Re: [tsvwg] I-D Action: draft-ietf-tsvwg-udp-options-21.txt

"" <> Fri, 09 June 2023 17:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 868BCC14CE4B for <>; Fri, 9 Jun 2023 10:56:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.315
X-Spam-Status: No, score=-6.315 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IhNqAEm1WyuB for <>; Fri, 9 Jun 2023 10:56:43 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 79178C151060 for <>; Fri, 9 Jun 2023 10:56:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=ttXNtqVS/mfltIjIVbuADGfc58+sSbOjtRXVG5PM0Qs=; b=1s8P8kZd8u6r+0sSLlgdSgYG9/ rB6MNx4MZjjjIKvgfI/itoKZiUAaUBKDdWUy6bX1ZtbvWb3G6ZKntyJC7Vbu8ZjuJU6Z/Mbq++XXM A50l4kfs7ClFWpgNGtWotq5QSKKVL/6zhYaA7ky+SIFNQQnAIDYZ4Pjb4moqaYK1EsbUyRNjzWal+ aDjpvow2tEtH4iqLkJYaJNo533wS+RvuFMIKobPx+8h/KCL5ki7d0sxhtGLzUwyvVNkCT7XlWBdeT JUKcNtObpH4C5MCJamw9TIw7T4h/PCCWU+VUr3ZZ3qMi8K9w+DxDRNCx92z/tJQS/XOM8BB5BF2jh T3t5fD8A==;
Received: from [] (port=14605 by with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <>) id 1q7gLj-00EHjK-Er; Fri, 09 Jun 2023 13:56:40 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_390570DE-2603-4D94-A488-CEB186244FDD"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: "" <>
In-Reply-To: <>
Date: Fri, 09 Jun 2023 10:56:23 -0700
Message-Id: <>
References: <> <>
To: Tom Herbert <>
X-Mailer: Apple Mail (2.3731.600.7)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [tsvwg] I-D Action: draft-ietf-tsvwg-udp-options-21.txt
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Jun 2023 17:56:47 -0000

See below...
Dr. Joe Touch, temporal epistemologist

> On Jun 9, 2023, at 8:24 AM, Tom Herbert <> wrote:
>> From the draft:
>>> Receivers persistently experiencing packets with more than seven
> consecutive NOPs SHOULD log such events, at least occasionally, as a
> potential DOS indicator.
> Logging that a DOS attack might be happening is fine, but if the user
> is experiencing a DOS attack what is the recommended mitigation? I
> suggest text similar to RFC8504 would be applicable:
> "A host MAY limit the number of consecutive PAD1 options in
> destination options or hop-by-hop options to 7.  In this case, if
> there are more than 7 consecutive PAD1 options present, the packet MAY
> be silently discarded."
> where for UDP options the correct behavior is probably to stop options
> processing and ignore whatever is past the offset where the limit is
> exceeded.

Agreed, but this needs to be in the context of responding to an attack. We need to make it clear that sending 8 NOPs once doesn’t make the packet silently drop - because sending more than 7 is a SHOULD NOT, not a MUST NOT.

I’ll add text to that shortly.

> There are some other potential DOS issues.
>>> Receivers supporting UDP options MUST silently ignore unknown
>   SAFE options (i.e., in the same way a legacy receiver would). That
>   includes options whose length does not indicate the specified
>   value(s), as long as the length is not inherently invalid (i.e.,
>   smaller than 2 for the default and 4 for the extended formats).
> I'm not sure what this means. A legacy receiver ignores all options,
> but in this case it seems like the intent is probably to skip over
> unknown SAFE options.

SAFE are safe to skip over, UNSAFE are not. I will clarify that in the text.

> If that's the case, then this creates a
> potential DOS attack similar to the one for NOPs where an attacker
> could fill a packet with a bunch of SAFE options that it knows are
> going to be unknown to the user. Again, RFC8504 provide guidance that
> might be applicable for this:

I disagree; we can ignore unknown SAFE options forever, and should. 

> A host MAY impose" a limit on the maximum number of non-padding
>   options allowed in the destination options and hop-by-hop extension
>   headers.  If this feature is supported, the maximum number SHOULD be
>   configurable, and the default value SHOULD be set to 8.  The limits
>   for destination options and hop-by-hop options may be separately
>   configurable.  If a packet is received and the number of destination
>   or hop-by-hop options exceeds the limit, then the packet SHOULD be
>   silently discarded."

Again, I disagree. We might say that “a large number of unknown SAFE options MAY be treated similarly to a large number of NOPs, i.e., to be logged and MAY be silently discarded if a DOS attack is inferred from additional information, e.g., the frequency or number of such options, but they MUST NOT be discarded as a matter of course without such additional context.

>>> Receivers supporting UDP options MUST silently drop all UDP
>   options in a datagram containing an UNSAFE option when any UNSAFE
>   option it contains is unknown. See Section 10 for further discussion
>   of UNSAFE options.
> If there are multiple UNSAFE options in a packet, how does this work?
> Does this require that the receiver scans the packet searching for any
> unknown UNSAFE option before starting to process options?

It doesn’t have to scan in advance, it just has to drop the packet when it encounters an unknown UNSAFE option.

“Hardened” systems might want to do such a scan, but again this is NOT an indication of an attack without additional information.


> Tom
> On Thu, Jun 8, 2023 at 9:04 PM <> wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This Internet-Draft is a work item of the Transport Area Working
>> Group (TSVWG) WG of the IETF.
>>   Title           : Transport Options for UDP
>>   Author          : Joe Touch
>>   Filename        : draft-ietf-tsvwg-udp-options-21.txt
>>   Pages           : 44
>>   Date            : 2023-06-08
>> Abstract:
>>   Transport protocols are extended through the use of transport header
>>   options. This document extends UDP by indicating the location,
>>   syntax, and semantics for UDP transport layer options.
>> The IETF datatracker status page for this Internet-Draft is:
>> There is also an htmlized version available at:
>> A diff from the previous version is available at:
>> Internet-Drafts are also available by rsync at