[tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-options-33.txt
Tom Herbert <tom@herbertland.com> Wed, 11 September 2024 16:44 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11600C169438 for <tsvwg@ietfa.amsl.com>; Wed, 11 Sep 2024 09:44:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GnHpu9GT6M-4 for <tsvwg@ietfa.amsl.com>; Wed, 11 Sep 2024 09:44:41 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DA85C151070 for <tsvwg@ietf.org>; Wed, 11 Sep 2024 09:44:41 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-5c413cf5de5so62118a12.0 for <tsvwg@ietf.org>; Wed, 11 Sep 2024 09:44:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1726073080; x=1726677880; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=re0rRnGnzYIhVG7qyLzxLzMAdNneBw1QRqZJFS49ayI=; b=KspaGVhqtMbWh2BvaywMlQyO3yoCYu8KPSpDGNRVCWQLaaVNZ9m51+7FB6siG/O3Cj 5WOcT48eNoAFnVpn/iQyC6EpoxRLTRUnMkCgzHFL+9UNFDluVNONEP08QmtWSDCgPdds Fiux7MOXdWXUdGR5KdX0CG+hOhGHJ8tyd15oEmBEfj0bwV32o+bwm63pxFFhtoJYxpGO ++Sor9Iv6I/neTb+GGVXu54s9WzZnqMBlbI9o+YVU+Ej3Bhk3pJX9HWaUT74nDHODEeu GG23FidOSiZaMb7VCieCZ2tW1Oq9AhNjk6mRiqfryz0RZURVAfZnd/HOn2atitGNCrtw UX+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726073080; x=1726677880; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=re0rRnGnzYIhVG7qyLzxLzMAdNneBw1QRqZJFS49ayI=; b=moZcPM8ggIismWiDeCvbxclg/NEoLWoDB+YMY5z/+p4e4kW2uudIDx20Sf6try5ajL f4bxkgUL6WsxFqdSLu09J4NDUyV8aW7Fj6awzPMzxPjCtROatrxc1JkXVVo9CJZXFlKK YuJjMw1v9BK2DXGEmqH7kDdM45BbUgR7kIOlR3+WMZI9SHwH7xp/uFeAIN8XfMaqtrU+ UpY16KgcKkK7GxFrmOXSTX6HjqFPihRUQEJV0rjxJNekaulSPn+MutS3UWKdO8GL0H0B 0sFuw7++lcVS7l1Ljzp/5x/gFEaNGndvqLE6zPuqL1AwIdIEbtkWKVb0jB49/Rv+h1M+ 5kDQ==
X-Forwarded-Encrypted: i=1; AJvYcCWZzDEXvu0kojX7RdtDfpI8+itYIatAh4QFLnIIX+H6lgdMbwQg4cIIf7pNmpSavSdV2R3IzQ==@ietf.org
X-Gm-Message-State: AOJu0YxOV0RkNtpgG1sS1I6Vk+EFHNZD7Ae4i+INa4mzeBHjPvwBChIX 0PVDdlFLMS1Q2V9STfJf9PTjd3WHnuPAaLn4CbZRq/+7v3UqltTqfWNmmqE+Ncmc9jONGnLV9rE HH0nLErFlifT/TQDR0Vu5Ntm98ecpsrVMZWjQrXuN2y38+oE=
X-Google-Smtp-Source: AGHT+IFPaRvf03T7bdBD1mT4IyorNgkMJhN4HDSGORJZpE4aIbrPuwfE4Rf/a9+fUV6lvsV8pAQZ6fUcWbO1y5BKxvQ=
X-Received: by 2002:a05:6402:1f44:b0:5c2:68e9:8cf with SMTP id 4fb4d7f45d1cf-5c413e4ac5dmr63343a12.24.1726073078782; Wed, 11 Sep 2024 09:44:38 -0700 (PDT)
MIME-Version: 1.0
References: <172550306709.1770786.15730705299947048772@dt-datatracker-68b7b78cf9-q8rsp> <4BA70A7D-AB39-4EED-82DB-7BDF9C3AC064@strayalpha.com> <e1a66d25-4c33-4e78-a182-8f5a06a6a750@erg.abdn.ac.uk> <CALx6S37th5ZzKVxJxZL2S3_WH-SAUxs0x5_kTLYr+PuYMSe4eQ@mail.gmail.com> <d71d390e-ffab-4f20-9b30-567a53c44cc9@erg.abdn.ac.uk> <CALx6S35hWYUgZqdaYharL3k1BviXkXvBFEnVUNd=yVsTfzbK8g@mail.gmail.com> <da02c827-cfd2-4fb7-a047-1b71dc806142@erg.abdn.ac.uk> <B1CED44D-A3C0-4BF8-BA4F-198A96DAA854@strayalpha.com> <BB412B73-9B21-49BD-80AE-DB94E6FD01A1@gmx.de> <D8C1B4D0-1DE1-478E-804F-20D8D4964AF9@strayalpha.com> <1C7A0E1F-E150-4F05-BE26-6FDC54412191@gmx.de> <9AA60AF0-06F8-456A-B995-FDB52883B7A7@strayalpha.com> <CALx6S35Rv4XzJxxYNUsu2sf=0Cks5PyBXXRmH8sqJj6COzb6Qw@mail.gmail.com> <BAF86E72-D047-47D6-8655-FD62A7F52BE7@strayalpha.com>
In-Reply-To: <BAF86E72-D047-47D6-8655-FD62A7F52BE7@strayalpha.com>
From: Tom Herbert <tom@herbertland.com>
Date: Wed, 11 Sep 2024 09:44:27 -0700
Message-ID: <CALx6S36M-rw+4AmrQp_UZTLwt+jCXO=vR1za-=fxQe9ODX7h4Q@mail.gmail.com>
To: "touch@strayalpha.com" <touch@strayalpha.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: CMGLZBBRVB3USJXDWDUFN4US3KXUXIKB
X-Message-ID-Hash: CMGLZBBRVB3USJXDWDUFN4US3KXUXIKB
X-MailFrom: tom@herbertland.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tsvwg.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tsvwg IETF list <tsvwg@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-options-33.txt
List-Id: Transport Area Working Group <tsvwg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/o9GyGShnL1Y7UK_Poajrb6znQkA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Owner: <mailto:tsvwg-owner@ietf.org>
List-Post: <mailto:tsvwg@ietf.org>
List-Subscribe: <mailto:tsvwg-join@ietf.org>
List-Unsubscribe: <mailto:tsvwg-leave@ietf.org>
On Wed, Sep 11, 2024 at 8:59 AM touch@strayalpha.com <touch@strayalpha.com> wrote: > > Hi, Tom, > > > On Sep 11, 2024, at 8:11 AM, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote: > > > >> ... > >> Signed emails are a good example. The signatures happen at a layer above TCP. SMTP doesn’t ensure that the recipient has a key, nor does it drop all mails that lack keys, even when authentication is present. > > > > Joe, > > > > But Authentication Header (RFC4302) is much closer in functionallity > > and use case than SMTP, and if a receiver can cannot validate the AH > > in packet, for *any* reason, the packet MUST be dropped. That is the > > relevant IETF precedent. > > You asked for an example of a use case where the current approach (SAFE) is still meaningful and useful. SMTP is it. > > Yes, AH works more like you prefer. But I would note that AH is deprecated in IPsec anyway. If we compare the only current IPsec required mode - ESP - that correlates to UENC and both are rightfully treated the same way, basically UNSAFE., > > >> > >> We could add optional AUTH to NFS without breaking NFS everywhere; those who care would benefit, but those who don’t - or don’t yet have a key - would not be affected. That works for many other UDP protocols, from DNS to DHCP. > >> > >> AUTH that isn’t checked at the receiver doesn’t just pass failed authenticity checks; it passes ones that would have succeeded to, so it acts like it’s not there. That’s “opportunistic” to me. > > > > Okay how about we call Auth it "Best Effort security" (pretty much an > > oxymoron :-) ...) > > If you consider signing but not encrypting email equally oxymoronic, sure. It’s very widely used, though. > > >> [SM] Yes, but what utility does this offer to somebody employing AUTRH in a new protocol based on top of UDP options? Surely if AUTH is used UDP options are required ... > >> > >> > >> That’s exactly the opposite of how the SAFE UDP options are designed. They’re silently ignored by legacy endpoints. > > > > And that obviously implies that SAFE options are safe to ignore. Auth > > is not safe to ignore since it creates a security hole when ignored. > > I would be glad to discuss new perspectives further, but continuing to claim that *defaulting* AUTH as OK to accept regardless of the check result is the same as saying every signed email you receive should be dropped when you lack the key - or try to read them on a device that doesn’t support signatures. Joe, Email has the same problem. If you accept a signed email without validating it then you are potentially accepting a forged email. That is a problem. The sending user didn't sign the email just for fun or to waste compute cycles, they did it because they want to protect THEMSELVES. If the receiver does accept a forged email because they're too lazy to authenticate it, then when the user incurs damages because of that laziness, liability is going to rest on the receiver. You seem to assume that only the receiver has a vested interest in secure communications. That is not true. Whenever I sign an email, enter a login password, send a packet with Auth option I FULLY EXPECT the receiver to authenticate the data. If they can't then I'd rather be informed that communications are feasible than be lulled into a false sense of security only to find out later that my service provider gave me zero protection when my account is breached. If Auth option can be ignored, then it is only a matter of time before somewhere and for someone a security breach happens and a user incurs harm. And the fact, this breach could have been prevented had the protocol specified receiver requirements. > > That’s basically a complete proof of why AUTH needs to be SAFE. > Hardly. If you want to prove that you need to show that ignoring Auth does not introduce a security risk for users. Tom > >> > >> ... > >> > >> The question is whether doing AUTH on a packet means “you’d better do this or else” - but again, everything in UDP is designed to let the receiver decide what to do, not the sender force. > > > > No, that's not how UDP works. From RFC1122: > > > > "If a UDP datagram is received with a checksum that is non-zero and > > invalid, UDP MUST silently discard the datagram." > > That’s a core part of the protocol. We do not have the luxury of making such assertions to a legacy protocol. > > >> [SM] Sure, but UDP already exists, UDP options is advertized as framework to build protocols on top of UDP, if "anything goes" is desired, why would I not simply stick to existing UDP? > >> > >> > >> Anything doesn’t go per se; it’s just up to the receiver to decide what goes - JUST AS IT IS FOR TCP SYN OPTIONS, i.e., the stateless initiation of the TCP control protocol. > >> > >> FWIW, if we’re talking about precedent across IETF protocols, that’s a fundamental - transmitter offers, receiver decides. In stateful protocols, e.g., TCP, SCTP, etc., option capabilities are announced in the SYN but the receiver decides whether to accept them or not. The initiator has to wait for feedback to decide whether to proceed based on that information. > >> > > > > Except that UDP is a stateless protocol and it does not have SYNs, > > SYNs arrive with no context, so they are handled exactly the same as every UDP packet - statelessly. > > > so > > the comparison to TCP has little relevance. If you want to make a > > meaningful comparison, then compare UDP options to other option > > formats in stateless protocols (IIPv4 options, IPv6 HBH and Dest > > options, Authenrication header, et.c). > > AH is not an option. It’s a tunnel. And yes, this is very much like options that were designed AFTER the protocol was designed, but not at all like those designed when the protocol was introduced. > > > > >> In this case, the transmitter can try to figure out of the receiver will honor AUTH using an app level exchange; if it doesn’t, then it can always decide to cease transmissions too. > > > > We already negotiated a key with the receiver, > > AGAIN (and again and again) - if you negotiate a key with the receiver, then the receiver would (and could be required per the negotiation) to override the default. THAT IS NOT BEING DEBATED and we can make that clear as a suggestion for future negotiation protocol designers. > > The default is a concern ONLY for endpoints that either don’t support AUTH or haven’t negotiated keys. Just like email readers that don’t have keys or support signatures. > > Joe
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Gorry Fairhurst
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… C. M. Heard
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Gorry Fairhurst
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… C. M. Heard
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Joe Touch
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Christian Huitema
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Gorry Fairhurst
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… C. M. Heard
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Gorry Fairhurst
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Gorry Fairhurst
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] I-D Action: draft-ietf-tsvwg-udp-options-… internet-drafts
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Gorry Fairhurst
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… C. M. Heard
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Joe Touch
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… touch@strayalpha.com
- [tsvwg] sS Sebastian Moeller
- [tsvwg] Re: sS C. M. Heard
- [tsvwg] Re: socketpair (was Re: sS) Christian Huitema
- [tsvwg] Re: socketpair (was Re: sS) touch@strayalpha.com
- [tsvwg] Re: socketpair (was Re: sS) Christian Huitema
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Erik Auerswald
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Sebastian Moeller
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Joe Touch
- [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-opti… Tom Herbert