Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20

"Christopher Wood" <caw@heapingbits.net> Sat, 06 July 2019 13:50 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A25311201D0 for <dnssd@ietfa.amsl.com>; Sat, 6 Jul 2019 06:50:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=Y7X6FG8t; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=yW42+t7B
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IL0wwhhASqz8 for <dnssd@ietfa.amsl.com>; Sat, 6 Jul 2019 06:50:38 -0700 (PDT)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9DBD1201CA for <dnssd@ietf.org>; Sat, 6 Jul 2019 06:50:38 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 1AE7F48D for <dnssd@ietf.org>; Sat, 6 Jul 2019 09:50:38 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Sat, 06 Jul 2019 09:50:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm1; bh=1427O EQdGF6/z5C6ppd28pwc3GLzeZrukwfG91E/CdU=; b=Y7X6FG8tObfpWDoCSkQx9 YopAzawLBiFSawRZ708G4uLMD8g0zZ0OrBA/E3iQ/K6mvgvijb88ondwk+7Rt7hm xJZNOId4MkWqy0xUY1IzMhY4TtNVr9ui7JajJNmpuVBZSa2toSRIBelqm/LfIYo3 CcbsbBRDLf1y4bCSFbLRGv340lK/yRUu5E5l3q8b6syFRcPy1z8HZZiNhka2M9kA iHNenov9YV55qyguNJiUODTPUKaalSYF1B0BA8fUG0ePuthNqAwiyLf2iaaWrJRw VimNy0XT7FXOPk5HAccHF1jLnhsuXuNTYEL1Z05syZ0S4mXLYkgS1AS+3MUXN1uL Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=1427OEQdGF6/z5C6ppd28pwc3GLzeZrukwfG91E/C dU=; b=yW42+t7BeBvQzR1VMHJ8W9KvhVtK4M4iEW8sD7Sh52DYQKhzOZfxuGUxd YsfHJwvaNzaGbERbolEG4/KFhuG6O3aO5Ri2VdasfyciB9hfRxL1c9urMTv5ZILV 8VyIH20cGUb3XqfppYOA7Z9ZTVmN0C/mZ8IOwxVgkYmxw9hLa02kDol/L1ue2HDb BmVT/2s4AoSdLjudzwzcLAkk/8uyJNtZljJsU9j6Olvqw+vNExR/lT+PUP9vLlSj 74sKFXHjcyC6UOsPRzGljj7cPQOnxpML9rP7/qPSjwZ1CFysX30hAgUAylP8nAWJ IHWX6ak3X9bo0Er3OWgxOqB2e7I1w==
X-ME-Sender: <xms:LacgXVFTLMacGj8TmbndBCN-bnIiM6R2nxBMgr_tJfqyH6M73T1hTQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduvddrfeeigdeilecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgsehtqh ertderreejnecuhfhrohhmpedfvehhrhhishhtohhphhgvrhcuhghoohgufdcuoegtrgif sehhvggrphhinhhgsghithhsrdhnvghtqeenucfrrghrrghmpehmrghilhhfrhhomheptg grfieshhgvrghpihhnghgsihhtshdrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:LacgXRlJRViXRHo_qUqKL0thnZyTeoCoYQugdIQ8dJgzXKJcE9ppww> <xmx:LacgXb0UQLzhvUUPUtfbtZ9Ll5DuzGleO3Ns9HfNLNipLSd18-dtrQ> <xmx:LacgXXyCgmeubX8ilSJ46I5rbM00b4GPI6LvGIoG2LMGwcptty2Z0Q> <xmx:LacgXXAEgNrtc6QjPHRcGG0vPg3rtIVe53DF5wKiicR4yqRNAwbkjg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 328BC3C00A1; Sat, 6 Jul 2019 09:50:37 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-731-g19d3b16-fmstable-20190627v1
Mime-Version: 1.0
Message-Id: <1f4642f7-a976-45d1-a297-997fb39fe7ad@www.fastmail.com>
In-Reply-To: <CAPDSy+7kRdGcb8p0fDV3iWWG1Fd790B_8iVGO8B=aXsJ=9zQCw@mail.gmail.com>
References: <156175221593.21875.9525138908968318905@ietfa.amsl.com> <1CCCFE4D-9F75-432A-9839-A75C94C6E170@bangj.com> <a1812b4c-d443-fd36-ed51-bf054170efe6@nostrum.com> <31B20480-C368-46FE-8D5E-654584358EF2@fugue.com> <AA6C3215-EA6A-4777-B615-819CB0F78662@bangj.com> <CAPDSy+7kRdGcb8p0fDV3iWWG1Fd790B_8iVGO8B=aXsJ=9zQCw@mail.gmail.com>
Date: Sat, 06 Jul 2019 06:50:36 -0700
From: "Christopher Wood" <caw@heapingbits.net>
To: dnssd@ietf.org
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/BsEpiO7GigM8jFH5IqxmKl45GQU>
Subject: Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jul 2019 13:50:41 -0000

On Fri, Jul 5, 2019, at 5:45 PM, David Schinazi wrote:
> 
> On Thu, Jul 4, 2019 at 9:52 AM Tom Pusateri <pusateri@bangj.com> wrote:
> >> On Jul 3, 2019, at 11:12 AM, Ted Lemon <mellon@fugue.com> wrote:
> >> And thanks for the advice about how to terminate TLS connections—I had missed that nuance. Are TLS implementations actually able to do this (to reject RST packets)?
> > 
> > This was actually a comment from David Schinazi (and a good one). I’ve adjusted the working copy on github but there’s still one section I’m wrestling with regarding TCP RST.
> 
> On most operating systems today, TCP is in the kernel and TLS is in 
> user-space, so most implementations of TLS over TCP do not have the 
> ability to discard TCP RSTs that were injected by attackers. However, 
> the TLS close_notify alert allows endpoints to be able to tell the 
> difference between a connection that was closed gracefully by the peer 
> and one that was forcefully terminated (possibly by an attacker). So 
> upon receipt of a TCP RST without prior TLS close_notify, the 
> connection will die, but the application will know that the latest 
> message could have been truncated halfway through transmission and 
> should therefore be discarded.

+1 (though some applications might choose to use the partial message)