Re: [tsvwg] design assumptions - draft-ietf-udp-options

Tom Herbert <tom@herbertland.com> Wed, 17 July 2019 21:31 UTC

References: <CALx6S37wOkz0436CmevOjSe=VwAxKstSR9Jc66PUmXwUKK4vBw@mail.gmail.com> <075C3166-DF88-4160-8E6C-1C32511F4D46@strayalpha.com> <811C4C35-48D8-4382-A4B4-784FAC1B9F1D@strayalpha.com> <CE03DB3D7B45C245BCA0D2432779493630620745@MX307CL04.corp.emc.com> <80BB381B-9B2F-4ACF-9F3A-27E7B8B10AC2@strayalpha.com> <CE03DB3D7B45C245BCA0D24327794936306212A0@MX307CL04.corp.emc.com> <CACL_3VGS8-3susS-qm3oDD3=fwT6QmRa4_hgceJKhqjz3n+H5Q@mail.gmail.com> <CALx6S37GyRuVtoERrp1bDr3iCj0tZwGFH5CEsBJG3t0seii=3w@mail.gmail.com> <deae8d1cb6f4af0086a2b48f11a6886d@strayalpha.com> <CACL_3VGdJRJDLLxN6ODtqG3+9X3RkZMWMSo9GMhqWVXhjnxf3w@mail.gmail.com> <20190717212220.GA19997@clarinet.employees.org>
In-Reply-To: <20190717212220.GA19997@clarinet.employees.org>
From: Tom Herbert <tom@herbertland.com>
Date: Wed, 17 Jul 2019 14:30:47 -0700
Message-ID: <CALx6S345v5AMb4s59S0r7qCU_AzMtLMu2vscU3A2xea9UUVFPQ@mail.gmail.com>
To: Derek Fawcus <dfawcus+lists-tsvwg@employees.org>
Cc: tsvwg <tsvwg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/UNfuUCZCEbsho1EKySUHsvHCNa8>
Subject: Re: [tsvwg] design assumptions - draft-ietf-udp-options
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>

On Wed, Jul 17, 2019 at 2:22 PM Derek Fawcus
<dfawcus+lists-tsvwg@employees.org> wrote:
>
> On Wed, Jul 17, 2019 at 02:04:49PM -0700, C. M. Heard wrote:
> > On Wed, Jul 17, 2019 at 12:16 PM Joe Touch <touch@strayalpha.com> wrote:
> >
> > > And no, doing security, integrity checks, etc., on fragments is not the
> > > same as doing it over the reassembled whole.
> > >
> >
> > But that's EXACTLY how TCP works -- both TCP checksums and TCP-AO
> > cover *individual segments*.
>
> It is also a lesson which has been hard learnt in the various crypto
> protocols.  We should authenticate (and encrypt) individual packets.
>
Derek,

That's certainly true in the case of QUIC and DTLS. However, in those
cases the crypto is done in the UDP payload under application control.
I'm skeptical there's going to be much push to do this into a lower
layer. For instance, I don't believe TCP-AO has gained much traction.
Also, it's hard to tell where this starts to compete with IPsec.

Tom

> Which I suggest in this case means authenticate the UDP fragments.
>
> As to ACS, I'm not sure.  I believe to date it has been defined to be
> over the reassembled fragment.
>
> DF
>
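
An added worked example (not code from draft-ietf-udp-options, nor from any implementation mentioned in this thread) of the distinction Mike Heard and Derek Fawcus draw above between authenticating individual fragments and authenticating the reassembled whole. The fragment layout, the shared key and the truncated HMAC-SHA256 tag are assumptions made for the demonstration only, not the draft's FRAG or ACS encoding, and the attacker's fragment is constructed input. A receiver that can only verify after reassembly has to buffer every fragment unauthenticated, so an attacker who guesses the datagram id and an offset but holds no key gets the legitimate datagram discarded; a receiver that verifies each fragment rejects the forgery before it takes any reassembly state and still delivers the datagram:

```python
# Added illustration: per-fragment vs whole-datagram authentication.
# Not code from draft-ietf-udp-options; header layout, key and MAC size are
# assumptions made for this example only.
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

KEY = b"constructed-demo-key"  # constructed; a real key comes from key exchange
MAC_LEN = 16                   # truncated HMAC-SHA256 (assumption, for brevity)


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class Fragment:
    dgram_id: int
    offset: int
    more: bool        # True if further fragments follow
    payload: bytes
    tag: bytes = b""  # per-fragment MAC; empty under whole-datagram auth

    def header(self) -> bytes:
        return struct.pack("!IHB", self.dgram_id, self.offset, int(self.more))


def fragment(dgram_id: int, data: bytes, size: int, per_fragment: bool,
             key: bytes = KEY) -> list[Fragment]:
    """Split `data` into `size`-byte fragments. per_fragment=True puts a MAC
    over header||payload on every fragment; per_fragment=False appends one
    MAC over the whole datagram, checkable only after reassembly."""
    if not per_fragment:
        data = data + mac(key, data)
    frags = []
    for off in range(0, len(data), size):
        chunk = data[off:off + size]
        f = Fragment(dgram_id, off, off + size < len(data), chunk)
        if per_fragment:
            f.tag = mac(key, f.header() + chunk)
        frags.append(f)
    return frags


class Reassembler:
    """Receiver. Per-fragment auth drops a forgery before it takes any state;
    whole-datagram auth buffers it like any other fragment and only notices
    as a MAC failure on the reassembled datagram, losing the real data."""

    def __init__(self, per_fragment: bool, key: bytes = KEY):
        self.per_fragment = per_fragment
        self.key = key
        self.buf: dict[int, dict[int, Fragment]] = {}  # id -> offset -> frag

    def receive(self, f: Fragment) -> tuple[str, bytes | None]:
        if self.per_fragment and not hmac.compare_digest(
                f.tag, mac(self.key, f.header() + f.payload)):
            return "rejected", None               # no buffer state allocated
        slots = self.buf.setdefault(f.dgram_id, {})
        slots.setdefault(f.offset, f)             # first fragment per offset wins
        data = self._assemble(slots)
        if data is None:
            return "pending", None
        del self.buf[f.dgram_id]
        if self.per_fragment:
            return "delivered", data
        body, tag = data[:-MAC_LEN], data[-MAC_LEN:]
        if hmac.compare_digest(tag, mac(self.key, body)):
            return "delivered", body
        return "discarded", None                  # legitimate datagram lost too

    @staticmethod
    def _assemble(slots: dict[int, Fragment]) -> bytes | None:
        out, cur = bytearray(), 0
        for off in sorted(slots):
            if off != cur:
                return None                       # hole; keep waiting
            out += slots[off].payload
            cur += len(slots[off].payload)
            if not slots[off].more:
                return bytes(out)
        return None


def demo(per_fragment: bool) -> tuple[list[str], bytes | None]:
    """Legitimate fragments plus one forged fragment raced in at offset 16 by
    an attacker who knows the datagram id and offsets but not the key."""
    msg = b"hello, this is a datagram that will not fit in one piece"
    legit = fragment(7, msg, 16, per_fragment)
    forged = Fragment(7, 16, True, b"ATTACKER-PAYLOAD", b"\x00" * MAC_LEN)
    rx = Reassembler(per_fragment)
    log, delivered = [], None
    for f in [legit[0], forged] + legit[1:]:
        status, data = rx.receive(f)
        log.append(status)
        delivered = data if data is not None else delivered
    return log, delivered
```

Calling demo(True) and demo(False) gives the two status traces: the per-fragment receiver logs the forgery as "rejected" and delivers the message, while the whole-datagram receiver logs it as "pending" and ends with the reassembled datagram "discarded". The same asymmetry is why a per-fragment check also bounds the reassembly memory an unauthenticated sender can tie up.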