IETF Logo Mail Archive

Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32

Christian Huitema <huitema@huitema.net> Tue, 09 April 2024 19:17 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 280C0C14F6FC; Tue, 9 Apr 2024 12:17:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0P2RbbJUULN; Tue, 9 Apr 2024 12:17:32 -0700 (PDT)
Received: from se01.mfg.siteprotect.com (se01.mfg.siteprotect.com [64.26.60.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B495C14F5EC; Tue, 9 Apr 2024 12:17:31 -0700 (PDT)
Received: from smtpauth01.mfg.siteprotect.com ([64.26.60.150]) by se01.mfg.siteprotect.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1ruGyE-006GfV-Sr; Tue, 09 Apr 2024 15:17:28 -0400
Received: from [10.32.61.225] (unknown [192.0.32.236]) (Authenticated sender: huitema@huitema.net) by smtpauth01.mfg.siteprotect.com (Postfix) with ESMTPSA id 4VDbLl3sBhz163Nqq; Tue, 9 Apr 2024 15:17:19 -0400 (EDT)
Message-ID: <f98c67c3-45e2-49bf-9b3e-6545239355a1@huitema.net>
Date: Tue, 09 Apr 2024 12:17:18 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: "C. M. Heard" <heard@pobox.com>, Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com>
Cc: "Gorry (erg)" <gorry@erg.abdn.ac.uk>, Martin Duke <martin.h.duke@gmail.com>, tsvwg <tsvwg@ietf.org>, draft-ietf-tsvwg-udp-options.all@ietf.org
References: <CAEh=tcd2FzQxgbSivuX2cEg2FpsnkoqdFw5gMhrx3pkT_JV88Q@mail.gmail.com> <2BEB5CC3-BB54-4119-A20F-8497ED4B5AE2@erg.abdn.ac.uk> <CAEh=tccKg7YHYkwKZ978uaXmTkBu3zyA+WBAW=eBMKAh2PSVDw@mail.gmail.com> <CACL_3VG6k9Rg4316dZUd5ksQ2pLZHxzDc2dZqVD0Z9yPQBo3Yw@mail.gmail.com>
Content-Language: en-US
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; keydata= xjMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1RmvN J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PsKWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAzjgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB8J+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
In-Reply-To: <CACL_3VG6k9Rg4316dZUd5ksQ2pLZHxzDc2dZqVD0Z9yPQBo3Yw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=huitema@huitema.net
X-Originating-IP: 64.26.60.150
X-SpamExperts-Domain: mfg.outbound
X-SpamExperts-Username: 64.26.60.150/31
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=64.26.60.150/31@mfg.outbound
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.22)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9kwaN+66tRGBqhoStBmdUBPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5z5W83tr/6vNQtj+4/xevXo2Zybh0C7q2u3ACfXjTyoXiyb 5GIeP46iSHCD/hbqgmu1tKRQLPmP9InHnx1Brj2eX/LhG7FXTm6Tybw4nzs9RzpvjJMlRqtLYdVR m5o1UatFouhV/hTlnP3gizNJ4cCTbODl0npQ7QiJwO4ZFU5qPmw3eNeOhkLncll6ybXS3v37YzVM +DNLaG9EqC8HPWpqIecagTeih6ZIlZsKCgIlymJdA95Fl8JFhtIaBLWO1XgEybI1sOftHmSKUCHC vcq0YTPNT555B5Mf73FCdrCIg3BXvrLBlKCVRjjdPbjQ4HnU/Pi2QiSAHmtoEaz2bwGM/SySBKPE LGmZ8koc19ew0uGF6ePhLVNfQ99xpFdqMeOm+0Y1sWl/JtNpzYpDIJ+3tPQt8ktwubmkyIGt5wqx bNYmyTxrQyWytnV+j2TEcDbyPOsQNm1yLTjGbseEpgCNV4nXdhmqZFgXvtwoyf4nBPqexC/FKmrB VQq3b2CTOB3jT+mbShou6hktCloTvTOZCr3KS+nSmfB/Le8WyggcZGNMyMGzGQ/sIq/J9wLEXmWK 2sg7fhU6xWMp7cHXwP7QnNBzJuL8Gr1cSOdPD+8kUhsGUBCdud6r3d8EwqZuwQA8bzhbGbYrpodL rvAd0KCRSdsy/sW8HAfzzH+4WszBuBOaHC5n55mAcO/V9SpUSv/jlorFXW3bhC79ikuI4jpG++Du IQUs/5JJj4C/n4CILpQjvpxZ7UPYmlSOVPdsu4mPA8mbzdTvSqWoD0J+HqTLLBLle5iYhjQWM8AY MMZ04X7HgAd3NkOV15aRTCT2yxkQ4sKVqNBqZI8EvH6iEaQNA0ktIwG6OzbKAMPdy8PF1PdjzQ6Y C7Heg3Xf7O1TOd7Y2z38I45lVHJj/OkikRxgGOC+7ukCf411wDyLaL5NOLyFj7ORksGGTcv5Mk/R OpoZQyyjnxaho5xTcy6zYqY58zxyXwfouI3MCpKcH4rvOr8sFZYmujn9w1cwNWBS7bID2O/lje9q 2a6dDRTnPCqtB/aO4y6heshmOzypSUjkQTkt4W3lwein2F36yqDcD1BR7gKuJOz6hvTOYnc+46Ee YZuk+LRvHwhK/P1D2xoYX1AWGtsACu2JT7qExpH5i1stXXqfBUgOanr8kY4bkjzQpxo6McVVb7Dx QuoZigjAq/Q+PE9CfPRaI6O+XszhTgw=
X-Report-Abuse-To: spam@se02.mfg.siteprotect.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/jwlTF9N1I2AXq5IIbgHhFvFCQGo>
Subject: Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2024 19:17:38 -0000


On 4/9/2024 11:25 AM, C. M. Heard wrote:
> On Tue, Apr 9, 2024 at 6:09 AM Zaheduzzaman Sarker 
> <zahed.sarker.ietf@gmail.com <mailto:zahed.sarker.ietf@gmail.com>> wrote:
> 
>     On Tue, Apr 9, 2024 at 12:48 PM Gorry (erg) <gorry@erg.abdn.ac.uk
>     <mailto:gorry@erg.abdn.ac.uk>> wrote:
> 
> [ ... ]
> 
>         So.   I think given this, it is OK for the endpoints to send
>         information in UDP options which can be read (only) by the
>         transit nodes and they can indeed react to this. That has always
>         been possible with tunnels, extension headers, and transports -
>         at least those not using transport encryption. This comes with
>         positive and negative impacts.
> 
>         In today’s world, a designer can choose to protect all of the
>         transport eg using QUIC - and many designs will follow that
>         path. Although, there is a large body of work in the IETF that
>         still directly uses UDP. That to me is OK if that best fits the use.
> 
> 
>     Yes, UDP should be considered as transport protocol. It would be
>     good to have a view on how many of those large body of work uses or
>     envision to use UDP options in clear. This would boost the
>     motivation for this work and back up the need of UDP options.
> 
> 
> 
> It was recognized early in the development of the UDP options that they 
> would be useful for DPLPMTUD. This use case is documented 
> in draft-ietf-tsvwg-udp-options-dplpmtud, which has actually been ready 
> for publication for quite some time.

Except that if the application includes its own transport, that 
transport is the normal place to include Path MTU discovery. In the case 
of encrypted transport like QUIC, there is a deliberate design decision 
to not use clear text data, because it can be manipulated by on path 
devices. Using UDP options for path MTU discovery would open a security 
issue.


> Another potentially attractive use case was use of UDP options to allow 
> UDP-based request/response protocols such as DNS to send large responses 
> without relying on IP fragmentation (especially IPv6 fragmentation). 
> Here's how this would work: client includes the MRDS option in the 
> request; responder ignores said option unless it is option aware and has 
> UDP options enabled, in which case it can use the option to determine 
> how to send a large response using UDP fragmentation. This is 
> incrementally deployable as long as legacy applications ignore the UDP 
> surplus area. We don't have an I-D describing this use case. but one 
> could be written if it would help to back up the need for UDP options.

Did you check that assumption with DNSOP? I don't see the DNS users 
clamoring for such a solution. Indeed, most DNS development seems to be 
focused on avoiding UDP fragmentation by either picking a small packet 
size, or using transports like TCP, DoT, DoH or DoQ that do include 
their own fragmentation mechanisms.


>         The backwards compatibility with UDP was considered important in
>         the development of this Spec.
> 
> 
>     This point is absent, AFAIK in Section 16 of the draft now.
> 
> 
> 
> Adding such a discussion is a reasonable request; IMO the best place 
> would be Section 6 (Design Principles).
> 
> 
>   On Tue, Apr 9, 2024 at 10:16 AM Christian Huitema wrote:
> 
>     On 4/9/2024 9:09 AM, Tom Herbert wrote:
>      > I believe that processing of the options is already opt-in. Accepting
>      > UDP surplus area (at least ignoring it and not dropping packet)
>     and the
>      > checksum processing I described are currently mandatory.
> 
>     And that's probably what need to change before this draft is published.
>     Using the surplus area without the explicit consent of the application
>     is an attack. The proper way to stop such attacks is to drop the whole
>     packet, because only that inflicts a cost to the attacker.
> 
> 
> 
> I disagree that use of the surplus area without the explicit consent of 
> the receiver automatically constitutes an attack, as long as the surplus 
> area is ignored by default.

Anything that adds clear text to an already encrypted packet should be 
considered an attack. See Martin Duke's "attractive nuisance" 
discussion. If we want to avoid that, we should either make sure that 
UDP options are encrypted, or recommend dropping unexpected options.

> The attitude of dropping whatever you don't have a predetermined use for 
> is exactly what has made IPv4 options and IPv6 extension headers 
> essentially unusable in the open internet.

I understand that you are concerned about deployment of UDP options, and 
that dropping packets with unexpected options would not ease that 
deployment. But we should not ease deployment at the cost of security or 
privacy.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email