[tsvwg] Request for consensus call for Auth in UDP options

Tom Herbert <tom@herbertland.com> Sat, 07 September 2024 01:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/hsv83lTcNoGeWeTnlv0APO2JZFI>

TSVWG chairs,

I have raised an objection to the UDP Options draft that the
Authentication may be ignored by a receiver. I believe this is a
serious security vulnerability in the protocol.

If a sender uses the option, that must mean that a key negotiation must
have happened, so when the sender places the option in a packet they
naturally have the full expectation that the receiver will validate
the authentication credentials. If the receiver elects to ignore the
authentication then they will not only allow legitimate senders but an
attacker will be able to access the system as well, so basically
there is no security and the user is at risk for harm. Ignoring an
authentication option is not safe.

The counterargument seems to be that it should be up to the receiver
to decide if the authentication option must be validated. That stands
in contrast to other authentication protocols like IPv6 AH that
explicitly require the authentication option to be validated if it is
present (if they can't validate, then the packet MUST be dropped). If
the idea is that the user decides this then security is wholly
dependent on the user configuring the protocol correctly, so a slight
misconfiguration could allow a major breach (note this cannot happen
in IPv6 AH).

Please consider doing a consensus call on whether ignoring an
Authentication option in UDP options is allowed.

Thanks,
Tom
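
Added example (not part of the original message, and not code from the UDP Options draft): a receiver sketch contrasting the two behaviours the message compares, ignoring a present authentication option versus validating it and dropping on failure. The datagram layout, the option kind value and the function names are assumptions made for illustration and do not follow the draft's wire format.

```python
import hashlib
import hmac
import struct

AUTH_KIND = 0xA0  # hypothetical option kind for this toy layout, not the draft's value


def build(payload, key=None):
    """Toy datagram: 2-byte payload length, payload, optional trailing auth option."""
    body = struct.pack("!H", len(payload)) + payload
    if key is None:
        return body
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + bytes([AUTH_KIND, len(tag)]) + tag


def parse(pkt):
    """Split a datagram into (body, tag); tag is None when no auth option is present."""
    (plen,) = struct.unpack_from("!H", pkt)
    body, opts = pkt[:2 + plen], pkt[2 + plen:]
    tag = opts[2:] if opts[:1] == bytes([AUTH_KIND]) else None
    return body, tag


def receive(pkt, key, policy):
    """Return the delivered payload, or None if the datagram is dropped.

    policy "ignore":   the auth option is skipped, as the message objects to.
    policy "validate": AH-like rule; a present option that cannot be
                       validated (no key, or bad tag) drops the packet.
    Datagrams carrying no option pass under both policies in this sketch.
    """
    body, tag = parse(pkt)
    if policy == "validate" and tag is not None:
        if key is None:
            return None  # option present but receiver cannot validate: drop
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong or truncated tag: drop
    return body[2:]


# Constructed sample input: one sender holds the negotiated key, one does not.
SHARED_KEY = b"k" * 32
GOOD = build(b"hello", SHARED_KEY)
FORGED = build(b"evil", b"x" * 32)  # tag made with a key the receiver never agreed to
```

With the "ignore" policy both GOOD and FORGED are delivered; with "validate" only GOOD is.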