Open gorryfair opened 2 months ago
Consensus call comments for:
--- Comments follow --- 1) Q3: This one is less clear. Section 9.9 from version 18 defines an Auth option, this was carried over to 11.9 of version 32. However, the Auth option is not fully specified. There are some preliminary requirements that Auth is a SAFE option and should be ignored by default-- it is an open issue as to whether these requirements are acceptable for an Auth option. Since authentication isn't being fully specified at this time, I suggest simply removing section 11.9 without loss of useful content. It is sufficient to say that UDP options are extensible and an Auth option could be specified in the future.
Note: Already discussed - and was included as issue #58.
2) Q1/3 See 3. below, unless we find a way for the receiver to assert that a packet was not modified, I would think it more pragmatic to go for 'SHOULD NOT'...
The consequence of 1 and 3 seems to be that the only defence against on-path manipulations is the wording "UDP Options MUST NOT be modified in transit" and IMHO even more tricky the receiver has no way to actually detect such changes. This should not stand, either we allow on-path changes (no need to endorse them thjough) or we make UDP options sufficiently complete to detect them.
Note: There is a suggested improvement.
3) Q2: The text in #2 is weaker than the requirement in #1 (MUST NOT), as the IETF seems to now accept that NAT and ALGs are part of the Internet and so there are obviously portions of the transport datagram that get modified in-transit. I think my comment here is similar to Sebastian's mentioning MSS clamping. I don't know if a good solution to this discrepancy might be to weaken the "MUST NOT" to a "SHOULD NOT", and trust that the rest of the text is discouraging enough to carry the WG's intention.
Either way, realistically, I think that option additions and modifications on-path are likely to happen, so the question is probably whether we want to leave the door a little bit open (via "SHOULD NOT") to make sure the IETF can properly specify how those special cases are least-harmfully done (i.e. similar to the old BEHAVE WG goals), or to just stick with the "MUST NOT" and insist that it is not valid behavior (in which case, the text in question 2 is too weak).
I am fine either way, just want to point out the discrepancy between #1 and #2.
Note: There is a suggested improvement.
4) Q3: Kinda. It is a bit too weak.
I will rather say "Mechanisms to support encryption/authentication will separately be added at a later stage (see section 9.9,9.10)." This will establish the expectation that intermediaries should definitely not attempt to modify the content of options, and should not rely on being able to understand that content.
Note: This is a suggested improvement.
(see TSVWG list for full mail)
On Tue, Apr 9, 2024 at 5:01 PM touch wrote:
We can prevent that if/when we proceed with the UDP encryption option or using IPsec.
I wanted to make sure we have a consensus here that it is good enough to do so. ... But all this talk about transport protocols and their vulnerability to on-path mods strikes me as hollow. We have had such protections for TCP for a generation (over 25 yrs) with TCP-MD5 and its successor TCP-AO. Neither one protects packets from on-path tampering with IP options, but we’ve had that for just as long too.
(I am not sure why that is not widely deployed yet :-).)
The obligation here is that we have thought about the possibilities, understand the pros and cons, made the right choice, and well describe them on what we published.
I am not AD reviewing the document now, but I would not like wait till my AD review to express what I would be looking for. Now you know and can just tell me yes we have done those thoughts and in section XXX we have described it well.
Please, do that!!.
I am late to respond and I am not sure I am supposed to respond, but have we created the issue.. It would be great for the record to share the issue link in this email thread.
Request: "The obligation here is that we have thought about the possibilities, understand the pros and cons, made the right choice, and well describe them on what we published."