Re: [tsvwg] Regarding DTLS and UDP options

Tom Herbert <tom@herbertland.com> Mon, 17 April 2017 21:06 UTC

In-Reply-To: <4e36af95-84c3-bc7e-b18a-614f8bfab662@isi.edu>
References: <CACL_3VFeJs7KzG9Bchh15bfZ3CmaOPWcfisEreNoGYK5CsEJ+g@mail.gmail.com> <3a4a6b78-8146-de4c-6246-7bd09de44f1c@isi.edu> <CACL_3VFkr3mGe-yTbvHrTZcKVCpEv3FeSOyoShUxCK5+9Tdqqg@mail.gmail.com> <c79fe3d0-8567-ea7d-72fc-bd33732df60e@isi.edu> <CACL_3VHmoCSo23OWqQFq7upw749CqMK7iazXrBKZARzwbzY5mw@mail.gmail.com> <f97f08d4-0070-437a-e22a-8782497c76eb@isi.edu> <4e36af95-84c3-bc7e-b18a-614f8bfab662@isi.edu>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 17 Apr 2017 14:06:14 -0700
Message-ID: <CALx6S35dRcvCaVmZD7uZ02x1o7iBCMXZ8Lf9DzAXC1APKDapVA@mail.gmail.com>
To: Joe Touch <touch@isi.edu>
Cc: tsvwg <tsvwg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/jyG8irevUAfuGF3n7926j_1_hBs>
Subject: Re: [tsvwg] Regarding DTLS and UDP options
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>

On Fri, Apr 14, 2017 at 4:56 PM, Joe Touch <touch@isi.edu> wrote:
> Hi, all,
>
> Christian Huitema asked a question about the interaction between DTLS and UDP
> options during my remote presentation at IETF 98.
>
> I took a closer look and consulted with Eric Rescorla (DTLS author). He
> and I agreed as follows:
> - DTLS would currently not cover UDP options; DTLS protects only the UDP
> payload
> - the situation is analogous to TCP options, which are not covered by TLS
> I.e., both TLS and DTLS are transport *payload* security only, despite
> their names.
>
> Christian noted that this may be a reason QUIC prefers UDP (to avoid the
> need to protect transport options), however QUIC does not (and
> cannot) deprecate UDP payloads that are smaller than the IP payload.
> That would require a change to RFC 768.
>
> I'll add a clarification on this point to the next rev of the UDP
> options document.
>
Since the UDP options are not covered by DTLS, couldn't that allow a
middleman attacker to add arbitrary UDP options to a packet, thereby
potentially circumventing the security provided by DTLS? Maybe if DTLS is
in use then the AE option should be required also? Note that this case
differs from TCP options since the sender in my example may not even
have a clue as to what UDP options are.

Tom

> Joe
>
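The exposure discussed in this thread, as an added example that is not part of the original messages, the UDP options draft, or any DTLS implementation: a toy model of a UDP datagram whose IP payload is longer than the UDP Length field, with options carried in the surplus area after the UDP payload. A payload-only integrity tag (standing in for DTLS record protection) still verifies after an on-path party appends an option, while a tag that also covers the surplus area (standing in for the role an AE-style option would play) does not. The option kind numbers, the TLV layout, the HMAC tag construction and the key are assumptions made for the illustration, not the draft's or DTLS's actual encoding.

```python
"""
Added example (not from the tsvwg thread, the UDP options draft, or DTLS).
Models a UDP datagram with a surplus area holding TLV options and compares
payload-only integrity coverage with coverage that includes the options.
All kinds, formats and keys here are assumptions for illustration.
"""
import hashlib
import hmac
import struct

# Hypothetical option kinds (assumed for this model, not the draft's values).
OPT_EOL = 0
OPT_NOP = 1
OPT_SENDER = 0x10   # an option the legitimate sender emits
OPT_INJECTED = 0xFE  # an option an on-path party inserts

KEY = b"constructed shared session key"  # stands in for a DTLS session key


def encode_option(kind, data):
    """TLV: kind, total length (kind + length + data), data."""
    return bytes([kind, 2 + len(data)]) + data


def build_udp(src_port, dst_port, payload, options=b""):
    """UDP Length covers header + payload only; options follow as surplus."""
    header = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    return header + payload + options


def split_udp(ip_payload):
    """Split an IP payload into (udp_header, udp_payload, surplus) by UDP Length."""
    if len(ip_payload) < 8:
        raise ValueError("short UDP header")
    _src, _dst, udp_len, _csum = struct.unpack("!HHHH", ip_payload[:8])
    if udp_len < 8 or udp_len > len(ip_payload):
        raise ValueError("bad UDP Length")
    return ip_payload[:8], ip_payload[8:udp_len], ip_payload[udp_len:]


def parse_options(surplus):
    """Parse surplus-area TLVs; EOL and NOP are single bytes, all others kind/len/data."""
    opts, i = [], 0
    while i < len(surplus):
        kind = surplus[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(surplus):
            raise ValueError("truncated option")
        length = surplus[i + 1]
        if length < 2 or i + length > len(surplus):
            raise ValueError("bad option length")
        opts.append((kind, surplus[i + 2:i + length]))
        i += length
    return opts


def tag_payload_only(payload):
    """Model of DTLS: integrity covers only the UDP payload."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def tag_payload_and_options(payload, surplus):
    """Model of an AE-style option: integrity also covers the surplus area."""
    return hmac.new(KEY, payload + b"\x00" + surplus, hashlib.sha256).digest()


def inject_option(ip_payload, kind, data):
    """On-path party appends an option; UDP Length is untouched, so the payload is too."""
    return ip_payload + encode_option(kind, data)


def receiver_check(ip_payload, expected_tag, cover_options):
    """True if the tag verifies under the chosen coverage; raises on malformed options."""
    _hdr, payload, surplus = split_udp(ip_payload)
    parse_options(surplus)
    tag = (tag_payload_and_options(payload, surplus) if cover_options
           else tag_payload_only(payload))
    return hmac.compare_digest(tag, expected_tag)


def demo():
    payload = b"DTLS record (constructed)"
    sent = build_udp(5000, 4433, payload, encode_option(OPT_SENDER, b"\x05\xb4"))
    tag_dtls = tag_payload_only(payload)
    tag_ae = tag_payload_and_options(payload, split_udp(sent)[2])
    tampered = inject_option(sent, OPT_INJECTED, b"evil")
    return {
        "options_seen_by_receiver": parse_options(split_udp(tampered)[2]),
        "payload_only_accepts_tampered": receiver_check(tampered, tag_dtls, False),
        "option_cover_accepts_tampered": receiver_check(tampered, tag_ae, True),
        "option_cover_accepts_original": receiver_check(sent, tag_ae, True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The tag is passed out of band here purely to keep the model small; the point is the coverage boundary. Because UDP Length (and therefore the payload DTLS authenticates) is unchanged by the insertion, the payload-only check accepts the tampered datagram and the receiver acts on an option the sender never emitted, which is exactly the case where a receiver that understands UDP options would want something like an AE option required whenever DTLS is in use.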