IETF Logo Mail Archive

Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)

Benjamin Kaduk <kaduk@mit.edu> Mon, 18 February 2019 16:23 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64EB5130F1D; Mon, 18 Feb 2019 08:23:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTEn3ikKR5kS; Mon, 18 Feb 2019 08:23:29 -0800 (PST)
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-eopbgr710110.outbound.protection.outlook.com [40.107.71.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA68F1277CC; Mon, 18 Feb 2019 08:23:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+Tg70s9u19AsNt5RWSNstRyZxYUFzT1S5BmMlRTgEJQ=; b=wn57dhJLFyQnloo7cBu7vDPSgZK7GnfWBTten+7mhrKjROTBHoy+pO5ypQF+wu7v8jVyTbgvoxPeSXwdkpymLnGbDXhKINeyySyUdNqquEPzeIwgANYtk0AIGQhOCoHzOsNOi0XI4Iq26LU+5SvKtxdgWApS75h1yWhf7a5PIck=
Received: from MWHPR01CA0040.prod.exchangelabs.com (2603:10b6:300:101::26) by DM6PR01MB5177.prod.exchangelabs.com (2603:10b6:5:8::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1622.16; Mon, 18 Feb 2019 16:23:27 +0000
Received: from DM3NAM03FT047.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e49::201) by MWHPR01CA0040.outlook.office365.com (2603:10b6:300:101::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1622.16 via Frontend Transport; Mon, 18 Feb 2019 16:23:26 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by DM3NAM03FT047.mail.protection.outlook.com (10.152.83.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.13 via Frontend Transport; Mon, 18 Feb 2019 16:23:26 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x1IGNM3L023003 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Feb 2019 11:23:24 -0500
Date: Mon, 18 Feb 2019 10:23:22 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: mohamed.boucadair@orange.com
CC: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Message-ID: <20190218162322.GI24387@kduck.mit.edu>
References: <787AE7BB302AE849A7480A190F8B93302EA0EC85@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <787AE7BB302AE849A7480A190F8B93302EA20112@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190215150458.GV56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA20406@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA20406@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(376002)(346002)(39860400002)(136003)(396003)(2980300002)(51444003)(199004)(189003)(55784004)(2351001)(6306002)(246002)(6916009)(33656002)(229853002)(8936002)(426003)(66574012)(106466001)(55016002)(6246003)(47776003)(1076003)(104016004)(53416004)(14444005)(8676002)(126002)(93886005)(2870700001)(88552002)(58126008)(316002)(54906003)(786003)(2906002)(75432002)(446003)(36906005)(26826003)(478600001)(336012)(486006)(966005)(86362001)(5660300002)(956004)(26005)(76176011)(23756003)(50466002)(476003)(106002)(11346002)(7696005)(4326008)(305945005)(186003)(356004)(18370500001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR01MB5177; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; A:1; MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: ea080144-dba3-483f-5fc1-08d695bd6926
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600110)(711020)(4605104)(4608103)(4709054)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060); SRVR:DM6PR01MB5177;
X-MS-TrafficTypeDiagnostic: DM6PR01MB5177:
X-MS-Exchange-PUrlCount: 2
X-Microsoft-Exchange-Diagnostics: 1; DM6PR01MB5177; 20:Mjnd+40HmPDm8EnVjdGfuZeokW1wTeXQirwBNZPGYZO7LibWIQx0Zl8sfpUqqy0T2gD3c8xPRfu2r0K/H9Zy4iSNxMFqkqGTvOORekdCU5MJUEXe5baFxoiM8SMfbxGfNengJgC74O7joRsvw4i0vJTEgOvoPbsAu2d43ZJy0FcEYgEtaPUNOT13O2FYs67rcgX53g4KvCpsPJk9ZLSyfkJjp0EPsxuUFVBCzDgsVR3LIGnsWa2uvkJEQVhUjcvZyKNK+qz0gY5rTCglr55nRpJkO/KxQBlAJc1g7fnJszD1VeMo4ASEK4C4cPTGBUp2rWxxdY8V2NeCyuQync8aGRUiOjdqfQ7jh7YpPXtd06k6cA4qvqOnGsrcZlocQwTa9nRmRsXKJfYac6ulBkQnbBUDTMbw4JSKxHZ5zMSx7pD7GPzpmhtqoolAVTnVjRD+zvdzrKJrTbi4rQBLLNO2G4IjbELEq7ndrMKUmQv4+Vgpum6zZsKSL7lqO/K2/PtbPab/Wt/3F2Ng1obBOp09UU8G+WHwzgfWphEYszQEe36MZxLKoKnByLqpzMOK9hwki8YTorPmq/lkwlrW8Tk8KwXgiQ5KOzMUDhHPYDNhojY=
X-Microsoft-Antispam-PRVS: <DM6PR01MB5177730B55BF3355FEFE0882A0630@DM6PR01MB5177.prod.exchangelabs.com>
X-Forefront-PRVS: 09525C61DB
X-Microsoft-Exchange-Diagnostics: 1; DM6PR01MB5177; 23:D8phmiZ+hVwrrQe4o5OVdCAGVI/u9wv+1R3gzF/xCrjADTg3iVKBDIv2r9+WPLhrJoOt46RuALDlHPO33zt1gigllAoO2uDfxmch92BnXvcZtOE2VBFwITkmUHp3VxPspdGnxTGRWuS9T9FDGFO22wk2BuKsA67j25/AGdX26EgLHEphLg4qT9RY8+mbDyvCBdwAX6c9QPApMHupJfLOZ9JOSFihA3P4npsb1FXzUiuJymMxGb3gOkzLsPVVy+bOshaAY0MCBizTC3XzhKgDN+IV9NB8HUIGJ2WUT60hB4jLFHZWtZzdJ1kd1yN6YRzN5rfib8imKzmuY+x2GQ6mCijF0qdq7AOb7Zx8a8pT3lkBMjxg71lC3dIMAiKHE/qbk33W2R79HztEvcZvBsBeFhcJ40uNnX3jcQqXLgP/Yk1MTX06srAoUXbmarVPa2JliSTTiTo2L0MYPIFEGnpAbR8Ls9QZAhziOu6/3nKNHnwOM117oM2DI3FRK9LKTevSSYejSj2JPg/SgOlOMMijqygeqylyezh7WhuIaNT8kUuSd4+Jpw81KMu63V7bU8V/lD90oRTeRtkSk8+ycPqxItBYwotEoxjABiBSfreSurDZw+z20ofw9O3lRo/g0WB2IQH9Wd8zpLUO07JZLAEstAN4CERrcNjTDAmMgTLY/yuRcEtQvq+/ZDdR2xPkG8TVlpeM9puungwWd9xEPHEWLgelejBqWdeF0O56QI4LQPDAkQIhMODFEXYGlP66uKNfQXDOQHw8XWzAfi8VNkIRsj/6yzuGcePr3Art5gFgim/Of4V2inPBo0K9EAe4KUIL99tpjG+B883qNintdkFCZQReTNtW04CIHEAt7K2ihZ5t3NhTkIAu39CQIeHrL4FCKOmBqOurRA/e8H421t3qzvKUyxoZZ1SkgWVEljx8VFJF9bjMGnfN/2iLesFDUGOCDu3HWhVcZZX81gMzBT6Dl7Gp/oTON8vax+bwZ403P+yyCiplHvIXYy25W4Lp3LRCBqZeIXqfa+UUWjI1Mc2gGZgGJTt/jTFrRHYStqh/2/F3QNtgCbU4d2kdye3QjYi6FAsSUJ66JvXe1d/F3BWHfAv3gJXo+0xYMjfopkWZJoIZsL2sJXlx1pL9uIH6vJ3VSri8qkFyt4IvYRBbqN6+qtcFnrAJBVkHQGpjtUA8JhSXT9zDdk9nuTAng4NtPrBp54wukNRlhW3HdQ1uMVsw0wsvR5fgNouMpqzPtwXAkGMJZo/x/nXC9gKXYiib+laFbtjn0AshAhkZvu7lSBMySzSqcl1rGB/MEgb/R0xiIA8bbNpbSnZh915bYEaFvFHD
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: 3tTn6+4ceacYTJoqSVq0hiLvf4hPuoNPwAXfpwZQX9q4JOaJKIXPet2kRDdfM4EA0FS2EkzdFELzjC0Z5Z2fZrc1WFFN0g3A8PGiJz1ZvV5GdZC2t+os4w7Ib8z3RAiDViVcjE2WWlPUD8g0LTth1SsZr8aP4Sh6MzLjPSV16KYH0AO+9n0q7p5HQBCetOiG1DTGBHQlrGvTqzLlu5QPBkxODUsIUhtOsbTS//rRYfZ3X9sNOBICNob1nRgT9w4Tl6UrgDTjaKTxiDuYvWvt5JzfBSbLMFVqbVNWAfzJ5Boyh0wkKaDx3naTmVp+YUf+jKGZt96BGrkI6XQBGxzbgVfOlOSjCsG9nYgiPWQ54cAU5yQ4fUi5+C++Y7Ge986VFNN/fa5YlhpX1Sr2m7Mk5mO94txST0fHoePRY/KqjNg=
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Feb 2019 16:23:26.0710 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: ea080144-dba3-483f-5fc1-08d695bd6926
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR01MB5177
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/3E3yLZhUDMVfXzKwOTYN5QQnxpw>
Subject: Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 16:23:31 -0000

On Fri, Feb 15, 2019 at 03:36:05PM +0000, mohamed.boucadair@orange.com wrote:
> Re-,
> 
> Looking forward to discuss this further. 
> 
> I wonder whether you can consider putting the document in the IETF LC for now. If it happen that we need to modify the 0-RTT text, we will handle it as other IETF LC comments.

I would normally be pretty amenable to starting IETF LC and continuing
discussion; it's just for this issue in particular that I seem to be the
main person on the IESG that enforces the "application profile for 0-RTT
data" requirement, so it would feel rather odd to go forward in this case.
Luckily, I spent some time this weekend reading RFC 7252 and have some
substantive comments.

The key oberservation here seems to be that the Message ID is scoped per
endpoint, and replays can come from arbitrary addresses.

Specifically, we recall that:

   The DOTS signal channel is layered on existing standards (Figure 3).

                          +---------------------+
                          | DOTS Signal Channel |
                          +---------------------+
                          |         CoAP        |
                          +----------+----------+
                          |   TLS    |   DTLS   |
                          +----------+----------+
                          |   TCP    |   UDP    |
                          +----------+----------+
                          |          IP         |
                          +---------------------+

We note that CoAP is using the IP address or "DTLS session" (arguably a
poorly chosen term) to identify a CoAP association and that Message IDs are
only used within the scope of such an association, it seems pretty clear
that an attacker able to replay TLS 1.3 0-RTT data will slice off the top
three lines of this figure and swap out the TCP/UDP/IP layers.  In the
absence of DTLS connection IDs, my understanding is that the "DTLS session"
is identified solely by the transport connection, just as for coap-not-s,
so by spoofing the source address, the attacker causes the replayed 0-RTT
data (and thus, CoAP request) to be interpreted as a new incoming coaps
connection.

Given that Message ID is only 16 bits and the servers accepting 0-RTT data
have potential to be quite busy, it does not seem workable to attempt to
use the incoming Message IDs as globally unique replay defense, as the risk
of collision would be pretty large.

So I think that the 'mid' monotonicity and the rejection of conflicting
request scopes are the main mitigating factors against replay in the
current design (alongside the RFC 8446 mechanisms, of course), and the text
should be adjusted to reflect that.

It seems that the 'mid' ordering is probably enough to protect
reordering/replay of mitigiation request and withdraw, even when reordered
across other mitigation actions.  But I am more concerned about
reordering/replay of other messages, like efficacy updates and session
configuration changes.

Consider

client                   attacker                    server
|
|----efficacy: attack mitigated--------------------->|
|                                                    |
|----efficacy: under attack------------------------->|
|                                                    |
|                        |-replay: attack mitigated->|

Is the server going to end up with the expected state?

-Ben


> 
> > -----Message d'origine-----
> > De : Benjamin Kaduk [mailto:kaduk@mit.edu]
> > Envoyé : vendredi 15 février 2019 16:05
> > À : BOUCADAIR Mohamed TGI/OLN
> > Cc : Konda, Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf.org;
> > dots@ietf.org
> > Objet : Re: Using Early Data in DOTS (RE: [Dots] AD review of draft-ietf-
> > dots-signal-channel)
> > 
> > Hi Med,
> > 
> > Short form: I need to think about it harder.  There's some indication that
> > the CoAp Message ID is at the wrong level to protect the 0-RTT data, but
> > I'm not sure yet.
> > 
> > Sorry for the delays; this has been a frenetic couple weeks :(
> > 
> > -Ben
> > 
> > On Fri, Feb 15, 2019 at 03:01:29PM +0000, mohamed.boucadair@orange.com wrote:
> > > Hi Ben,
> > >
> > > What is the status for this one? Are we OK to move forward?
> > >
> > > Thank you.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Message d'origine-----
> > > > De : mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com]
> > > > Envoyé : mardi 29 janvier 2019 14:32
> > > > À : Benjamin Kaduk
> > > > Cc : Konda, Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf.org;
> > > > dots@ietf.org
> > > > Objet : Using Early Data in DOTS (RE: [Dots] AD review of draft-ietf-
> > dots-
> > > > signal-channel)
> > > >
> > > > Hi Ben, all,
> > > >
> > > > We edited a short draft (https://tools.ietf.org/html/draft-boucadair-
> > dots-
> > > > earlydata-00) to motivate the following text included in the signal
> > channel
> > > > draft:
> > > >
> > > >       Section 8 of [RFC8446] discusses some mechanisms to implement to
> > > >       limit the impact of replay attacks on 0-RTT data.  If the DOTS
> > > >       server accepts 0-RTT, it MUST implement one of these mechanisms.
> > > >       A DOTS server can reject 0-RTT by sending a TLS HelloRetryRequest.
> > > >       The DOTS signal channel messages sent as early data by the DOTS
> > > >       client are idempotent requests.  As a reminder, Message ID
> > > >       (Section 3 of [RFC7252]) is changed each time a new CoAP request
> > > >       is sent, and the Token (Section 5.3.1 of [RFC7252]) is randomized
> > > >       in each CoAP request.  The DOTS server(s) can use Message ID and
> > > >       Token in the DOTS signal channel message to detect replay of early
> > > >       data, and accept 0-RTT data at most once.  Furthermore, 'mid'
> > > >       value is monotonically increased by the DOTS client for each
> > > >       mitigation request, attackers replaying mitigation requests with
> > > >       lower numeric 'mid' values and overlapping scopes with mitigation
> > > >       requests having higher numeric 'mid' values will be rejected
> > > >       systematically by the DOTS server.
> > > >
> > > >       Owing to the aforementioned protections, especially those afforded
> > > >       by CoAP deduplication (Section 4.5 of [RFC7252]) and RFC 8446
> > > >       anti-replay mechanisms, all DOTS signal channel requests are safe
> > > >       to transmit in TLS 1.3 as early data.  Refer to
> > > >       [I-D.boucadair-dots-earlydata] for more details.
> > > >
> > > > This text and also the Designated Expert guidelines are implemented in -
> > 28.
> > > > These are the two pending issues from your AD review.
> > > >
> > > > Other edits were also made to record what was agreed on the list.
> > > >
> > > > We hope this version is now ready to move forward.
> > > >
> > > > Cheers,
> > > > Med
> > > >
> > > > > > > > > Regarding the (D)TLS 1.3 0-RTT data, RFC 8446 notes that
> > > > "Application
> > > > > > > > > protocols MUST NOT use 0-RTT data without a profile that
> > defines
> > > > its
> > > > > > use.
> > > > > > > > > That profile needs to identify which messages or interactions
> > are
> > > > > safe
> > > > > > to
> > > > > > > > use
> > > > > > > > > with 0-RTT and how to handle the situation when the server
> > rejects
> > > > 0-
> > > > > > RTT
> > > > > > > > and
> > > > > > > > > falls back to 1-RTT."  So we either need to say which client
> > > > requests
> > > > > > are
> > > > > > > > 0-RTT
> > > > > > > > > safe (and why) or defer that profile to another document.
> > draft-
> > > > > ietf-
> > > > > > > > dnsop-
> > > > > > > > > session-signal is perhaps an example of a document that
> > specifies
> > > > > which
> > > > > > > > > messages are/aren't allowed in early data.
> > > > > > > > > (draft-ietf-acme-acme is another, but an uninteresting one,
> > since
> > > > > they
> > > > > > make
> > > > > > > > > every request include a single-use nonce, and all messages are
> > 0-
> > > > RTT
> > > > > > safe.)
> > > > > > > > > Our use of increasing 'mid' values may help here, in terms of
> > > > > allowing
> > > > > > > > DELETEs
> > > > > > > > > to be safe, but I'd have to think a little more to be sure that
> > > > > > requesting
> > > > > > > > > mitigation would be safe.  (On first glance the session-
> > managemnet
> > > > > bits
> > > > > > > > would
> > > > > > > > > not be safe, but I may be missing something.)
> > > > > > > >
> > > > > > > > The draft only uses idempotent requests (GET, PUT and DELETE),
> > and
> > > > CoAP
> > > > > > is
> > > > > > > > capable of detecting message duplication (see
> > > > > > > > https://tools.ietf.org/html/rfc7252#section-4.5) for both
> > confirmable
> > > > > and
> > > > > > > > non-confirmable messages.
> > > > > > > >  [1] An attacker replaying DELETE will not have any adverse
> > impact,
> > > > > 2.02
> > > > > > > > (Deleted) Response Code is returned even if the mitigation
> > request
> > > > does
> > > > > > not
> > > > > > > > exist.
> > > > > > > > [2] The techniques discussed in Section 8 of RFC8446 should
> > suffice
> > > > to
> > > > > > handle
> > > > > > > > anti-replay (e.g. an attacker replaying a 0-RTT data carrying an
> > old
> > > > > > > > mitigation request replaced by a new mitigation scope).
> > > > > > > >
> > > > > > >
> > > > > > > [Med] FWIW, we do already have this text in the draft:
> > > > > > >
> > > > > > >       Section 8 of [RFC8446] discusses some mechanisms to implement
> > to
> > > > > > >       limit the impact of replay attacks on 0-RTT data.  If the
> > DOTS
> > > > > > >       server accepts 0-RTT, it MUST implement one of these
> > mechanisms

v2.23.0 | Report a Bug | By Email