IETF Logo Mail Archive

Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32

"touch@strayalpha.com" <touch@strayalpha.com> Wed, 10 April 2024 05:53 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5EB7C14F610; Tue, 9 Apr 2024 22:53:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.315
X-Spam-Level:
X-Spam-Status: No, score=-1.315 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PFzOCGQm2w12; Tue, 9 Apr 2024 22:53:23 -0700 (PDT)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90ED7C14F5FF; Tue, 9 Apr 2024 22:53:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=lPS0NJ1TOg+GS8NJiJufI93DyieYQBbmykPKFwBLBa0=; b=SImay82oCaSxK9CoZSr8VBwkd8 IJl8jqsxXI9lFd21BRXU+LtLzrq4h90yX7h6XYC6CME32H8SvaKmjYz0nIZNGbvnQscVpei/kjNEr O899K8h6zVNA6fmJg/YCqEbHKSizUclGLUSLBNS9CjO3E62Z/w+JODLV3WCiUx28FH6HwZTqbBE7o sDOLdzgNGovEMb60HLVk/QPPNvSMvHU7GkKltSU5J7wHu9I6QiHvRDVNY6n2nwh9BX50fhtE1msSg I9R8bTRmnrCbBo/Vf+yEsvXmkBP7mDCPdRkELS1wxGJ1Axfe+LiQlIRfChN/87u82E039Mwbh0sTx TVm0IZHQ==;
Received: from [172.58.208.48] (port=48715 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <touch@strayalpha.com>) id 1ruQtZ-003m9x-1E; Wed, 10 Apr 2024 01:53:21 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_CA8412FB-C279-4FAA-8783-3FF87DC877CD"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <9bff172e-1cf3-4403-8088-eb9a25ba4185@huitema.net>
Date: Tue, 09 Apr 2024 22:53:02 -0700
Cc: "Gorry (erg)" <gorry@erg.abdn.ac.uk>, tsvwg <tsvwg@ietf.org>, draft-ietf-tsvwg-udp-options.all@ietf.org
Message-Id: <2B86769C-7BC7-4BCC-948A-E014C4D9DDD0@strayalpha.com>
References: <f98c67c3-45e2-49bf-9b3e-6545239355a1@huitema.net> <0CCBFF2B-9397-4E86-85F0-FD109A426C45@strayalpha.com> <9bff172e-1cf3-4403-8088-eb9a25ba4185@huitema.net>
To: Christian Huitema <huitema@huitema.net>
X-Mailer: Apple Mail (2.3774.500.171.1.1)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/sXyz27C-2qmSEznd00abH3I1bRY>
Subject: Re: [tsvwg] Review of draft-ietf-tsvwg-udp-options-32
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2024 05:53:27 -0000

> On Apr 9, 2024, at 7:11 PM, Christian Huitema <huitema@huitema.net> wrote:
> 
> On 4/9/2024 3:41 PM, Joe Touch wrote:
>>> On Apr 9, 2024, at 12:17 PM, Christian Huitema<huitema@huitema.net <mailto:huitema@huitema.net>>  wrote:
>>> the maximum segment size option.
>>> Anything that adds clear text to an already encrypted packet should be considered an attack.
>> That would make all TCP or IP options used with TLS an attack. Please let us know when those are addressed.
> 
> But there have indeed been attacks against clear text TCP headers, from SYN attacks to RST to data insertion.

Yes, but that does not mean that every use of cleartext in TCP headers *is* an attack.

An attack is not simply something you don’t expect.

> There are also lots of intermediaries that like to mess with the TCP headers, for example rewriting flow control parameters or the maximum segment size option.
> These have been addressed over time in TCP.

Yes - partly by the use of VPNs. In some places (e.g., BGP), by the use of in-protocol protections similar to what we’re already planning here for UDP. But in most places, they’re not protected for TCP at all and yet the Internet still works.

> These attacks are largely mitigated in encrypted transports like QUIC.

Everywhere someone has the required certificate, which isn’t everywhere.

Again, simply assuming encryption isn’t enough if there aren't deployed keys.

> Adding clear text options to encrypted transports will bring new attack scenarios, which will typically only be discovered over time and which will necessitate ad hoc mitigations.

We are opt-in, not default on. We already have hooks for TCP-AO style protection. And we’re also already protected by VPNs the same way TCP is.

If this is so dangerous, then TCP is too - which would be convenient as we wouldn’t be exchanging emails like this ;-)

Joe

v2.23.0 | Report a Bug | By Email