IETF Logo Mail Archive

Re: [tsvwg] Possible UDP-Option: Cookie

tjw ietf <tjw.ietf@gmail.com> Wed, 20 March 2019 10:35 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B8E71310C7 for <tsvwg@ietfa.amsl.com>; Wed, 20 Mar 2019 03:35:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lm9zku4kUGdy for <tsvwg@ietfa.amsl.com>; Wed, 20 Mar 2019 03:35:56 -0700 (PDT)
Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E02C9130F97 for <tsvwg@ietf.org>; Wed, 20 Mar 2019 03:35:55 -0700 (PDT)
Received: by mail-pf1-x42d.google.com with SMTP id a3so1609068pff.11 for <tsvwg@ietf.org>; Wed, 20 Mar 2019 03:35:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=gI6YcQ1/yzd+KidwpLF4iqPVtb/1szlUVF9XjV8hEqM=; b=d4SntTFH6Awh3mJcI/lR6jYs3AqlS3ZDudLT6aiRKquEllOu/XheOFofgOAR5fiast riH3HjUAQMBqYmNgGW3qFKAwM42uz98YnDhfzpNimecNeZ928X4w92kJD5szTvBiEN3d e2rtWizZDhJv/q4LlYcGleRBXsFW8NJeGj25yDYkwFDGwY44hdQbziLuYsGQMPqZ7dWz 1qsipqRnQAPD5dTKdG3D1dTL8XoXi7O61auNbvrOY/KAQzMbjt8mPc1wmNt54vAvYULn MW0i6SKF+fKkki1q7uU2ESUmIw2lV8viJl0VWbMyYAOOJS7ZvmouvndPuMHUb9MAJVPZ D+xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=gI6YcQ1/yzd+KidwpLF4iqPVtb/1szlUVF9XjV8hEqM=; b=PsVr5MJLGbGQBN914mv7iy0JGt4AgnV7KPRFYrb9TFcyg0KsrHfGUHFLkZznB1Pcjf KYp0h/R8vRa6Qxvkkj8wi54Jk/6cfHklxxMi+kd2UJZy4WmzbiiA8W5+qxVK9oHOnJyp Gzlvr3UzxruQ4y+eidRqPMgjifvr9IE/asYDJvgCXDzsfwcW0VGisbl1D0bOiMAS3nnW d2NMMbc6393YdF9nH9QhAh1ljzRXYFGYxkQXfOcGaEt4uPn2HtSHej9lUwPCoF4kZfgl QfV5glVmveKTxxs23wD5uJ1AtCLZfUypWYBya7Os8LUkpFFrSK1bs7Y0KXcgFvKfltBg 2NrQ==
X-Gm-Message-State: APjAAAW4u0bMKIdo/G2lJ/0W0sVhGyIXq1o0NgJAY6nWbk5T2R3jJ/S3 ZYRj3+A8cNjlrh8pJrOv6+keiUJe
X-Google-Smtp-Source: APXvYqxrG/ZSBhH96s/5bYrQUZa2y+EsYIz25+MXY4HXFsvqtAck44Wbjp0q+L2TefNu+Q5xl5Pv6A==
X-Received: by 2002:a62:568e:: with SMTP id h14mr7628042pfj.134.1553078155331; Wed, 20 Mar 2019 03:35:55 -0700 (PDT)
Received: from ?IPv6:2600:380:8539:8393:60b5:b58a:d355:33bf? ([2600:380:8539:8393:60b5:b58a:d355:33bf]) by smtp.gmail.com with ESMTPSA id l84sm4969166pfb.113.2019.03.20.03.35.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Mar 2019 03:35:54 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-9D1989B4-1C27-43FD-844F-D8C85DEFC267"
Mime-Version: 1.0 (1.0)
From: tjw ietf <tjw.ietf@gmail.com>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <20190320100743.GA19737@bugle.employees.org>
Date: Wed, 20 Mar 2019 03:35:53 -0700
Cc: tsvwg <tsvwg@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <A00FF02E-13D7-40C2-AF01-3CEE206E8812@gmail.com>
References: <5C8FDEED.8010701@erg.abdn.ac.uk> <CALx6S36fQcRdgvCG3XS78EecFjdb36D22iBzovXcODH_W+BHbg@mail.gmail.com> <5be88c76-d65a-c491-86be-74a52fef7687@strayalpha.com> <CALx6S35h+ANRpqrEyC97JocXUrDw_+b85a8bP7QgjSchMPXF-g@mail.gmail.com> <62f9f885-5dd6-78d4-2d8a-8fab83871529@strayalpha.com> <CALx6S35bb5YpjR16OfQN+JJw3O3LG=NqkdFEnKdTEd3UoZWo5A@mail.gmail.com> <190BFA86-2DE3-4BB1-A833-E67D49B641FB@strayalpha.com> <CALx6S35vym9jfN5E6HVLU5RJj0k2p0i=dc1a+pb=ETx1WQUoxg@mail.gmail.com> <57E0E8CF-EA9A-4BC8-89D2-296D3CBBF7BA@strayalpha.com> <20190319231309.GA38527@bugle.employees.org> <20190320100743.GA19737@bugle.employees.org>
To: Derek Fawcus <dfawcus+lists-tsvwg@employees.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/hD32tWeco65X8nlZeA6WaofSDLk>
Subject: Re: [tsvwg] Possible UDP-Option: Cookie
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2019 10:35:59 -0000

https://datatracker.ietf.org/doc/rfc7873/

You know of the DNS cookies standard right?

Tim

From my high tech gadget

> On Mar 20, 2019, at 03:07, Derek Fawcus <dfawcus+lists-tsvwg@employees.org> wrote:
> 
>> On Wed, Mar 20, 2019 at 12:13:09AM +0100, Derek Fawcus wrote:
>> We have the DNS request use case, we want to be able to send a packet
>> containing options expressing that we can receive Segmented UDP data.
>> 
>> A legacy stack, or legacy server on a new stack will not see those
>> options, but will reply to the basic UDP packet - possibly generating
>> an IP fragmented response.  A new server on a new stack will be able
>> to send a UDP segmented response.
>> 
>> There could well be other examples falling in to that scenario.
> 
> The above got me wondering about current UDP reflected expansion attacks
> using a spoofed source address, of which DNS is a case that has been
> exploited.  What we're proposing with the Segmented UDP data mechanism
> could be similarly exploited in the future.
> 
> So do we need some text in the security considerations section to discuss
> this, or maybe even a new cookie option to allow for a form of soft state
> acknowledged handshake?
> 
> Assume we have an option like:
> 
>                   +--------+-------------+-----+------+---------+--
>                   | Kind=X | Len=2/4/4+n |  lifetime  |  cookie |
>                   +--------+-------------+-----+------+---------+--
> 
>                             UDP Cookie option format
> 
> Where we have 3 possible lengths, one with no payload, one for sending
> lifetime alone, one for sending lifetime and cookie.  The cookie when
> present is of variable length.  The no payload form would simply be
> used to indicate that the option is supported.
> 
> Then for users who might benefit, we could have an exchange like:
> 
> 1. A -> B : UDP data | Options: Cookie(lifetime-q1)
> 2. B -> A : UDP data | Options: Cookie(lifetime-r1,cookie-1)
> 3. A -> B : UDP data | Options: Cookie(lifetime-q2,cookie-1)
> 4. B -> A : UDP data | Options: Cookie(lifetime-r2,cookie-2)
> ....
> 5. B -> A : UDP data | Options: Cookie(lifetime-q3,cookie-2)
> 
> at 1 A sends a message, including a desire for a cookie with lifetime q1.
> at 2 B responds, including a cookie of arbitrary length and lifetime r1.
> at 3 A sends a message, where the cookie inherently validates its source address.
> at 4 B responds, including fresh cookie data, but now knowing it can now send
>       larger reponses.
> 
> i.e. this adds an optional generic 'soft state' connection acknowledge
> mechanism to UDP, which could then be used by various applications.
> 
> The above could then be combined with sending the Segmentation/FRAG options
> to perform parallel negotiation of that capability,  I'd imagine that for
> the DNS query case we could end up with something like:
> 
> 1. A -> B | Q=A, N=example.com, EDNS-sz=Y | Options: Cookie(life); MSS(); FRAG()
> 2. B -> A | Q=A, N=example.com, EDNS-sz=Y, trunc | Options: Cookie(life,value1); MSS(); FRAG()
> 3. A -> B | Q=A, N=example.com, EDNS-sz=Y | Options: Cookie(life,value1); MSS(); FRAG()
> 4. B -> A | | Options: Cookie(life,value2); MSS(); FRAG(Q=A, N=example.com, A=1.2.3.4, EDNS-sz=Z)
> ....
> n. B -> A | | Options: Cookie(life,value2); MSS(); FRAG(Q=A, N=example.com, A=1.2.3.4, EDNS-sz=Z)
> 
> For the case of a legacy server, this would probably fall back to one of
> IP fragmented UDP response packet at 2 (EDNS support, no truncated response),
> or opening a TCP connection at stage 3 (because stage 2 would have been a
> truncated response).
> 
> i.e. rather than force the client to switch to TCP, or sending an IP fragmented
> UDP response, we would be able to acknowledge that it is safe to send a large
> amount of DNS response in many segmented UDP packets, that the source of the
> query was not spoofed, and then the subsequent second query would trigger that.
> 
> I suspect there may be cases where we do not need to segment the response,
> but since it would be significantly larger than the request,  such an
> acknowledgement pattern may prove useful.
> 
> DF
>

v2.23.0 | Report a Bug | By Email