IETF Logo Mail Archive

Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 19 February 2019 06:41 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFB9C130E76; Mon, 18 Feb 2019 22:41:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o7pvalwznurD; Mon, 18 Feb 2019 22:41:11 -0800 (PST)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4981130E7A; Mon, 18 Feb 2019 22:41:10 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1550558345; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-exchange-diagnostics: x-microsoft-antispam-prvs:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: Content-Transfer-Encoding:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=yehttd8r3ha2RM+VV3NMKkG11ij8z9LPd+5G4y m6W9o=; b=qOQgkWXhYf3STVOtV/6E25qOFe+JvXABipxDqXFw rRaOSePh3/23pKSp4oCjCpq3yIxqJfxOC0gBtBcTVXhExbedIr gJQsD0ah0gxX9LtP9S/vECjpLEj69cfp7DPWTR+uMigVGhnVR0 ZsxTg4rnhIVpLRw4Q/2y3NgNXm7byrA=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 604b_1f5f_a623e17a_5469_4eea_bf53_fa1d9a75ca34; Mon, 18 Feb 2019 23:39:04 -0700
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 18 Feb 2019 23:40:32 -0700
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Mon, 18 Feb 2019 23:40:33 -0700
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (10.44.176.240) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 18 Feb 2019 23:40:28 -0700
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2760.namprd16.prod.outlook.com (20.178.233.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.14; Tue, 19 Feb 2019 06:40:31 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::9c48:452b:e39c:ef39]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::9c48:452b:e39c:ef39%2]) with mapi id 15.20.1622.020; Tue, 19 Feb 2019 06:40:31 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
CC: "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: Using Early Data in DOTS (RE: [Dots] AD review of draft-ietf-dots-signal-channel)
Thread-Index: AQHUx6Zad4wSPXSxIUiJUgMrwAb+nKXmpwyw
Date: Tue, 19 Feb 2019 06:40:30 +0000
Message-ID: <BYAPR16MB2790B511B8D5362698DE61FCEA7C0@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302EA0EC85@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <787AE7BB302AE849A7480A190F8B93302EA20112@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190215150458.GV56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA20406@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190218162322.GI24387@kduck.mit.edu>
In-Reply-To: <20190218162322.GI24387@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7f6b8499-d9f6-43a4-4dfb-08d69635248d
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2760;
x-ms-traffictypediagnostic: BYAPR16MB2760:
x-ms-exchange-purlcount: 3
x-microsoft-exchange-diagnostics: 1;BYAPR16MB2760;23:nAHyBRDdptpK4J6Z9N//9GsYXM2oGdFi96AK/cEswFUFXKbeE5075GgfZB0GO6Uhp/+jOKSDvPu12KSBbuceIU9e5Hy4jZ1wrG7HlawIgzOFmogH/CDgHh4sF9N1EOsRV7o05YRPROFtEz3tUjZLkVJG9qqUnSpn41tIlf3xBQLsvTWUgGo9eFVEAguNGuaO4tkjR+UitR3EW3RZud/pfJBCyuDaiXqX1yC7hTo+9Hn/M1oZSpz8lpV+HFpRmQyqOKl+k0uCVPph+tqlwDUpw+wgzqfpJYhH82yGP49PbErLly3ph7FACl6MTJfIZ9aQnoW9hrsgiLs6XIuHhk1Ww2LyJhQYYDNrKEPN2194FPVRpxB7VqJVyWY4vjJMzJa6JuMjiQEKDi1n4i3sKBqer87STpKNV0gSfuuuZVjciJLP6O9NcPZiWozff1dD9pmkiPr7aOF1TvvrVWrIhzjVZu+mrDNbzr7uEHABY2acMHrZtyKixtqDTSe+07bsZl7hSFtC+laWP6m/u6SVNMY1cL0J/6dall4n9qChcy+vH+toJGxBU8LJDUSaaJfbbnIkgL6OASwTkaloCP9tk+V2uJZILnfKoHH/+wZwq5BlyXa7YbFXq4+boKac8EPmvdETvVnguQgo3fmCx0Ds5XbantRRMPG5trUkaAVcyOX32oq+18Ux0Pa0czObC7GcCREeIWmk2OijmzyRPOXbGTJA0NB1Sy5axtuLkeraKi/cxmJ8fyDdyLdximf+zKNM6dKEAkZhO930Dst4gyznXyNX/M0UPqHIuB9wWOBopk7AoHetc7EPx31ImkmDWnl9UOa/6Qh5PRxb2uPWws2YdchWZm8BspvRVY+FvP2JHqplARZ+YjXHVDOyzd8sVDV807padN2VeEBk6Rvfur0vF5oOG62UyQ/ERTldeOTU/Yj1hDw5x0pEdw2c+W1EIFtn9XQe+KlzWYkZj8Tojprpi/S+JulV2rWDDLujhcnnEpJ4qJZs0cVpaoLGFbylAjY9xRPXUipbf3LmqbTAb/GgeP8t/D9D21MKY0aDfuLie6+MWQ8+xPj4mexc/C2wEww9uFKpHGn0nisgSEgPdax+1uXdBKqL3BQDVWSfZCP1l5c6yuCOWTqmdU6gscS/7x9eEvkmctn4iUuQNfJRhNQpEyY3EQNdSfK3RfEclHw7v9fDafipghQ7BiKqULBXvfB+Ahhi29de/IRqGH51HqZsJCKiyG/f9oMCGqM+4bzL5xxyPOr3DksBnlaYO7E5aoG0OzVfTSaIAqJJPsvPWSM37Lc7vPbMuNrJI6LTpg4kxTnBYMyfbyBPvLGoZpFfAkllvTs4VRtebDW5pyKymHC2PQAq2HGcjM7rewyFWiYNUs0mwHS6D31pd6k9ac4xhIUzUxkja77HZ5tfR8XuPBKcs/DSH3KN2WeMR+qaGrkRUfnJZH9StzpTx3ejwfktrWW1AhLs7N4jjafll/QaejsTnep3YZJ6jZY2MlmeHcBOSuHVfmJhCwCqCt4X2dua04i5Nyx/8CMFCRN8J5iXXe0xHfBshg==
x-microsoft-antispam-prvs: <BYAPR16MB2760FC08D8EEAEFB13933E0AEA7C0@BYAPR16MB2760.namprd16.prod.outlook.com>
x-forefront-prvs: 09538D3531
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(346002)(136003)(376002)(39860400002)(366004)(55784004)(199004)(189003)(13464003)(32952001)(51444003)(105586002)(80792005)(97736004)(106356001)(6436002)(74316002)(86362001)(93886005)(54906003)(110136005)(316002)(305945005)(7736002)(3846002)(4326008)(6116002)(9686003)(6306002)(71200400001)(71190400001)(7696005)(99286004)(55016002)(76176011)(25786009)(66574012)(8676002)(2171002)(81166006)(81156014)(68736007)(229853002)(66066001)(5024004)(6246003)(30864003)(2501003)(53546011)(6506007)(446003)(11346002)(33656002)(186003)(102836004)(26005)(2906002)(14454004)(486006)(476003)(53936002)(256004)(8936002)(72206003)(966005)(5660300002)(14444005)(478600001)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2760; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: WUh3jkgaaXvA4UfP1EfVdYaDrnGmQ20Qq2EexFaNMbx+dep5eWJ3E1SxFyB9kWw1Og1lBWm7PK2dJ09dHwNhA2YwGtia7R+PWyGSwzVv4hMthUHQS8Rt6cZOfEvFs/YMLCBUqGiB4mIVLFguY7RntjLOdPjPktbCTKmbPSv/ZcZ34m3I6Au0djpA2lo/Kj7kfJmnGOzxoNTlNC+18jJk0Ss2o9Rl0iYCmdCXP4SqliGe8CiUeRSa5ZizH0owimfRXGHejCrHPuV6znsgUi3bKbgCbroTFZS0+U4TLUiXTx2uC7TdIL9IPWoiRRUi8zpS0dH6NeGHQG+pKrdIk9tov0bW4k9bxUjBaLBRf+h8x0FoacxzntfaLxl+go0vAUDEXi65kHnyph8sCygHCWGRvMnADcuF1vSR66D/3VvcM9Q=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7f6b8499-d9f6-43a4-4dfb-08d69635248d
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Feb 2019 06:40:30.8416 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2760
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Version: 2.3.0.9418 : core <6485> : inlines <7018> : streams <1813464> : uri <2798664>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/tgX-MliDos1kX8R7v_rufww7nqo>
Subject: Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 06:41:14 -0000

Hi Ben,

Agree with you that Message IDs cannot be used as globally unique replay defense but the draft is using both Message ID and Token (or request ID) as unique relay defense within the DOTS server domain. CoAP allows the size of Token to be up to 8 bytes and is randomized (see https://tools.ietf.org/html/rfc7252#section-5.3.1). 

I also agree with you that 'mid' is not sufficient to detect all types of replay attacks and hence the DOTS signal channel is replying on Message ID and Token along-side the 0-RTT relay detection mechanisms in RFC 8446 to defend against attackers spoofing the DOTS client IP address and replaying the 0-RTT data.

Cheers,
-Tiru

> -----Original Message-----
> From: Benjamin Kaduk <kaduk@mit.edu>
> Sent: Monday, February 18, 2019 9:53 PM
> To: mohamed.boucadair@orange.com
> Cc: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org
> Subject: Re: Using Early Data in DOTS (RE: [Dots] AD review of draft-ietf-dots-
> signal-channel)
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is safe.
> 
> On Fri, Feb 15, 2019 at 03:36:05PM +0000, mohamed.boucadair@orange.com
> wrote:
> > Re-,
> >
> > Looking forward to discuss this further.
> >
> > I wonder whether you can consider putting the document in the IETF LC for
> now. If it happen that we need to modify the 0-RTT text, we will handle it as
> other IETF LC comments.
> 
> I would normally be pretty amenable to starting IETF LC and continuing
> discussion; it's just for this issue in particular that I seem to be the main person
> on the IESG that enforces the "application profile for 0-RTT data" requirement,
> so it would feel rather odd to go forward in this case.
> Luckily, I spent some time this weekend reading RFC 7252 and have some
> substantive comments.
> 
> The key oberservation here seems to be that the Message ID is scoped per
> endpoint, and replays can come from arbitrary addresses.
> 
> Specifically, we recall that:
> 
>    The DOTS signal channel is layered on existing standards (Figure 3).
> 
>                           +---------------------+
>                           | DOTS Signal Channel |
>                           +---------------------+
>                           |         CoAP        |
>                           +----------+----------+
>                           |   TLS    |   DTLS   |
>                           +----------+----------+
>                           |   TCP    |   UDP    |
>                           +----------+----------+
>                           |          IP         |
>                           +---------------------+
> 
> We note that CoAP is using the IP address or "DTLS session" (arguably a poorly
> chosen term) to identify a CoAP association and that Message IDs are only used
> within the scope of such an association, it seems pretty clear that an attacker
> able to replay TLS 1.3 0-RTT data will slice off the top three lines of this figure
> and swap out the TCP/UDP/IP layers.  In the absence of DTLS connection IDs,
> my understanding is that the "DTLS session"
> is identified solely by the transport connection, just as for coap-not-s, so by
> spoofing the source address, the attacker causes the replayed 0-RTT data (and
> thus, CoAP request) to be interpreted as a new incoming coaps connection.
> 
> Given that Message ID is only 16 bits and the servers accepting 0-RTT data
> have potential to be quite busy, it does not seem workable to attempt to use
> the incoming Message IDs as globally unique replay defense, as the risk of
> collision would be pretty large.
> 
> So I think that the 'mid' monotonicity and the rejection of conflicting request
> scopes are the main mitigating factors against replay in the current design
> (alongside the RFC 8446 mechanisms, of course), and the text should be
> adjusted to reflect that.
> 
> It seems that the 'mid' ordering is probably enough to protect
> reordering/replay of mitigiation request and withdraw, even when reordered
> across other mitigation actions.  But I am more concerned about
> reordering/replay of other messages, like efficacy updates and session
> configuration changes.
> 
> Consider
> 
> client                   attacker                    server
> |
> |----efficacy: attack mitigated--------------------->|
> |                                                    |
> |----efficacy: under attack------------------------->|
> |                                                    |
> |                        |-replay: attack mitigated->|
> 
> Is the server going to end up with the expected state?
> 
> -Ben
> 
> 
> >
> > > -----Message d'origine-----
> > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : vendredi 15
> > > février 2019 16:05 À : BOUCADAIR Mohamed TGI/OLN Cc : Konda,
> > > Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf.org;
> > > dots@ietf.org
> > > Objet : Re: Using Early Data in DOTS (RE: [Dots] AD review of
> > > draft-ietf-
> > > dots-signal-channel)
> > >
> > > Hi Med,
> > >
> > > Short form: I need to think about it harder.  There's some
> > > indication that the CoAp Message ID is at the wrong level to protect
> > > the 0-RTT data, but I'm not sure yet.
> > >
> > > Sorry for the delays; this has been a frenetic couple weeks :(
> > >
> > > -Ben
> > >
> > > On Fri, Feb 15, 2019 at 03:01:29PM +0000,
> mohamed.boucadair@orange.com wrote:
> > > > Hi Ben,
> > > >
> > > > What is the status for this one? Are we OK to move forward?
> > > >
> > > > Thank you.
> > > >
> > > > Cheers,
> > > > Med
> > > >
> > > > > -----Message d'origine-----
> > > > > De : mohamed.boucadair@orange.com
> > > > > [mailto:mohamed.boucadair@orange.com]
> > > > > Envoyé : mardi 29 janvier 2019 14:32 À : Benjamin Kaduk Cc :
> > > > > Konda, Tirumaleswar Reddy;
> > > > > draft-ietf-dots-signal-channel@ietf.org;
> > > > > dots@ietf.org
> > > > > Objet : Using Early Data in DOTS (RE: [Dots] AD review of
> > > > > draft-ietf-
> > > dots-
> > > > > signal-channel)
> > > > >
> > > > > Hi Ben, all,
> > > > >
> > > > > We edited a short draft
> > > > > (https://tools.ietf.org/html/draft-boucadair-
> > > dots-
> > > > > earlydata-00) to motivate the following text included in the
> > > > > signal
> > > channel
> > > > > draft:
> > > > >
> > > > >       Section 8 of [RFC8446] discusses some mechanisms to implement to
> > > > >       limit the impact of replay attacks on 0-RTT data.  If the DOTS
> > > > >       server accepts 0-RTT, it MUST implement one of these mechanisms.
> > > > >       A DOTS server can reject 0-RTT by sending a TLS HelloRetryRequest.
> > > > >       The DOTS signal channel messages sent as early data by the DOTS
> > > > >       client are idempotent requests.  As a reminder, Message ID
> > > > >       (Section 3 of [RFC7252]) is changed each time a new CoAP request
> > > > >       is sent, and the Token (Section 5.3.1 of [RFC7252]) is randomized
> > > > >       in each CoAP request.  The DOTS server(s) can use Message ID and
> > > > >       Token in the DOTS signal channel message to detect replay of early
> > > > >       data, and accept 0-RTT data at most once.  Furthermore, 'mid'
> > > > >       value is monotonically increased by the DOTS client for each
> > > > >       mitigation request, attackers replaying mitigation requests with
> > > > >       lower numeric 'mid' values and overlapping scopes with mitigation
> > > > >       requests having higher numeric 'mid' values will be rejected
> > > > >       systematically by the DOTS server.
> > > > >
> > > > >       Owing to the aforementioned protections, especially those afforded
> > > > >       by CoAP deduplication (Section 4.5 of [RFC7252]) and RFC 8446
> > > > >       anti-replay mechanisms, all DOTS signal channel requests are safe
> > > > >       to transmit in TLS 1.3 as early data.  Refer to
> > > > >       [I-D.boucadair-dots-earlydata] for more details.
> > > > >
> > > > > This text and also the Designated Expert guidelines are
> > > > > implemented in -
> > > 28.
> > > > > These are the two pending issues from your AD review.
> > > > >
> > > > > Other edits were also made to record what was agreed on the list.
> > > > >
> > > > > We hope this version is now ready to move forward.
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > > > > > Regarding the (D)TLS 1.3 0-RTT data, RFC 8446 notes
> > > > > > > > > > that
> > > > > "Application
> > > > > > > > > > protocols MUST NOT use 0-RTT data without a profile
> > > > > > > > > > that
> > > defines
> > > > > its
> > > > > > > use.
> > > > > > > > > > That profile needs to identify which messages or
> > > > > > > > > > interactions
> > > are
> > > > > > safe
> > > > > > > to
> > > > > > > > > use
> > > > > > > > > > with 0-RTT and how to handle the situation when the
> > > > > > > > > > server
> > > rejects
> > > > > 0-
> > > > > > > RTT
> > > > > > > > > and
> > > > > > > > > > falls back to 1-RTT."  So we either need to say which
> > > > > > > > > > client
> > > > > requests
> > > > > > > are
> > > > > > > > > 0-RTT
> > > > > > > > > > safe (and why) or defer that profile to another document.
> > > draft-
> > > > > > ietf-
> > > > > > > > > dnsop-
> > > > > > > > > > session-signal is perhaps an example of a document
> > > > > > > > > > that
> > > specifies
> > > > > > which
> > > > > > > > > > messages are/aren't allowed in early data.
> > > > > > > > > > (draft-ietf-acme-acme is another, but an uninteresting
> > > > > > > > > > one,
> > > since
> > > > > > they
> > > > > > > make
> > > > > > > > > > every request include a single-use nonce, and all
> > > > > > > > > > messages are
> > > 0-
> > > > > RTT
> > > > > > > safe.)
> > > > > > > > > > Our use of increasing 'mid' values may help here, in
> > > > > > > > > > terms of
> > > > > > allowing
> > > > > > > > > DELETEs
> > > > > > > > > > to be safe, but I'd have to think a little more to be
> > > > > > > > > > sure that
> > > > > > > requesting
> > > > > > > > > > mitigation would be safe.  (On first glance the
> > > > > > > > > > session-
> > > managemnet
> > > > > > bits
> > > > > > > > > would
> > > > > > > > > > not be safe, but I may be missing something.)
> > > > > > > > >
> > > > > > > > > The draft only uses idempotent requests (GET, PUT and
> > > > > > > > > DELETE),
> > > and
> > > > > CoAP
> > > > > > > is
> > > > > > > > > capable of detecting message duplication (see
> > > > > > > > > https://tools.ietf.org/html/rfc7252#section-4.5) for
> > > > > > > > > both
> > > confirmable
> > > > > > and
> > > > > > > > > non-confirmable messages.
> > > > > > > > >  [1] An attacker replaying DELETE will not have any
> > > > > > > > > adverse
> > > impact,
> > > > > > 2.02
> > > > > > > > > (Deleted) Response Code is returned even if the
> > > > > > > > > mitigation
> > > request
> > > > > does
> > > > > > > not
> > > > > > > > > exist.
> > > > > > > > > [2] The techniques discussed in Section 8 of RFC8446
> > > > > > > > > should
> > > suffice
> > > > > to
> > > > > > > handle
> > > > > > > > > anti-replay (e.g. an attacker replaying a 0-RTT data
> > > > > > > > > carrying an
> > > old
> > > > > > > > > mitigation request replaced by a new mitigation scope).
> > > > > > > > >
> > > > > > > >
> > > > > > > > [Med] FWIW, we do already have this text in the draft:
> > > > > > > >
> > > > > > > >       Section 8 of [RFC8446] discusses some mechanisms to
> > > > > > > > implement
> > > to
> > > > > > > >       limit the impact of replay attacks on 0-RTT data.
> > > > > > > > If the
> > > DOTS
> > > > > > > >       server accepts 0-RTT, it MUST implement one of these
> > > mechanisms

v2.23.0 | Report a Bug | By Email