Re: [tsvwg] https://notes.ietf.org/notes-ietf-117-tsvwg# UDP options discussion
"C. M. Heard" <heard@pobox.com> Wed, 26 July 2023 18:33 UTC
Return-Path: <heard@pobox.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AFD8C1527A0 for <tsvwg@ietfa.amsl.com>; Wed, 26 Jul 2023 11:33:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pobox.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UyBX6oTE2Vh7 for <tsvwg@ietfa.amsl.com>; Wed, 26 Jul 2023 11:32:56 -0700 (PDT)
Received: from pb-smtp21.pobox.com (pb-smtp21.pobox.com [173.228.157.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75D5FC15270E for <tsvwg@ietf.org>; Wed, 26 Jul 2023 11:32:56 -0700 (PDT)
Received: from pb-smtp21.pobox.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id BEFB526F5F for <tsvwg@ietf.org>; Wed, 26 Jul 2023 14:32:55 -0400 (EDT) (envelope-from heard@pobox.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h= mime-version:references:in-reply-to:from:date:message-id:subject :to:cc:content-type; s=sasl; bh=4fg0gJV5faunT+c/+Jfv0E4V6qa2Xrab SjhQgHS/F88=; b=hCtm8/SifrfKuwL6Hsd0+mldbjiJY+7VocH0AU+SxcNQlacq Ut57p4EKVQIag8xwEVKjCuB9xo+bwvY3Yxw3eRWP9iRdA6HWfhWkhY6nvUfNMOVO vj1Q0H1X+fp+COZHpZKly5VGJghKm8LZRpL1gINY+JDlyQd1k9cw6W+xUe0=
Received: from pb-smtp21.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id B7B3B26F5E for <tsvwg@ietf.org>; Wed, 26 Jul 2023 14:32:55 -0400 (EDT) (envelope-from heard@pobox.com)
Received: from mail-ed1-f51.google.com (unknown [209.85.208.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp21.pobox.com (Postfix) with ESMTPSA id 5021126F5B for <tsvwg@ietf.org>; Wed, 26 Jul 2023 14:32:51 -0400 (EDT) (envelope-from heard@pobox.com)
Received: by mail-ed1-f51.google.com with SMTP id 4fb4d7f45d1cf-5222c5d71b8so91021a12.2 for <tsvwg@ietf.org>; Wed, 26 Jul 2023 11:32:51 -0700 (PDT)
X-Gm-Message-State: ABy/qLYv2AiI/ooEvglZ/Xi5bWXrFWGI0EMTI/KCnw8Etf5atFQkP3UV 9jueq8BOy02v2ZkgsnrkpnnHlYl5Oc892bB/y/Y=
X-Google-Smtp-Source: APBJJlF/cElz9qdmiphthYUvIaFAir/+etNmNCJemvkaPC2vSTA4UfMNEpCKKQeIw5I1CJurHnH2rPqE23h1CobS71g=
X-Received: by 2002:aa7:c309:0:b0:51d:7fa6:62ca with SMTP id l9-20020aa7c309000000b0051d7fa662camr6543edq.14.1690396368906; Wed, 26 Jul 2023 11:32:48 -0700 (PDT)
MIME-Version: 1.0
References: <trinity-35b7d0fa-f62c-4f38-8778-06054cf80141-1690353455216@3c-app-gmx-bs42> <CACL_3VHOnsSXVgma7iOLcoJiKPAhb8yXRVQft1NRX_VJZDD8RQ@mail.gmail.com> <CALx6S36c6GmD=BdhSMy7QHCwYi8Dj+eb0Np4vuGMaazWDsiQkg@mail.gmail.com>
In-Reply-To: <CALx6S36c6GmD=BdhSMy7QHCwYi8Dj+eb0Np4vuGMaazWDsiQkg@mail.gmail.com>
From: "C. M. Heard" <heard@pobox.com>
Date: Wed, 26 Jul 2023 11:32:36 -0700
X-Gmail-Original-Message-ID: <CACL_3VE+oKOHe7FukjQfTG9qRVipaUyOFJZYVQdSn_GKVOVVUw@mail.gmail.com>
Message-ID: <CACL_3VE+oKOHe7FukjQfTG9qRVipaUyOFJZYVQdSn_GKVOVVUw@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
Cc: Sebastian Moeller <moeller0@gmx.de>, tsvwg <tsvwg@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001931e90601681384"
X-Pobox-Relay-ID: D3F01C6C-2BE2-11EE-8A38-B31D44D1D7AA-06080547!pb-smtp21.pobox.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/nm3ZN8Y31W76n6Cx0-QCcw6L6a4>
Subject: Re: [tsvwg] https://notes.ietf.org/notes-ietf-117-tsvwg# UDP options discussion
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2023 18:33:00 -0000
On Wed, Jul 26, 2023 at 9:45 AM Tom Herbert wrote: > It's not so much design principles, it's realities of deployment or > lack of deployment that we have learned with experience from other > protocols. We know that protocols with unlimited TLVs where unknown > TLVs can be ignored is an invitation to DOS attack. We also know that > any plain text in a packet will be read and consumed by some > intermediate nodes in the network; this is an invitation to ossifying > transport layers, or worse a security vulnerability when the plain > text reveals information about encrypted data. As I said, there is a > real risk that providers will filter packets with surplus area if > there is ever a problem with UDP Options (even the perception that > there might be a problem could be enough to drop packets). Thank you for clarifying and expanding upon your mic comment. > That being said, the more troublesome issue is about Christian > comments that UDP Options should not be allowed with encrypted > payloads. I get the sense that the WG is generally in agreement with this; in the case of QUIC in particular, it's been established that the currently specified UDP options do not offer any capabilities that QUIC does not already have, while on the other hand there is a temptation in some quarters to define new options that expose information QUIC was explicitly designed to conceal (I'm thinking of specifically of draft-reddy-tsvwg-explcit-signal). I do understand Christian's antipathy to exposing anything about QUIC (or any other encrypted protocol carried over UDP) as cleartext in the surplus area. That certainly is not something that we should standardize. But given that the whether insertion of such cleartext information is done is under endpoint control, I fail to see how the very existence of UDP options poses a threat to QUIC or other end-to-end encrypted protocols that use UDP as a substrate. I'm expecting to be educated shortly :-) > Given that the trend is towards encrypting as much of the > packet as possible (if it was feasible, I think we'd regularly be > encrypting TCP headers), if UDP Options were restricted to only work > with unencrypted payloads I have to wonder if there are a sufficient > number of use cases to justify the protocol. I don't know how this can > be addressed; maybe since UDP Options are end-to-end, there should be > a way to encrypt them along with the payload... The potential lack of sufficient use cases is definitely an issue, and the length of time that it is taking to get this spec done has not helped at all. The greatest potential that I see in UDP options is to improve matters for legacy applications such as DNS that rely heavily on classical UDP but suffer from poor network handling of IP fragments. A migration to UDP fragmentation can be done in a manner that is backward compatible and incrementally deployable. If DNS has at best a long and tortuous path to migrate all of its use of classical UDP to an encrypted protocol such as QUIC, then maybe there still is a role for UDP options. Mike Heard
- [tsvwg] https://notes.ietf.org/notes-ietf-117-tsv… Sebastian Moeller
- Re: [tsvwg] https://notes.ietf.org/notes-ietf-117… C. M. Heard
- Re: [tsvwg] https://notes.ietf.org/notes-ietf-117… Tom Herbert
- Re: [tsvwg] https://notes.ietf.org/notes-ietf-117… C. M. Heard
- Re: [tsvwg] https://notes.ietf.org/notes-ietf-117… Tom Herbert