ1Q8UJMgZYFNjZFSDSzN559B4Yeo3BSxhgpGasfvb5KPhZrKE4R3WRADwZMlhFSGOSgMb4Ksdr uPR1UXOwK6vRcBOFxeMs/w071h4usDyLvokxtMASEJgCA3vrQoKdJKNIB5sQWa7OUAEYCtdvBDTn OTjBiQxnB6xW4IcURZUp8O7sSoXMAYYKzVg5Ux0q+mKpeyk22UgO3o9UYjui6aTcmgkzSGNNCjF7 7qpy2DNwOgV373pfDhBQ21OdCgZhRFFHnhPb3RWMN/14rsvXM4+UoMvWl+F4zfbBclZe1BHI/RJa DL+5WxaVd0U9nJ2rhFQmZ4f7y75y21ZHFH7nvaSSAXIbJiVqolw0h6Bi6i9rgM2bOkddbSPARoPu a7X/CX9/5OOSfZtD8DykThFlpIn/hi+29TNbQAfExDUDI/CtZtprHrOXK6bygwRgtUnRM43wTVPb os0UB2tm+A==
X-Report-Abuse-To: spam@se02.mfg.siteprotect.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/SIrwhSd48p5wyr487FwIgwuUR3I>
Subject: Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2024 15:29:48 -0000


On 4/9/2024 8:17 AM, Tom Herbert wrote:
> On Tue, Apr 9, 2024 at 7:29 AM Christian Huitema <huitema@huitema.net> wrote:
>>
>>
>>
>> On 4/9/2024 6:09 AM, Zaheduzzaman Sarker wrote:
>>>
>>>
>>> On Tue, Apr 9, 2024 at 12:48 PM Gorry (erg) <gorry@erg.abdn.ac.uk
>>> <mailto:gorry@erg.abdn.ac.uk>> wrote:
>>>
>>>      See below for my 2c.
>>>
>>>       > On 9 Apr 2024, at 11:31, Zaheduzzaman Sarker
>>>      <zahed.sarker.ietf@gmail.com <mailto:zahed.sarker.ietf@gmail.com>>
>>>      wrote:
>>>       >
>>>       > Hi all,
>>>       >
>>>       > Putting my AD hat on, if we specify protocol features only for
>>>      endpoints to
>>>       > consume and not for endpoints to network, then we should make
>>>      sure that is
>>>       > case when we design and describe it. We cannot expect all the
>>>       > intermediaries are well behaved or features are used as intended when
>>>       > designed. From that point of view it is not good enough to send
>>>      information
>>>       > in clear and just say "UDP Options are for Transport, Not
>>>      Transit". With
>>>       > the current, well placed, scrutiny of privacy and security on all the
>>>       > protocols that IETF is producing- It would require a huge
>>>      exception to get
>>>       > it published.
>>>       >
>>>       > The questions I would like to get answer is  -
>>>       >
>>>       >      Is it OK for the endpoints to send information in UDP
>>>      options which
>>>       > can be read (only) by the transit nodes and react to it? if NO,
>>>      then how
>>>       > to prevent that to happen?
>>>       >
>>>       > //Zahed
>>>
>>>      this is a transport/encapsulation that can be used without the
>>>      benefits of encryption.To me, this was already clear when the
>>>      working group asked to start this work (it certainly was made clear
>>>      after the work was adopted), and this spec developed over many years.
>>>
>>>
>>> Right, many years have past and we should then recheck the consensus on
>>> this. From the mentioned email discussions and views expressed here I am
>>> not sure it is clear to me what consensus we have now. Could you also
>>> please provide me any reference to the consensus?
>>>
>>>
>>>
>>>      So.   I think given this, it is OK for the endpoints to send
>>>      information in UDP options which can be read (only) by the transit
>>>      nodes and they can indeed react to this. That has always been
>>>      possible with tunnels, extension headers, and transports - at least
>>>      those not using transport encryption. This comes with positive and
>>>      negative impacts.
>>>
>>>      In today’s world, a designer can choose to protect all of the
>>>      transport eg using QUIC - and many designs will follow that path.
>>>      Although, there is a large body of work in the IETF that still
>>>      directly uses UDP. That to me is OK if that best fits the use.
>>>
>>>
>>> Yes, UDP should be considered as transport protocol. It would be good to
>>> have a view on how many of those large body of work uses or envision to
>>> use UDP options in clear. This would boost the motivation for this work
>>> and back up the need of UDP options.
>>
>> Depending on the application stack, UDP is either a transport protocol
>> or a transparent pass-through. Indeed, this is pretty much the intended
>> design of UDP, as stated in RFC 768: "This protocol provides a procedure
>> for application programs to send messages to other programs with a
>> minimum of protocol mechanism."
>>
>> If the application stack is including its own transport protocol, then
>> we are in the "pass-through" case. This is absolutely the case if the
>> application stack includes QUIC, SCTP or DTLS, but there are other examples.
>>
>> In the pass-through examples, and especially when the application
>> transport uses encryption, adding clear-text options does not add value.
>> It destroys it, re-enabling surveillance despite encryption of the
>> application.
>>
>> I think there should be a very clear mechanism for application to
>> "opt-in" the usage of clear-text application, and that for applications
>> that did not opt in the reception of clear-text options should be
>> treated as a protocol error.
>>
> 
> Christian,
> 
> In current host stack implementation, when a UDP packet is received
> with surplus area we truncate the packet down to UDP Length and
> otherwise ignore the surplus area bits. Are you suggesting that the
> default behavior should be to drop packets with a UDP surplus area?

If the application did not opt-in, yes, because that's the best way to 
prevent "off standard" deployment of clear-text options.

> 
> IMO, this might be worth considering. I agree that this would tighten
> security. Also, I would point out that even truncating the surplus
> area like we do today is not without cost. If we are doing protocol
> agnostic checksum offload, the preferred method, then we need to
> compute the checksum over the surplus area when truncating and so we
> do this in the CPU. For a large surplus area this can burn a lot of
> cycles to process data that is useless to the receiver; conceivably,
> this could be a basis for a DoS attack on CPU resources.

Yes, there is also a security aspect. Adding option processing does 
increase the attack surface, and even simple options like Ping have 
caused issues like Heartbleed. Add the extra CPU requirements that you 
mention, and I can see why security conscious application would want to 
not use any clear-text addition to UDP packets.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email