Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20

David Schinazi <dschinazi.ietf@gmail.com> Sat, 06 July 2019 00:45 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4F9E1200DB; Fri, 5 Jul 2019 17:45:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BEj2RhiqC3J; Fri, 5 Jul 2019 17:45:25 -0700 (PDT)
Received: from mail-lf1-x141.google.com (mail-lf1-x141.google.com [IPv6:2a00:1450:4864:20::141]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EB691200A3; Fri, 5 Jul 2019 17:45:24 -0700 (PDT)
Received: by mail-lf1-x141.google.com with SMTP id q26so7315013lfc.3; Fri, 05 Jul 2019 17:45:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8BCl72kwFPqkJdUT9Jz6oxBvNtrbjhUR3CfM1OC2Inc=; b=B5SKjWCZ72oXqXiJ+vMLB5v3qV7opXRgWZKxssOkHFPgW8yB6VrTfaXuBnwjkpNQNH LICqxmmvD0YNsuWHPfI4TvlhBLzoS1rNVItovBVbtAVC+MN4i4duam7Qt3btvB9CmoUr RQvK+Qzowrukp7xgODeuuJy+ovzGuV3MGIKHGz8d3MzVb15vlRkPql7ZWuFGJa9N68r4 2uamNT1j6dLCFIoHfhfh6Iu4YGzsq50lQbNbf7dVrqVv0//W91Nh3fGJ2GxIgmgOzqHf hCx14V6SaR7Lz3OuZHmqCZeGuLRlxLft61gDUZw6F1amQOSSJYX+dGnG5tBM6yROIu+n Ra9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8BCl72kwFPqkJdUT9Jz6oxBvNtrbjhUR3CfM1OC2Inc=; b=bm39IYOfRajoIFOP/CmirvkZ8PSYBVU26S0I/5UAq0pkEH0+9d4mR1dWDHUnxAMYr0 4HP+aIqLrKU2iUtPEeHvB0AkiDhDbyDrKCItfLOXLiVP5ViTN5mCqJh4YjkXm1Ke4l22 dZWaeNAuWIEVZLd1JX78Gd1QriOLu0SH1Fpe/l437FJdov7CwdH/FmPOHxJsK10W3rYk +pVc3ExGUMOsq1eNngb18nVOeoOvFQDJ8Q8nTnze18QHL17yCTu5UU4dZSnclUxT9Z+G U7uHmdcNGV0eMICLBK+ITvH5OxRbR1weiTOn/FyZP+cQzdTZAwAh3j4/Wo/4gcvk5fD4 fJ+Q==
X-Gm-Message-State: APjAAAW8P33oOINqlU4F0+V9UiJC5VV+EwRpIHquWUjLpNef+WKdsXVJ Gh4itAnv6ZzMFNvIubJXNT9mO13k6FcPtIHDh6Zi5w==
X-Google-Smtp-Source: APXvYqz5xymLKZJlJgalHmayIPD51RpV2/zrpUq91x0PjDm2DSJyaC79/JLXRdXaIWdlQdwz1n3DWpq7KK0VOoeRDPU=
X-Received: by 2002:ac2:46ce:: with SMTP id p14mr3310396lfo.148.1562373922700; Fri, 05 Jul 2019 17:45:22 -0700 (PDT)
MIME-Version: 1.0
References: <156175221593.21875.9525138908968318905@ietfa.amsl.com> <1CCCFE4D-9F75-432A-9839-A75C94C6E170@bangj.com> <a1812b4c-d443-fd36-ed51-bf054170efe6@nostrum.com> <31B20480-C368-46FE-8D5E-654584358EF2@fugue.com> <AA6C3215-EA6A-4777-B615-819CB0F78662@bangj.com>
In-Reply-To: <AA6C3215-EA6A-4777-B615-819CB0F78662@bangj.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Fri, 5 Jul 2019 17:45:11 -0700
Message-ID: <CAPDSy+7kRdGcb8p0fDV3iWWG1Fd790B_8iVGO8B=aXsJ=9zQCw@mail.gmail.com>
To: Tom Pusateri <pusateri@bangj.com>
Cc: Ted Lemon <mellon@fugue.com>, draft-ietf-dnssd-push.all@ietf.org, DNSSD <dnssd@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ab4121058cf8862f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/Ojemu7k7Q66Vh0cJE-o2aFuwXvM>
Subject: Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jul 2019 00:45:27 -0000

On Thu, Jul 4, 2019 at 9:52 AM Tom Pusateri <pusateri@bangj.com> wrote:

> On Jul 3, 2019, at 11:12 AM, Ted Lemon <mellon@fugue.com> wrote:
>
> And thanks for the advice about how to terminate TLS connections—I had
> missed that nuance.  Are TLS implementations actually able to do this (to
> reject RST packets)?
>
>
> This was actually a comment from David Schinazi (and a good one). I’ve
> adjusted the working copy on github but there’s still one section I’m
> wrestling with regarding TCP RST.
>

On most operating systems today, TCP is in the kernel and TLS is in
user-space, so most implementations of TLS over TCP do not have the ability
to discard TCP RSTs that were injected by attackers. However, the TLS
close_notify alert allows endpoints to be able to tell the difference
between a connection that was closed gracefully by the peer and one that
was forcefully terminated (possibly by an attacker). So upon receipt of a
TCP RST without prior TLS close_notify, the connection will die, but the
application will know that the latest message could have been truncated
halfway through transmission and should therefore be discarded.

David