Re: [tsvwg] Possible UDP-Option: Cookie
tjw ietf <tjw.ietf@gmail.com> Wed, 20 March 2019 10:35 UTC
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B8E71310C7 for <tsvwg@ietfa.amsl.com>; Wed, 20 Mar 2019 03:35:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lm9zku4kUGdy for <tsvwg@ietfa.amsl.com>; Wed, 20 Mar 2019 03:35:56 -0700 (PDT)
Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E02C9130F97 for <tsvwg@ietf.org>; Wed, 20 Mar 2019 03:35:55 -0700 (PDT)
Received: by mail-pf1-x42d.google.com with SMTP id a3so1609068pff.11 for <tsvwg@ietf.org>; Wed, 20 Mar 2019 03:35:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=gI6YcQ1/yzd+KidwpLF4iqPVtb/1szlUVF9XjV8hEqM=; b=d4SntTFH6Awh3mJcI/lR6jYs3AqlS3ZDudLT6aiRKquEllOu/XheOFofgOAR5fiast riH3HjUAQMBqYmNgGW3qFKAwM42uz98YnDhfzpNimecNeZ928X4w92kJD5szTvBiEN3d e2rtWizZDhJv/q4LlYcGleRBXsFW8NJeGj25yDYkwFDGwY44hdQbziLuYsGQMPqZ7dWz 1qsipqRnQAPD5dTKdG3D1dTL8XoXi7O61auNbvrOY/KAQzMbjt8mPc1wmNt54vAvYULn MW0i6SKF+fKkki1q7uU2ESUmIw2lV8viJl0VWbMyYAOOJS7ZvmouvndPuMHUb9MAJVPZ D+xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=gI6YcQ1/yzd+KidwpLF4iqPVtb/1szlUVF9XjV8hEqM=; b=PsVr5MJLGbGQBN914mv7iy0JGt4AgnV7KPRFYrb9TFcyg0KsrHfGUHFLkZznB1Pcjf KYp0h/R8vRa6Qxvkkj8wi54Jk/6cfHklxxMi+kd2UJZy4WmzbiiA8W5+qxVK9oHOnJyp Gzlvr3UzxruQ4y+eidRqPMgjifvr9IE/asYDJvgCXDzsfwcW0VGisbl1D0bOiMAS3nnW d2NMMbc6393YdF9nH9QhAh1ljzRXYFGYxkQXfOcGaEt4uPn2HtSHej9lUwPCoF4kZfgl QfV5glVmveKTxxs23wD5uJ1AtCLZfUypWYBya7Os8LUkpFFrSK1bs7Y0KXcgFvKfltBg 2NrQ==
X-Gm-Message-State: APjAAAW4u0bMKIdo/G2lJ/0W0sVhGyIXq1o0NgJAY6nWbk5T2R3jJ/S3 ZYRj3+A8cNjlrh8pJrOv6+keiUJe
X-Google-Smtp-Source: APXvYqxrG/ZSBhH96s/5bYrQUZa2y+EsYIz25+MXY4HXFsvqtAck44Wbjp0q+L2TefNu+Q5xl5Pv6A==
X-Received: by 2002:a62:568e:: with SMTP id h14mr7628042pfj.134.1553078155331; Wed, 20 Mar 2019 03:35:55 -0700 (PDT)
Received: from ?IPv6:2600:380:8539:8393:60b5:b58a:d355:33bf? ([2600:380:8539:8393:60b5:b58a:d355:33bf]) by smtp.gmail.com with ESMTPSA id l84sm4969166pfb.113.2019.03.20.03.35.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Mar 2019 03:35:54 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-9D1989B4-1C27-43FD-844F-D8C85DEFC267"
Mime-Version: 1.0 (1.0)
From: tjw ietf <tjw.ietf@gmail.com>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <20190320100743.GA19737@bugle.employees.org>
Date: Wed, 20 Mar 2019 03:35:53 -0700
Cc: tsvwg <tsvwg@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <A00FF02E-13D7-40C2-AF01-3CEE206E8812@gmail.com>
References: <5C8FDEED.8010701@erg.abdn.ac.uk> <CALx6S36fQcRdgvCG3XS78EecFjdb36D22iBzovXcODH_W+BHbg@mail.gmail.com> <5be88c76-d65a-c491-86be-74a52fef7687@strayalpha.com> <CALx6S35h+ANRpqrEyC97JocXUrDw_+b85a8bP7QgjSchMPXF-g@mail.gmail.com> <62f9f885-5dd6-78d4-2d8a-8fab83871529@strayalpha.com> <CALx6S35bb5YpjR16OfQN+JJw3O3LG=NqkdFEnKdTEd3UoZWo5A@mail.gmail.com> <190BFA86-2DE3-4BB1-A833-E67D49B641FB@strayalpha.com> <CALx6S35vym9jfN5E6HVLU5RJj0k2p0i=dc1a+pb=ETx1WQUoxg@mail.gmail.com> <57E0E8CF-EA9A-4BC8-89D2-296D3CBBF7BA@strayalpha.com> <20190319231309.GA38527@bugle.employees.org> <20190320100743.GA19737@bugle.employees.org>
To: Derek Fawcus <dfawcus+lists-tsvwg@employees.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/hD32tWeco65X8nlZeA6WaofSDLk>
Subject: Re: [tsvwg] Possible UDP-Option: Cookie
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2019 10:35:59 -0000
https://datatracker.ietf.org/doc/rfc7873/ You know of the DNS cookies standard right? Tim From my high tech gadget > On Mar 20, 2019, at 03:07, Derek Fawcus <dfawcus+lists-tsvwg@employees.org> wrote: > >> On Wed, Mar 20, 2019 at 12:13:09AM +0100, Derek Fawcus wrote: >> We have the DNS request use case, we want to be able to send a packet >> containing options expressing that we can receive Segmented UDP data. >> >> A legacy stack, or legacy server on a new stack will not see those >> options, but will reply to the basic UDP packet - possibly generating >> an IP fragmented response. A new server on a new stack will be able >> to send a UDP segmented response. >> >> There could well be other examples falling in to that scenario. > > The above got me wondering about current UDP reflected expansion attacks > using a spoofed source address, of which DNS is a case that has been > exploited. What we're proposing with the Segmented UDP data mechanism > could be similarly exploited in the future. > > So do we need some text in the security considerations section to discuss > this, or maybe even a new cookie option to allow for a form of soft state > acknowledged handshake? > > Assume we have an option like: > > +--------+-------------+-----+------+---------+-- > | Kind=X | Len=2/4/4+n | lifetime | cookie | > +--------+-------------+-----+------+---------+-- > > UDP Cookie option format > > Where we have 3 possible lengths, one with no payload, one for sending > lifetime alone, one for sending lifetime and cookie. The cookie when > present is of variable length. The no payload form would simply be > used to indicate that the option is supported. > > Then for users who might benefit, we could have an exchange like: > > 1. A -> B : UDP data | Options: Cookie(lifetime-q1) > 2. B -> A : UDP data | Options: Cookie(lifetime-r1,cookie-1) > 3. A -> B : UDP data | Options: Cookie(lifetime-q2,cookie-1) > 4. B -> A : UDP data | Options: Cookie(lifetime-r2,cookie-2) > .... > 5. B -> A : UDP data | Options: Cookie(lifetime-q3,cookie-2) > > at 1 A sends a message, including a desire for a cookie with lifetime q1. > at 2 B responds, including a cookie of arbitrary length and lifetime r1. > at 3 A sends a message, where the cookie inherently validates its source address. > at 4 B responds, including fresh cookie data, but now knowing it can now send > larger reponses. > > i.e. this adds an optional generic 'soft state' connection acknowledge > mechanism to UDP, which could then be used by various applications. > > The above could then be combined with sending the Segmentation/FRAG options > to perform parallel negotiation of that capability, I'd imagine that for > the DNS query case we could end up with something like: > > 1. A -> B | Q=A, N=example.com, EDNS-sz=Y | Options: Cookie(life); MSS(); FRAG() > 2. B -> A | Q=A, N=example.com, EDNS-sz=Y, trunc | Options: Cookie(life,value1); MSS(); FRAG() > 3. A -> B | Q=A, N=example.com, EDNS-sz=Y | Options: Cookie(life,value1); MSS(); FRAG() > 4. B -> A | | Options: Cookie(life,value2); MSS(); FRAG(Q=A, N=example.com, A=1.2.3.4, EDNS-sz=Z) > .... > n. B -> A | | Options: Cookie(life,value2); MSS(); FRAG(Q=A, N=example.com, A=1.2.3.4, EDNS-sz=Z) > > For the case of a legacy server, this would probably fall back to one of > IP fragmented UDP response packet at 2 (EDNS support, no truncated response), > or opening a TCP connection at stage 3 (because stage 2 would have been a > truncated response). > > i.e. rather than force the client to switch to TCP, or sending an IP fragmented > UDP response, we would be able to acknowledge that it is safe to send a large > amount of DNS response in many segmented UDP packets, that the source of the > query was not spoofed, and then the subsequent second query would trigger that. > > I suspect there may be cases where we do not need to segment the response, > but since it would be significantly larger than the request, such an > acknowledgement pattern may prove useful. > > DF >
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Derek Fawcus
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Raffaele Zullo
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Derek Fawcus
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… C. M. Heard
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Gorry Fairhurst
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Gorry Fairhurst
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Gorry Fairhurst
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Derek Fawcus
- [tsvwg] Possible UDP-Option: Cookie Derek Fawcus
- Re: [tsvwg] Possible UDP-Option: Cookie Tom Herbert
- Re: [tsvwg] Possible UDP-Option: Cookie tjw ietf
- Re: [tsvwg] Possible UDP-Option: Cookie Derek Fawcus
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Possible UDP-Option: Cookie Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Joe Touch
- Re: [tsvwg] Alternative version of the UDP FRAG o… Tom Herbert
- Re: [tsvwg] Alternative version of the UDP FRAG o… Gorry Fairhurst