Last Call Review of draft-ietf-masque-connect-udp-13
review-ietf-masque-connect-udp-13-secdir-lc-meadows-2022-06-07-00
| Request | Review of | draft-ietf-masque-connect-udp |
|---|---|---|
| Requested revision | No specific revision (document currently at 15) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2022-06-08 | |
| Requested | 2022-05-25 | |
| Authors | David Schinazi | |
| I-D last updated | 2022-06-07 | |
| Completed reviews |
Genart Last Call review of -12
by Christer Holmberg
(diff)
Secdir Last Call review of -13 by Catherine Meadows (diff) Opsdir Last Call review of -12 by Al Morton (diff) Opsdir Telechat review of -14 by Al Morton (diff) |
|
| Assignment | Reviewer | Catherine Meadows |
| State | Completed | |
| Request | Last Call review on draft-ietf-masque-connect-udp by Security Area Directorate Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/MA0fwDTOopGowbq3QfITHAqmAF4 | |
| Reviewed revision | 13 (document currently at 15) | |
| Result | Has issues | |
| Completed | 2022-06-07 |
review-ietf-masque-connect-udp-13-secdir-lc-meadows-2022-06-07-00
This draft describes a protocol for proxying UDP in HTTP, similar to the way in which HTTP CONNECT allows proxying TCP in HTTP. The Security Considerations Section, besides noting that the considerations identified in HTTP-DGRAM also apply, notes the necessity for authentication. It also notes the security issues (particularly, vulnerability to denial of service attacks)that arise from the fact that in UDP the target of a connection doesn’t have to indicate its willingness to accept a connection before a proxy sends data. It also discusses some issues that may arise from basing a UDP proxying implementation on a pre-existing implementation of the TCP CONNECT Protocol. I found a couple of minor issues, mainly having to do with clarity: Issue 1: I am confused by the last paragraph of the section, which runs as follows: UDP sockets for UDP proxying have a different lifetime than TCP sockets for CONNECT, therefore implementors would be well served to follow the advice in Section 3.1 if they base their UDP proxying implementation on a preexisting implementation of CONNECT. First of all, it’s not clear what the security implications of this are. This needs to be explained (or put elsewhere if there are no security implications). Secondly, it’s not clear what advice in Section 3.1 is relevant to this paragraph. Section 3.1 is mostly MUSTs and SHOULDs; I don’t see anything I would call advice. The paragraph needs to say more clearly what advice it is referring to. Issue 2: It is hard to draw a conclusion from the paragraph on DoS The first two sentences are clear. They state that the fact in the CONNECT method for TCP the target must indicate its willingness to receive data, while this is not the case for UDP, potentially makes it easier for UDP proxies implement denial of service attacks. However, I had trouble understanding the rest of the paragraph: However, in practice denial of service attacks target open TCP ports so the TCP SYN-ACK does not offer much protection in real scenarios. While a UDP proxy could potentially limit the number of UDP packets it is willing to forward until it has observed a response from the target, that is unlikely to provide any protection against denial of service attacks because such attacks target open UDP ports where the protocol running over UDP would respond, and that would be interpreted as willingness to accept UDP by the UDP proxy. I think that what this is intended to say is that because DoS attacks target open ports there is not much difference between TCP and UDP proxies as far as vulnerability to DoS is concerned. I would recommend saying this upfront. Then it would be easier to see how the two sentences above support that statement.