[tsvwg] Re: Request for consensus call for Auth in UDP options

"touch@strayalpha.com" <touch@strayalpha.com> Sat, 07 September 2024 02:40 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11F44C14F605; Fri, 6 Sep 2024 19:40:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cVgIpHKQjCsc; Fri, 6 Sep 2024 19:40:31 -0700 (PDT)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D05F0C14F6F3; Fri, 6 Sep 2024 19:40:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=pvFCk3BqGUPOHIXlT+1IVq6ZBbPqZaivtEbpmZRgyrk=; b=2rLRk3Y8bSfFkHO3XngbBEy/I3 1t35KU8Y0bMuy4hzw4+tGMQPVAhVkrspojgrcgOmq0DvZAMwasqVAlKZMqCZtzJ3Qvr18CxOredLp okUHa6ocUVvUCHEM1sDDSZrm1YeJAvKCC3u2NkXcXjS8iCZIwpu9bTjZfD9e+ARCisWVaMxY7fYUU xwauMM+ZaG8xLs/sPwS6lXl1WBnSrZSJ5KiI7tpleuUdw7+C7eXo3597uDdm5vHCamfMBoJnq45+e 6LJwjb/aVHwhv3N9oyuMZ/bM3S55IwK+3Bad0ro0tS+2YS1iEFTcc4L7hOfiu75+L59ypOVZdPCfj XkR6OMyA==;
Received: from [172.58.208.157] (port=62270 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <touch@strayalpha.com>) id 1smlNG-00G10q-2t; Fri, 06 Sep 2024 22:40:30 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_A198BFD1-16A6-4C25-8BD4-F8C152D6D52F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <CALx6S35hsV9HSE+CLg-7jXdVFX5XP_500tDXKxV0HYeA1PVzgA@mail.gmail.com>
Date: Fri, 06 Sep 2024 19:40:19 -0700
Message-Id: <D7618F0D-5820-49C0-B415-DF4925903773@strayalpha.com>
References: <CALx6S34JjFegygq3D=XnJxiy9tARNtkw2v4BqaCXS80u2J478g@mail.gmail.com> <3188D50F-104C-4505-A5BB-39BED72E3DC6@strayalpha.com> <CALx6S35hsV9HSE+CLg-7jXdVFX5XP_500tDXKxV0HYeA1PVzgA@mail.gmail.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3776.700.51)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Message-ID-Hash: JSDBAMXW3LRGY7TQWXS3ZR5V3APVWACR
X-Message-ID-Hash: JSDBAMXW3LRGY7TQWXS3ZR5V3APVWACR
X-MailFrom: touch@strayalpha.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tsvwg.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tsvwg-chairs <tsvwg-chairs@ietf.org>, tsvwg <tsvwg@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [tsvwg] Re: Request for consensus call for Auth in UDP options
List-Id: Transport Area Working Group <tsvwg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/qYXN4uQwaHXqHj57uMqZz4xk7Io>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Owner: <mailto:tsvwg-owner@ietf.org>
List-Post: <mailto:tsvwg@ietf.org>
List-Subscribe: <mailto:tsvwg-join@ietf.org>
List-Unsubscribe: <mailto:tsvwg-leave@ietf.org>

Tom,

Sending AUTH to an endpoint that doesn’t expect it and have a key is useless as well.

That endpoint can and should already override.

A fundamental design principle - that was agreed by rough consensus - is that the receiver decides what to do with options, not the sender.

Until a NEW point has been made, I will wait to see what others think.

Joe

—
Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

> On Sep 6, 2024, at 7:34 PM, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
> 
> On Fri, Sep 6, 2024 at 7:06 PM touch@strayalpha.com
> <touch@strayalpha.com> wrote:
>> 
>> Hi Tom (et al.),
>> 
>> As context:
>> 
>> - NOBODY said a receiver cannot override the default behavior and decide to drop anything arriving with AUTH on a given socket.
>> That’s already part of the design and a required capability.
>> 
>> - what the current doc IS currently saying is that, *absent such explicit action by a receiver*, that AUTH doesn’t itself cause a packet to be dropped before being given to the receiver endpoint. Note that a failed AUTH would arrive with “AUTH failed” as context, not simply received without any indication of whether AUTH was present or whether it failed.
>> 
>> The goal of the current *default* behavior is to act like a legacy endpoint, i.e., to allow users to enable AUTH on transmission without immediately breaking legacy endpoints, which would silently drop the AUTH anyway. Endpoints that know better - an endpoint that has installed a key for that socket - would already presumably override that default for that socket. The goal is to ensure that AUTH doesn’t break things unless the receiver takes specific action to NOT act like a legacy endpoint.
> 
> Joe,
> 
> I fundamentally disagree that supporting legacy receivers is more
> important than security. But in the case of the Auth option it's a
> moot point, there is no valid use case of ever sending the
> authentication option to a legacy receiver.
> 
> Authentication requires some sort of key negotiation, which means for
> someone to be able to send the option they were told what key to use
> by the receiving site. So for a site to go at all the expense of
> giving out keys, but then to not bother actually validating them at
> receivers makes no sense. If receivers are allowed to ignore
> authentication then that opens the door for a misconfiguration, and if
> they willfully ignore authentication after negotiating keys that might
> even be legal problem in some jurisdictions (i.e. this is akin to a
> landlord giving a tenant keys to an apartment without bothering to
> tell them that *any* key will work to get into their apartment; when
> someone breaks and steals all the tenant's stuff the landlord is going
> to be held liable).
> 
>> 
>> That is the current state of the document and was our understanding of “rough consensus”. If that’s not the case, the chair can help us either find such consensus or direct otherwise.
> 
> There has never been any consensus on this, that's why I am asking for
> a consensus call.
> 
> Tom
> 
>> 
>> Joe
>> 
>> —
>> Dr. Joe Touch, temporal epistemologist
>> www.strayalpha.com
>> 
>> On Sep 6, 2024, at 6:33 PM, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
>> 
>> TSVWG chairs,
>> 
>> I have raised an objection to the UDP Options draft that the
>> Authentication may be ignored by a receiver. I believe this is a
>> serious security vulnerability in the protocol.
>> 
>> If a sender uses the option that must mean that a key negotiation must
>> have happened, so when the sender places the option in a packet they
>> naturally have the full expectation that the receiver will validate
>> the authentication credentials. If the receiver elects to ignore the
>> authentication then they will not only allow legitimate senders but an
>> attacker will be able to access the system as well-- so basically
>> there is no security and the user is at risk for harm. Ignoring an
>> authentication option is not safe.
>> 
>> The counter argument seems to be that it should be up to the receiver
>> to decide if the authentication option must be validated. That stands
>> in contrast to other authentication protocols like IPv6 AH that
>> explicitly require authentication option to be validated if it is
>> present (if they can't validate, then the packet MUST be dropped). If
>> the idea is that the user decides this then security is wholly
>> dependent on the user configuring the protocol correctly, so a slight
>> misconfiguration could allow a major breach (note this cannot happen
>> in IPv6 AH).
>> 
>> Please consider doing a consensus call on whether ignoring an
>> Authentication option in UDP options is allowed.
>> 
>> Thanks,
>> Tom
>> 
>> 
>