Re: [tsvwg] Way forward for UDP option FRAGs with limited router hardware

Joe Touch <touch@strayalpha.com> Tue, 12 April 2022 16:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/nLa78U48pVgfsI-aOLSWKGf_ycI>


> On Apr 12, 2022, at 9:18 AM, C. M. Heard <heard@pobox.com> wrote:
> 
> 2.) There is a concern that packets with UDP trailers -- i.e., where
> the IP Payload Length exceeds the UDP Length -- will be filtered in
> intermediate systems. If I understand correctly, this is the concern
> (or at least one of the concerns) that Christian Huitema has raised.

Right but:

- stripping UDP trailers provides no unique protection vs. stripping IP options. I.e., if you think this is an issue, neither is reliable.

- UDP options are the only proposed way that allows fragments to pass through firewalls without flowID state (which is another covert channel, BTW). This *increases* traversal of devices, which should be balanced with concerns of it being stripped. 

- UDP options CAN always be stripped; we’re designing with the assumption that this is what legacy endpoints would do anyway. So users need to verify capabilities they rely upon. This is better than IP option use, which doesn’t tend to force users to make that assumption and check. 

The better way to think of this draft - and, for that matter, the TCP header extensions in TCPM - is "if you want this, here's a way it can possibly work". Nobody is being required to implement either extension. That means they're both a lot more legacy friendly than most other changes to these essential protocols.

Joe
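The quoted point 2 defines a UDP trailer as the case where the IP Payload Length exceeds the UDP Length, and the reply notes that such trailers can always be stripped by a legacy host or middlebox. The following Python script is an added example, not code from this thread, from the UDP options draft or from its authors: it builds a constructed IPv4/UDP packet with surplus bytes after the UDP datagram, shows how a filter or IDS would detect the trailer from the two length fields, and shows what stripping it amounts to. The addresses, ports and the four trailer bytes are constructed stand-ins; the trailer is not the draft's option encoding. The checksum behaviour it demonstrates is plain RFC 768/791: the UDP checksum covers only UDP Length bytes, so a trailer neither breaks nor is protected by it, while the IP Total Length and header checksum do have to change when the trailer goes.

```python
import socket
import struct


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when `data` already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src: str, dst: str, sport: int, dport: int,
                     payload: bytes, trailer: bytes = b"") -> bytes:
    """IPv4 + UDP datagram, optionally followed by surplus bytes beyond UDP Length.

    Constructed packet for demonstration. `trailer` is a stand-in byte string,
    not the option format defined by the UDP options draft.
    """
    udp_len = 8 + len(payload)  # UDP Length counts header + payload only
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 17, udp_len)
    udp_nocsum = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = ones_complement_checksum(pseudo + udp_nocsum) or 0xFFFF  # 0 means "no checksum" in UDP
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    total_len = 20 + len(udp) + len(trailer)  # IP Total Length covers the trailer too
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 17, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp + trailer


def split_udp_trailer(packet: bytes):
    """Return (ip_header, udp_datagram, trailer) for an IPv4/UDP packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17:
        raise ValueError("not UDP")
    ip_payload = packet[ihl:total_len]
    udp_len = struct.unpack("!H", ip_payload[4:6])[0]
    if udp_len < 8 or udp_len > len(ip_payload):
        raise ValueError("UDP Length inconsistent with IP Payload Length")
    return packet[:ihl], ip_payload[:udp_len], ip_payload[udp_len:]


def is_length_consistent(packet: bytes) -> bool:
    """False when UDP Length claims more bytes than the IP payload carries (a malformed packet)."""
    try:
        split_udp_trailer(packet)
        return True
    except ValueError:
        return False


def has_udp_trailer(packet: bytes) -> bool:
    """True when IP Payload Length exceeds UDP Length, i.e. a trailer is present."""
    return len(split_udp_trailer(packet)[2]) > 0


def strip_udp_trailer(packet: bytes) -> bytes:
    """What a legacy host or filtering middlebox effectively does: drop the trailer,
    shrink IP Total Length and recompute the IP header checksum."""
    ip_hdr, udp, _ = split_udp_trailer(packet)
    hdr = bytearray(ip_hdr)
    hdr[2:4] = struct.pack("!H", len(ip_hdr) + len(udp))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ones_complement_checksum(bytes(hdr)))
    return bytes(hdr) + udp


def udp_checksum_ok(packet: bytes) -> bool:
    """The UDP checksum covers pseudo-header + UDP Length bytes only, never the trailer."""
    ip_hdr, udp, _ = split_udp_trailer(packet)
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 17, len(udp))
    return ones_complement_checksum(pseudo + udp) == 0


def ip_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ones_complement_checksum(packet[:ihl]) == 0


# Constructed sample: 5-byte payload plus 4 stand-in trailer bytes (not a real option encoding).
SAMPLE = build_udp_packet("192.0.2.1", "192.0.2.2", 40000, 5353, b"hello", b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print("trailer present:", has_udp_trailer(SAMPLE), "| udp csum ok:", udp_checksum_ok(SAMPLE))
    stripped = strip_udp_trailer(SAMPLE)
    print("after strip - trailer present:", has_udp_trailer(stripped),
          "| udp csum ok:", udp_checksum_ok(stripped), "| ip csum ok:", ip_checksum_ok(stripped))
```

The detection rule is the one a middlebox would apply: a single comparison of two length fields, no flow state. The stripped packet still passes both checksums, which is exactly why an endpoint that relies on the trailer has to verify end to end that it actually arrived, as the reply says, rather than assume the path preserved it.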