IETF Logo Mail Archive

Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32

Christian Huitema <huitema@huitema.net> Tue, 09 April 2024 17:16 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84E5EC14F69B; Tue, 9 Apr 2024 10:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yI0fWWAN12sP; Tue, 9 Apr 2024 10:15:57 -0700 (PDT)
Received: from se01.mfg.siteprotect.com (se01.mfg.siteprotect.com [64.26.60.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE2A1C14F5E9; Tue, 9 Apr 2024 10:15:56 -0700 (PDT)
Received: from smtpauth02.mfg.siteprotect.com ([64.26.60.151]) by se01.mfg.siteprotect.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1ruF4Z-003fHR-LB; Tue, 09 Apr 2024 13:15:53 -0400
Received: from [192.168.1.102] (unknown [172.56.169.185]) (Authenticated sender: huitema@huitema.net) by smtpauth02.mfg.siteprotect.com (Postfix) with ESMTPSA id 4VDXfR2xP3z2YQR6s; Tue, 9 Apr 2024 13:15:43 -0400 (EDT)
Message-ID: <5f3d17fa-292a-4c22-ba31-1325acd08ade@huitema.net>
Date: Tue, 09 Apr 2024 10:15:42 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Tom Herbert <tom@herbertland.com>
Cc: Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com>, "Gorry (erg)" <gorry@erg.abdn.ac.uk>, tsvwg <tsvwg@ietf.org>, draft-ietf-tsvwg-udp-options.all@ietf.org
References: <CAEh=tcd2FzQxgbSivuX2cEg2FpsnkoqdFw5gMhrx3pkT_JV88Q@mail.gmail.com> <2BEB5CC3-BB54-4119-A20F-8497ED4B5AE2@erg.abdn.ac.uk> <CAEh=tccKg7YHYkwKZ978uaXmTkBu3zyA+WBAW=eBMKAh2PSVDw@mail.gmail.com> <b7f7b836-c625-445d-bd38-f5ed8f4ba757@huitema.net> <CALx6S34=5CCDY_Wj1+9Moj0NMnZr=gBjpT3NBfom6r6oouGJEw@mail.gmail.com> <017b6905-d56c-4821-a313-644f003f2925@huitema.net> <CALx6S36YKP6XN=51E0mAzUzJumsZKkhyYJ0XzR_7en8OJ_pAAQ@mail.gmail.com>
Content-Language: en-US
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; keydata= xjMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1RmvN J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PsKWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAzjgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB8J+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
In-Reply-To: <CALx6S36YKP6XN=51E0mAzUzJumsZKkhyYJ0XzR_7en8OJ_pAAQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=huitema@huitema.net
X-Originating-IP: 64.26.60.151
X-SpamExperts-Domain: mfg.outbound
X-SpamExperts-Username: 64.26.60.150/31
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=64.26.60.150/31@mfg.outbound
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.05)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9Lih/nvNZe9muqHieCOGgoPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5z5W83tr/6vNQtj+4/xevXoW95spUSdK3VnU+g2XY9jxtqG 1OdKLK9CK9haUsE78VyOvEc/lOQBjdEi9z2Y/BVY5/LD2g4mUo4Dbk4/l8IQHbyyMZOmEDgX6xV3 lQblnjq+LzRXdJ1YqdfatOCcqltxJOxOjR0ukcYY3oUWkOlDyz1/9zj2k5FXUATjIZ74enpPZDez DN9a/J+reU9kttGlrh4vRlOXfMHwXupfKWcZNM1Fcs0SC8nblZenCVIev6lgr8xvzLDaRSc9eiji LL8obV7BxxPBKzU39/yjS6/oyVEu5C5Qpt+ySX+arCVy82MVoKan+n/RNkihWEY9fqXQhaUHyuMr hMOgFibBDgffCjMaIL48SHdwBur7C9FrSAWaVs2c1Tq+ByoZMREACQxLeojJCimrFgJg48+TIHuv ZTQGAMrrTbtqaiS1SstPlN2yGf9cCvIdooB6k0a0807VqmqFAo87iPgwXjSZgtJYfr2cTA3dsuWI QitrJuuk0g+3QM22Wm73+PngL70p9A+Wb9dYDDnKXVLIVIlzIQf7nQRWnlCuVd/azL8F4K4Nury8 Ksk+aedMfNWSnJswrtlNS87h4lKCwD/NGHcUTRljLVHuAq4k7PqG9M5idz7joR5wmQf9cgFUgdFJ 0BSVzvcZ4exMJTW1cRLuCgKRuG4mt3MhuFWv1ncsgMffAZBRnhSUEd3bAnnes+zbrnBytZciV1CY WRJ1Q8UJMgZYFNjZFYV7ZjyGBd8lSfQlsY7059jjcDndy1Y1Z2TcnjXgzGy4MlhFSGOSgMb4Ksdr uPR1UXOwK6vRcBOFxeMs/w071h4usDyLvokxtMASEJgCA3vrQoKdJKNIB5sQWa7OUAEYCgTiZUr9 jJhgIra1kzwOZ5oURZUp8O7sSoXMAYYKzVg5BDSTG6vBlnUNtrYvq579kUqEUVhhh2bpWU2I3BHu oJBy2DNwOgV373pfDhBQ21OdCgZhRFFHnhPb3RWMN/14rp9uLSnGhhTOKxudNYpaHjNe1BHI/RJa DL+5WxaVd0U9ylBN6DUWx0IuPmOb6UmZ9H7nvaSSAXIbJiVqolw0h6Bi6i9rgM2bOkddbSPARoPu a7X/CX9/5OOSfZtD8DykThFlpIn/hi+29TNbQAfExDUDI/CtZtprHrOXK6bygwRgtUnRM43wTVPb os0UB2tm+A==
X-Report-Abuse-To: spam@se02.mfg.siteprotect.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/iP6MPqUubsUW4iA4jTuig3aUOh0>
Subject: Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2024 17:16:01 -0000


On 4/9/2024 9:09 AM, Tom Herbert wrote:
> 
> 
> On Tue, Apr 9, 2024, 11:29 AM Christian Huitema <huitema@huitema.net 
> <mailto:huitema@huitema.net>> wrote:
> 
> 
> 
>     On 4/9/2024 8:17 AM, Tom Herbert wrote:
>      > On Tue, Apr 9, 2024 at 7:29 AM Christian Huitema
>     <huitema@huitema.net <mailto:huitema@huitema.net>> wrote:
>      >>
>      >>
>      >>
>      >> On 4/9/2024 6:09 AM, Zaheduzzaman Sarker wrote:
>      >>>
>      >>>
>      >>> On Tue, Apr 9, 2024 at 12:48 PM Gorry (erg)
>     <gorry@erg.abdn.ac.uk <mailto:gorry@erg.abdn.ac.uk>
>      >>> <mailto:gorry@erg.abdn.ac.uk <mailto:gorry@erg.abdn.ac.uk>>> wrote:
>      >>>
>      >>>      See below for my 2c.
>      >>>
>      >>>       > On 9 Apr 2024, at 11:31, Zaheduzzaman Sarker
>      >>>      <zahed.sarker.ietf@gmail.com
>     <mailto:zahed.sarker.ietf@gmail.com>
>     <mailto:zahed.sarker.ietf@gmail.com
>     <mailto:zahed.sarker.ietf@gmail.com>>>
>      >>>      wrote:
>      >>>       >
>      >>>       > Hi all,
>      >>>       >
>      >>>       > Putting my AD hat on, if we specify protocol features
>     only for
>      >>>      endpoints to
>      >>>       > consume and not for endpoints to network, then we
>     should make
>      >>>      sure that is
>      >>>       > case when we design and describe it. We cannot expect
>     all the
>      >>>       > intermediaries are well behaved or features are used as
>     intended when
>      >>>       > designed. From that point of view it is not good enough
>     to send
>      >>>      information
>      >>>       > in clear and just say "UDP Options are for Transport, Not
>      >>>      Transit". With
>      >>>       > the current, well placed, scrutiny of privacy and
>     security on all the
>      >>>       > protocols that IETF is producing- It would require a huge
>      >>>      exception to get
>      >>>       > it published.
>      >>>       >
>      >>>       > The questions I would like to get answer is  -
>      >>>       >
>      >>>       >      Is it OK for the endpoints to send information in UDP
>      >>>      options which
>      >>>       > can be read (only) by the transit nodes and react to
>     it? if NO,
>      >>>      then how
>      >>>       > to prevent that to happen?
>      >>>       >
>      >>>       > //Zahed
>      >>>
>      >>>      this is a transport/encapsulation that can be used without the
>      >>>      benefits of encryption.To me, this was already clear when the
>      >>>      working group asked to start this work (it certainly was
>     made clear
>      >>>      after the work was adopted), and this spec developed over
>     many years.
>      >>>
>      >>>
>      >>> Right, many years have past and we should then recheck the
>     consensus on
>      >>> this. From the mentioned email discussions and views expressed
>     here I am
>      >>> not sure it is clear to me what consensus we have now. Could
>     you also
>      >>> please provide me any reference to the consensus?
>      >>>
>      >>>
>      >>>
>      >>>      So.   I think given this, it is OK for the endpoints to send
>      >>>      information in UDP options which can be read (only) by the
>     transit
>      >>>      nodes and they can indeed react to this. That has always been
>      >>>      possible with tunnels, extension headers, and transports -
>     at least
>      >>>      those not using transport encryption. This comes with
>     positive and
>      >>>      negative impacts.
>      >>>
>      >>>      In today’s world, a designer can choose to protect all of the
>      >>>      transport eg using QUIC - and many designs will follow
>     that path.
>      >>>      Although, there is a large body of work in the IETF that still
>      >>>      directly uses UDP. That to me is OK if that best fits the use.
>      >>>
>      >>>
>      >>> Yes, UDP should be considered as transport protocol. It would
>     be good to
>      >>> have a view on how many of those large body of work uses or
>     envision to
>      >>> use UDP options in clear. This would boost the motivation for
>     this work
>      >>> and back up the need of UDP options.
>      >>
>      >> Depending on the application stack, UDP is either a transport
>     protocol
>      >> or a transparent pass-through. Indeed, this is pretty much the
>     intended
>      >> design of UDP, as stated in RFC 768: "This protocol provides a
>     procedure
>      >> for application programs to send messages to other programs with a
>      >> minimum of protocol mechanism."
>      >>
>      >> If the application stack is including its own transport
>     protocol, then
>      >> we are in the "pass-through" case. This is absolutely the case
>     if the
>      >> application stack includes QUIC, SCTP or DTLS, but there are
>     other examples.
>      >>
>      >> In the pass-through examples, and especially when the application
>      >> transport uses encryption, adding clear-text options does not
>     add value.
>      >> It destroys it, re-enabling surveillance despite encryption of the
>      >> application.
>      >>
>      >> I think there should be a very clear mechanism for application to
>      >> "opt-in" the usage of clear-text application, and that for
>     applications
>      >> that did not opt in the reception of clear-text options should be
>      >> treated as a protocol error.
>      >>
>      >
>      > Christian,
>      >
>      > In current host stack implementation, when a UDP packet is received
>      > with surplus area we truncate the packet down to UDP Length and
>      > otherwise ignore the surplus area bits. Are you suggesting that the
>      > default behavior should be to drop packets with a UDP surplus area?
> 
>     If the application did not opt-in, yes, because that's the best way to
>     prevent "off standard" deployment of clear-text options.
> 
>      >
>      > IMO, this might be worth considering. I agree that this would tighten
>      > security. Also, I would point out that even truncating the surplus
>      > area like we do today is not without cost. If we are doing protocol
>      > agnostic checksum offload, the preferred method, then we need to
>      > compute the checksum over the surplus area when truncating and so we
>      > do this in the CPU. For a large surplus area this can burn a lot of
>      > cycles to process data that is useless to the receiver; conceivably,
>      > this could be a basis for a DoS attack on CPU resources.
> 
>     Yes, there is also a security aspect. Adding option processing does
>     increase the attack surface, and even simple options like Ping have
>     caused issues like Heartbleed. Add the extra CPU requirements that you
>     mention, and I can see why security conscious application would want to
>     not use any clear-text addition to UDP packets.
> 
> 
> Christian,
> 
> I believe that processing of the options is already opt-in. Accepting 
> UDP surplus area (at least ignoring it and not dropping packet) and the 
> checksum processing I described are currently mandatory.

And that's probably what need to change before this draft is published. 
Using the surplus area without the explicit consent of the application 
is an attack. The proper way to stop such attacks is to drop the whole 
packet, because only that inflicts a cost to the attacker.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email