[tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-options-33.txt

Sebastian Moeller <moeller0@gmx.de> Wed, 11 September 2024 07:26 UTC

Return-Path: <moeller0@gmx.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0D26C151075; Wed, 11 Sep 2024 00:26:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.853
X-Spam-Level:
X-Spam-Status: No, score=-1.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LPjyfv8SKQ72; Wed, 11 Sep 2024 00:26:52 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 895EFC14F5EC; Wed, 11 Sep 2024 00:26:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.de; s=s31663417; t=1726039609; x=1726644409; i=moeller0@gmx.de; bh=QPfFImtgjA/hvxP+6RzW7vLD4O2G7cWi/Uk/ZRPtQps=; h=X-UI-Sender-Class:Content-Type:Mime-Version:Subject:From: In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id: References:To:cc:content-transfer-encoding:content-type:date:from: message-id:mime-version:reply-to:subject:to; b=UJ+RAGzCiq63qORHDQ5BZW3w02kV/f2QEMkdiAso1VE7zyBKBQAi0qWythoJ83y5 EfE9F4prolczSG1d51yxL1n0v8ZJeTuVsrkOnJuIdJ3IfslqqDZNjE9Mupy7VDAsY 6SMCC5LM39rWg6JZkeGt/+Mm5JtBhZjVXxvNBgROEZtho7qlW/c5oFmUmq0pX6Vbd 6Df9ja5VD+nx557Yt49ygoLgqK/abZYHm09oUx9D2725BInPGm6ouQlqFjFMqBu6b wnISo4DcvPT32bkTwO2z+PTZMGiGHWQS26h1LQxiOfYweJ7jEmWbw2N0g2LfiyEme Ral2LvQa+Cdhbk0olw==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from smtpclient.apple ([134.76.241.253]) by mail.gmx.net (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1M8QWA-1sshar20PI-00Flk3; Wed, 11 Sep 2024 09:26:49 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51\))
From: Sebastian Moeller <moeller0@gmx.de>
In-Reply-To: <D8C1B4D0-1DE1-478E-804F-20D8D4964AF9@strayalpha.com>
Date: Wed, 11 Sep 2024 09:26:38 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <1C7A0E1F-E150-4F05-BE26-6FDC54412191@gmx.de>
References: <172550306709.1770786.15730705299947048772@dt-datatracker-68b7b78cf9-q8rsp> <4BA70A7D-AB39-4EED-82DB-7BDF9C3AC064@strayalpha.com> <e1a66d25-4c33-4e78-a182-8f5a06a6a750@erg.abdn.ac.uk> <CALx6S37th5ZzKVxJxZL2S3_WH-SAUxs0x5_kTLYr+PuYMSe4eQ@mail.gmail.com> <d71d390e-ffab-4f20-9b30-567a53c44cc9@erg.abdn.ac.uk> <CALx6S35hWYUgZqdaYharL3k1BviXkXvBFEnVUNd=yVsTfzbK8g@mail.gmail.com> <da02c827-cfd2-4fb7-a047-1b71dc806142@erg.abdn.ac.uk> <B1CED44D-A3C0-4BF8-BA4F-198A96DAA854@strayalpha.com> <BB412B73-9B21-49BD-80AE-DB94E6FD01A1@gmx.de> <D8C1B4D0-1DE1-478E-804F-20D8D4964AF9@strayalpha.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
X-Mailer: Apple Mail (2.3776.700.51)
X-Provags-ID: V03:K1:Ussn98vgtXEiY0l+1wCSgTmA/QH34BSUGgNWXzDVKM9FtCfVk5t J84gnBlLpPLUjuv8ErYUIJz0efcHHEiCmWFBgo2+h0PJLkzInYjmFD0AZL2+dshPgjQt9Mk iO9q8pkwFtZa40K6b6pZrzCNJoFYntMfMrke3Rm4ILhNUspcVO/l3O/s/ZdjQZ7QP91nigc RUuB2073Yjc1briIqeXsg==
UI-OutboundReport: notjunk:1;M01:P0:ot4MzDtT/Mo=;pJGrAlm70HIaz+5ukCxonB6Sbio MovvKjRbUfM+WREljE8K5kcjhSBOjYQ3T9NhaUH5+4q8bhhdV3bBZKVPbOnzKEi1BSGQGlfxU ToeSwRlJJVHCGstuGGu5Epqi0dz1cz3S5Iz0qF8pLv1JpziaGZQPv9bte1WEOyTULLzg4ecLq 2eVG34mJrb9zdP4VUdOOmdKQIzFr2EX2Dq8juvIYi6iHIa8OdDeWhd1HodAfjSo2XhjJktUlm /Vm9kRoDGEncrBKalAD2QBomQBaE3ns8x1gCSLjhkiEwnvpADkAeGF3ucTgSI4Ln7p6WssAYA o+b686QONenrmhIbzyX/A9cOSHzgLZIGcpT8n35qZqfkJUVAbjxOCJ8zfbPVYvjiEqOFHj9V4 48pSEsmuWdA2QxfngrAfBjbDQgSKXYC5Cr4gkewIc4uqPysdjEfSQo6Je2AFA2dKMu0CQvcoI yRj5I1baLYKU5Qp/ujMveCv5ho871/J4kMyMX7985CahQbGid1sYZ8OcYZ0fcS/UEJI2nmcwd Eky9ZM5jNbWrc6yHv3/Udx2yi1pMkUHmcjEiejiWV+dUzqKQJ0ryP13jIZxn7BmWCDxUdhk3l 79T4NuFTg5ffQyrwovGISi2v4ITLKi2y7y3thmUk9iZx/bnY+yArGPSLhWWRzsuiD/YhwZjgy TR26nUNgC6D6GGa2D83RVdzktBB8rzyO0QysaRVNojGszqX6IV+aEBDMI4Ho+nBEVX8Dxg4+8 u/ixwPpDlFIROAjxUnvc8WGxaotNQHUPM9lnJMwpbE+/ylSHNB33M63nDp+33QA0HJDC26yko nrbGO8jll3P/l5ruwtKWcBcg==
Message-ID-Hash: CZ5DY5GDKQPIUIBBKBSKJ7CHTZFAXHPP
X-Message-ID-Hash: CZ5DY5GDKQPIUIBBKBSKJ7CHTZFAXHPP
X-MailFrom: moeller0@gmx.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tsvwg.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, tsvwg IETF list <tsvwg@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-options-33.txt
List-Id: Transport Area Working Group <tsvwg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/adlRyAVHkCURruOlzmpZHFa4Zzg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Owner: <mailto:tsvwg-owner@ietf.org>
List-Post: <mailto:tsvwg@ietf.org>
List-Subscribe: <mailto:tsvwg-join@ietf.org>
List-Unsubscribe: <mailto:tsvwg-leave@ietf.org>

Hi Joe,


> On 10. Sep 2024, at 17:05, touch@strayalpha.com wrote:
> 
>> On Sep 10, 2024, at 7:52 AM, Sebastian Moeller <moeller0@gmx.de> wrote:
>> 
>> Hi Joe.
>> 
>>> ...
>>> 
>>> So far, you are the only party claiming this default is a problem. AFAICT, we have three others who feel otherwise. I would like to hear from others on the list as well.
>> 
>> [SM] Since you asked...
>> 
>> Trying to assume I would build a real protocol using the UDP options framework:
>> If I desire authentication I likely will want a "proper" client on the receiver side that is able to handle that properly, as purely opportunistic AUTH does not seem to be what I want.
>> 
>> Now my options are:
>> a) require a UDP options aware stack on the other end
>> b) re-implement the required UDP option capabilities for authentication for legacy clients, and sends these as part of the UDP-payload (so these clients see the data)
>> 
>> If I chose a) than making AUTH UNSAFE seems like what I would want (I also need a handshake to make sure the remote end actually speaks my protocol) as that legacy client will not be proper for my protocol anyway.
>> 
>> If I choose b) I likely would not care, as if I have my own option handling, why should I not use that unconditionally?
>> 
>> So let me ask, what good will it do to have a legacy UDP receiver see an unauthenticated and potentially corrupted packet that was intended to be authenticated as part of an UDP options based protocol? What utility do you see in such opportunistic unidirectional authentication without error signalling, that makes it worth to allow that?
> 
> This views impact from the perspective of AUTH that fails with a good key. It can also be viewed from the perspective AUTH that could also succeed with a good key but would cause a legacy receiver to fail.
> 
> “Opportunistic” just that - opportunistic.

[SM] Yes, but the question is, what protocol do you envision where opportunistic authentication is a desired feature? 

> IMO, that means “benefits where it can, but doesn’t break when it’s not used”.

[SM] But you are not really breaking anything when making AUTH payload UNSAFE, as these are new users by definition so there is no existing legacy use-cases that could exist and need to be taken care of, no?

> AUTH that isn’t checked at the receiver doesn’t just pass failed authenticity checks; it passes ones that would have succeeded to, so it acts like it’s not there. That’s “opportunistic” to me.

[SM] Yes, but what utility does this offer to somebody employing AUTRH in a new protocol based on top of UDP options? Surely if AUTH is used UDP options are required and hence that legacy receiver is not a valid client, so dropping such a packet will hardly di any harm? Note that such a client is unlikely to actually implement any feedback that is likely part of the new protocol either...

> 
>> I understand that making AUTH UNSAFE has some mild implications on how to define what UNSAFE means, but is that really an unacceptable cost?
> 
> The issue is impact to legacy receivers who might not be aware AUTH. Any option is arguably something the sender wants the receiver to react to, but if we make all options UNSAFE, we end up basically with a new protocol hidden only in the surplus area.

[SM] Which honestly would be my preference...

> An important consideration of UDP options is to have features that legacy receivers could ignore but still do useful work.

[SM] Again explain how a new UDP-options based protocol that wants to use AUTH can actually do something reasonable with legacy clients?

> 
> In the case of AUTH, what you pass to the user as default is something as if AUTH isn’t there. That’s true for all SAFE options. It simply doesn’t perform the check. If the receiver cares - especially if it has a key, but even if it doesn’t - it can simply override the default.

[SM] That is not how I understand that protocols work... these are not pick your own choice kind of affairs, so what is the value proposition here?

> 
> Again, we’re talking about DEFAULT behavior, and design principle 6 is to try where possible to make the receiver with options have the same default behavior as one without.

[SM] Makes little sense here. If my protocol wants to use AUTH I will need to have non-legacy clients anyway... a legacy clent, by definition, can not use a UDP-options based protocol, so I wonder what utility is in having such a client application see AURH payload?

> The question is whether doing AUTH on a packet means “you’d better do this or else” - but again, everything in UDP is designed to let the receiver decide what to do, not the sender force.

[SM] Sure, but UDP already exists, UDP options is advertized as framework to build protocols on top of UDP, if "anything goes" is desired, why would I not simply stick to existing UDP?

> 
> FWIW, if we’re talking about precedent across IETF protocols, that’s a fundamental - transmitter offers, receiver decides. In stateful protocols, e.g., TCP, SCTP, etc., option capabilities are announced in the SYN but the receiver decides whether to accept them or not. The initiator has to wait for feedback to decide whether to proceed based on that information.
> 
> In this case, the transmitter can try to figure out of the receiver will honor AUTH using an app level exchange; if it doesn’t, then it can always decide to cease transmissions too.

[SM] Yes, and respectfully UPD options as framework should offer a convenient way to perforrm such a negotiation/handshake, does it?


> 
>> Regards
>> Sebastian
>> 
>> P.S.: I wonder whether "working code" could not be helpful to decide such questions…
> 
> AFAICT this would be a decision that would determine the behavior of working code, not the converse, so I don’t see how that would affect this discussion.

[SM] I disagree, working code likely would show whether a theoretical idea has real utility... 

> 
> Joe