IETF Logo Mail Archive

Re: [tsvwg] Intdir early review of draft-ietf-tsvwg-udp-options-19

Tom Herbert <tom@herbertland.com> Tue, 14 February 2023 17:50 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B567FC1CAB45 for <tsvwg@ietfa.amsl.com>; Tue, 14 Feb 2023 09:50:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fnsZ3KdJRQko for <tsvwg@ietfa.amsl.com>; Tue, 14 Feb 2023 09:50:18 -0800 (PST)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97772C1CAB22 for <tsvwg@ietf.org>; Tue, 14 Feb 2023 09:50:18 -0800 (PST)
Received: by mail-pg1-x535.google.com with SMTP id 7so10764749pga.1 for <tsvwg@ietf.org>; Tue, 14 Feb 2023 09:50:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=INSjg4njFj3gaaOZT34Dx8qFBZreiJjLB38h/cHXCWo=; b=hGR0yUus0iTHib8sv/rQ4WcEicJkxeOZo1KzXXjJFa+6vhGDx+TSTuVMJCrquutSaz Ox8GiONIkQXEAbXawU47tki3eC/G4omzFcjpRuW2LOdZNNROYdVgNPk3G6KWnmnrQiAk j/E2D/akmTpzY5DXiSHSBHExPyjLPWnKkfscbed0FjNgrdwiP39BiVA3EQuGLQ44uLtV /LY50TD+TVClUM28PHmwy9B8oX1PGVNe83h/w4evv5P697JmbxSsHDCQUwjr6BKboVGa LVYqoM9PU+8GyAzbEQEhckZq79/L2Z4AphHhqEucA8DCQGeGi9R0ph4Sjyv0HZgT88ss WgWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=INSjg4njFj3gaaOZT34Dx8qFBZreiJjLB38h/cHXCWo=; b=AtQ3byeQFgwZgAqf+fjzdgQ2rG1F/OmcA0G5ygLbvNLIRGaoAoHDvtVS+DS+sXx055 VoibKXKTspjOMC7rrlZfEVR7VL4P7Oo03x+cRjvcWUMqJ9hHF++P+pJtnVoPUlMslj5x czmaKv5hWSP3GbyL0r/eNXxBjTc/YVhqfXTdv4L1kH0YlwXzHvuYN5DOQPl/EFn6guu9 p5xKV6ka46FPiwryCkMZExtTopYbOItRDdPBu5zZxSm3QwSd9hsKZMt0slG0ACDcWhc1 huNsGOdKcynKd29EBN+UFy9gjsahZhQBeI8F0iCZuXXyMJ3iPrZV9xZuOVIUTAicrf3V e0rg==
X-Gm-Message-State: AO0yUKVgGCoLcgSkfkBlndELsTntxAMU3z/ibWTVjH5J6dfC77p5DaCH SxJxS0XwSFHqicgV4RiaewZL7Mye6fabuti+SwnG7JEaIUuBDVi5
X-Google-Smtp-Source: AK7set+Mofut4ei06p4g753pmc7TJ4rJog1kd3PiXCx/+az2S9/qkluVhr4oWDF4wKGsAFDmcayGZvAndZ3TgPW4wtE=
X-Received: by 2002:a63:3383:0:b0:4fb:9bb1:46fa with SMTP id z125-20020a633383000000b004fb9bb146famr35059pgz.0.1676397017698; Tue, 14 Feb 2023 09:50:17 -0800 (PST)
MIME-Version: 1.0
References: <167599146728.42049.10916891372133731811@ietfa.amsl.com> <CBCA1F49-73BC-4242-B162-2B743F23FAAF@strayalpha.com> <0E3756C7-E473-4B3A-9D6D-C43DA3C89C91@cisco.com> <CACL_3VHcMe87XnETGAzwpdPZK_HnY4KLKyHyyj-EXBo=WWNcMA@mail.gmail.com> <B743425D-38C0-49B8-B391-7AC6E51D9B1A@cisco.com> <CACL_3VFDHhmJL2_WXV60d-tyyfE8tkW8P6rwtcBOox4mxsHRzQ@mail.gmail.com> <CALx6S35T+H5ETDJVEawbOSs7EeBO7wbvmRSvH0+TfZiTXhK5cQ@mail.gmail.com> <CACL_3VFrtuDS4FW1xWzzdB4LGibrUWSvTgWi1ashh=D1hvFaNQ@mail.gmail.com> <CALx6S34qG0uv4tj1gzZxL7LZUeX6V1vEwYJ9A9Ybtszh074ovA@mail.gmail.com> <BB7783E3-273A-4D83-B4BF-BCE3DA00E609@strayalpha.com> <CALx6S36QovfwXjFmspVP4CgEOwmJzBLGX59c=zsvSGap8sX1gQ@mail.gmail.com> <CACL_3VFDQUjp5ez70RpyptZSOYvso2-QZsRvLhRNyU9p0iMayw@mail.gmail.com> <CALx6S34y6XttaEz_Uod4bSK50F-KArrv-V=HjKAb8v-9oWoM5Q@mail.gmail.com> <CACL_3VGKuk2HU1Hy4bZymUgPJqvhtzS_xSvZ987m58=fZAAXDw@mail.gmail.com> <CALx6S34dEdPgUvTQZda0qb-H3dERzo-3rjsnZ1MyscbJwJwvoQ@mail.gmail.com> <CACL_3VEhA-Jc_GH2isrJjYsheEp0phHdh71ZgRnvBW5tCKYR5A@mail.gmail.com>
In-Reply-To: <CACL_3VEhA-Jc_GH2isrJjYsheEp0phHdh71ZgRnvBW5tCKYR5A@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 14 Feb 2023 09:50:05 -0800
Message-ID: <CALx6S3551sms4q_yKh8QYqeedB3uoK9ZRMNrDtVLoMxe-ENX5g@mail.gmail.com>
To: "C. M. Heard" <heard@pobox.com>
Cc: Joe Touch <touch@strayalpha.com>, "Carlos Pignataro (cpignata)" <cpignata@cisco.com>, "int-dir@ietf.org" <int-dir@ietf.org>, "draft-ietf-tsvwg-udp-options.all@ietf.org" <draft-ietf-tsvwg-udp-options.all@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/dy1WBQ4GJx5sUkNbpB3EH6y4Vc0>
Subject: Re: [tsvwg] Intdir early review of draft-ietf-tsvwg-udp-options-19
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2023 17:50:23 -0000

On Mon, Feb 13, 2023 at 3:08 PM C. M. Heard <heard@pobox.com> wrote:
>
> On Mon, Feb 13, 2023 at 11:07 AM Tom Herbert wrote:
> > On Mon, Feb 13, 2023 at 10:28 AM C. M. Heard wrote:
> > > Those servers can (and probably should) be configured to reject UDP
> > > options with OCS=0, if they are not already configured to reject UDP
> > > packets with CS=0.
> >
> > I agree, but that suggests that there are conditions when it's
> > acceptable to not use OCS=0. What guidance is given for that? Just
> > saying the user needs to figure this out themselves seems like a
> > disservice; this is not the same risk as enabling a CS=0 for UDP. How
> > can a user determine what is safe and what is not in their network?
> > Note that it took two RFCs to describe the necessary conditions in
> > detail to enable CS=0 for UDPv6. Do we need an equivalent discussion
> > on when it's safe not to have the checksum in surplus space?
>
> Section 7 of the draft currently says:
>
>    Like the UDP checksum, the OCS is optional under certain
>    circumstances and contains zero when not used. UDP checksums can be
>    zero for IPv4 [RFC791] and for IPv6 [RFC8200] when UDP payload
>    already covered by another checksum, as might occur for tunnels
>    [RFC6935]. The same exceptions apply to the OCS when used to detect
>    bit errors; an additional exception occurs for its use in the UDP
>    datagram prior to fragmentation or after reassembly (see Section
>    9.4).
>
> If this guidance is too slender, how should it be improved?

Mike,

The casual reference to RFC6935 is a good example of why this text is
insufficient. RFC6935 and RFC6936 were created to allow UDPv6 packets
to have a zero checksum. The UDP checksum was required in IPv6
(RFC2460) because, unlike IPv4, the IPv6 header doesn't contain a
header checksum; the UDP checksum includes the pseudo header that
covers the IPv6 address. So the UDPv6 checksum is needed as an
integrity check of the IPv6 addresses, and the primary risk of using
CS=0 with UPDv6 is the potential for misdelivery when addresses are
corrupted. That is the primary consideration of RFC6935 and RFC6936.
Note that it is a misnomer that those RFCs allow a zero UDPv6 checksum
for all packets, in fact it is a narrowly defined exception applicable
to tunnel protocols under specific circumstances. Also note, in
RFC8086 (GRE over UDP), it still took three pages of requirements to
show how the specific protocol meets the requirements of RFC6935 and
RFC6936. IMO an offhand statement that the exceptions of RFC6935 and
RFC6936 are applicable for a new protocol is trite.

While the risk RFC6935 and RFC6936 is packet misdelivery, the risk of
UDP options is misinterpretation of protocol in a packet. UDP options
present an entirely different problem and the means to address it will
be different. The UDP checksum is completely independent and has no
correlation to the bits of the surplus space, the UDP checksum does
not cover the surplus space and neither is there any coverage if "UDP
payload is already covered by another checksum". So the "The same
exceptions apply to the OCS" are not valid since the exceptions refer
to the UDP checksum which has different properties and different
risks. Without a proper code point, the protocol of the surplus space
needs to be determined solely based on the contents of the space, not
the UDP checksum nor anything else in the packet, and any means of
this determination is probabilistically correct. The probability of
misinterpretation with a checksum is 1/65,536 which is presumably
sufficient. If the idea is to forgo the checksum, then one would
expect a quantitative analysis of both the probability of
misinterpretation and the risks of misinterpretation.

That being said, I see no zero value in making the checksum optional.
Aside from its critical role in validating the surplus is indeed UDP
options, UDPv6 packets are required to have a non-zero checksum so the
OCS is required for all of IPv6 (again RFC6935 and RFC6936 are narrow
exceptions). Furthermore, TCP, the original transport layer protocol
with options, and IPv4 have had a checksums since the beginning and we
don't see people complaining about the performance of those.

Tom

>
> Mike Heard

v2.23.0 | Report a Bug | By Email