Re: [tsvwg] Regarding DTLS and UDP options

[Joe Touch <touch@isi.edu>]

On 4/17/2017 2:06 PM, Tom Herbert wrote:
> On Fri, Apr 14, 2017 at 4:56 PM, Joe Touch <touch@isi.edu> wrote:
>> Hi, all,
>>
>> Christian Huitema a question about the interaction between DTLS and UDP
>> options during my remote presentation at IETF 98.
>>
>> I took a closer look and consulted with Eric Rescorla (DTLS author). He
>> and I agreed as follows:
>> - DTLS would currently not cover UDP options; DTLS protects only the UDP
>> payload
>> - the situation is analogous to TCP options, which are not covered by TLS
>> I.e., both TLS and DTLS are transport *payload* security only, despite
>> their names.
>>
>> Christian noted that this may be a reason QUIC prefers UDP (to avoid the
>> need to protection transport options), however QUIC does not (and
>> cannot) deprecate UDP payloads that are smaller than the IP payload.
>> That would require a change to RFC 768.
>>
>> I'll add a clarification on this point to the next rev of the UDP
>> options document.
>>
> Since the UDP options are not covered by DTLS couldn't that allow a
> middleman attacker to add arbitrary UDP options to a packet thereby
> potentially circumventing the security provided DTLS?
Everything you just said is already true for TCP and TLS.

The "TL" in TLS and DTLS is a misnomer; neither one provides
transport-layer protection.

> Maybe if DTLS is
> in use then AE option should be required also? 

That's no more appropriate than it would be to require TCP-AO whenever
TLS is in use.

> Note that this case
> differs from TCP options since the sender in my example my not even
> have a clue as to what UDP options are.
That's irrelevant. In both cases, a MITM can add an option that the
sender might not know about.

If you want to protect the transport header, you have to use true
transport-layer protection (TCP-AO, UDO AE) or IPsec.

Joe