Re: [Isms] wg last call on the (d)tls transport model
<Pasi.Eronen@nokia.com> Fri, 06 November 2009 11:15 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: isms@core3.amsl.com
Delivered-To: isms@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1F3493A68AA for <isms@core3.amsl.com>; Fri, 6 Nov 2009 03:15:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.216
X-Spam-Level:
X-Spam-Status: No, score=-4.216 tagged_above=-999 required=5 tests=[AWL=-2.317, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, J_CHICKENPOX_43=0.6, J_CHICKENPOX_47=0.6, J_CHICKENPOX_74=0.6, MANGLED_LIST=2.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rAmjuelXwyFr for <isms@core3.amsl.com>; Fri, 6 Nov 2009 03:15:36 -0800 (PST)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233]) by core3.amsl.com (Postfix) with ESMTP id 46AC03A689E for <isms@ietf.org>; Fri, 6 Nov 2009 03:15:35 -0800 (PST)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com [10.160.244.31]) by mgw-mx06.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id nA6BFtWX031797 for <isms@ietf.org>; Fri, 6 Nov 2009 13:15:56 +0200
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 6 Nov 2009 13:15:48 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.8]) by vaebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Fri, 6 Nov 2009 13:15:36 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-04.mgdnok.nokia.com ([65.54.30.8]) with mapi; Fri, 6 Nov 2009 12:15:18 +0100
From: Pasi.Eronen@nokia.com
To: isms@ietf.org
Date: Fri, 06 Nov 2009 12:15:14 +0100
Thread-Topic: [Isms] wg last call on the (d)tls transport model
Thread-Index: AcpYiMAzsIkGQPMRQ1qHp8jCzwTAEAGSThRQ
Message-ID: <808FD6E27AD4884E94820BC333B2DB774E7F81BEAD@NOK-EUMSG-01.mgdnok.nokia.com>
References: <20091029111229.GA20307@elstar.local>
In-Reply-To: <20091029111229.GA20307@elstar.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 06 Nov 2009 11:15:36.0022 (UTC) FILETIME=[76A61760:01CA5ED2]
X-Nokia-AV: Clean
Subject: Re: [Isms] wg last call on the (d)tls transport model
X-BeenThere: isms@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/isms>
List-Post: <mailto:isms@ietf.org>
List-Help: <mailto:isms-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Nov 2009 11:15:38 -0000
Some random comments scribbled on printout during my flight earlier today (or yesterday, depending on your point of view :-): - How the notification originator authenticates the other end (TLS server) when fingerprints are not used is very unclear (the fingerprint case is clear). Section 5.3, step 3b, suggests we could use path validation, but it doesn't e.g. say what the "reference identity" (in draft-saintandre-tls-server-id-check terminology) would be. Perhaps the MIB should allow specifying that reference identity. (MIB, tlstmAddrTable, is relevant here.) (I guess this applies to command generators, too, to some degree at least -- they also act as TLS clients, and have to authenticate the server somehow.) - While TLS supports several different authentication mechanism (X.509 certs, OpenPGP certs, pre-shared keys, Kerberos, SRP, ...), TLSTM supports only one of them (X.509 certs). This should be mentioned in e.g. Section 1 and Section 4.1. - Section 1.1, 2nd to last paragraph, and Section 3.1.3: These parts should probably explicitly say that the concept of "session" here is totally unrelated to TLS sessions in RFC 5246 (which are TLS-internal optimization detail not visible to TLSTM). But the name "tlsSessionID" is very poorly chosen, since it's very different from the TLS SessionID in RFC 5246. - Section 5.3 (last para) and Section 8.2: (D)TLS does have the "server_name" extension that does allow doing this. - MIB, Snmp*Address TCs: do we need four pages worth of new TCs to just describe (IPv4 address/IPv6 address/hostname)+port? Surely many existing MIBs use address+port, too, and we could import from somewhere? - MIB, Fingerprint TC, last paragraph: this is not really consistent with how certificate fingerprints are used in many other protocols -- usually we compare just the fingerprint (not the whole certificate), and assume it's produced by a good hash function. - MIB, tlstmCertToSNSANType: is SecurityName case sensitive? If it is, you need to specify the case for IPv6 address, and probably normalize the dNSName and domain part of rfc822name (e.g., convert to lower case). - MIB, tlstmCertToSNSANType: how would othername be converted to SnmpAdminString? (which is UTF-8, so "take the raw DER" does not work -- and it would be very administator-unfriendly, too) - Sections 3.3 and others: the document has snmpTLSDomain, snmpDTLSUDPDomain and snmpDTLSSCTPDomain. Probably for consistency, the first should be snmpTLSTCPDomain, since SCTP would also normally use TLS, not DTLS (there's a draft proposing how to run DTLS over SCTP, but it's just work in progress, not something that can be done today). - Section 2.1: if the CG/NO is always the (D)TLS client, and it MUST be authenticated (2nd bullet), then why is authenticating the client only SHOULD? (1st bullet) - The openSession ASI in Section 4.4.1 looks very different from the SSHTM ASI -- is this intentional? - Section 4.4.1: "this restriction is not needed for TLS or DTLS over SCTP": this restriction is present in TLS-over-TCP/SCTP, too, but TCP/SCTP take care of ensuring that <src IP, src port, dst IP, dst port> is unique. - Section 4.4.2 and 4.4.3: I think these sections should be just deleted -- these are TLS internal details. Furthermore, for normal TLS (or DTLS, when a single datagram contains multiple DTLS records), TLSTM cannot even determine "wholeTlsMsgLength", since that would require parsing the TLS messages (which would be a layering violation). Section 5.1.1 is also a bit questionable; it also seems to suggest parsing DTLS records by TLSTM. And the details aren't quite right: the same demultiplexing (mapping incoming UDP packet, based on <src IP,src port,dst IP, dst port> tuple, to the right DTLS connection/context) has to happen for DTLS handshake messages, too, not just DTLS application data messages. - Section 8.1, 1st paragraph: the last sentence of this paragraph is very confusing, since the sessions this document talks about are totally unrelated to TLS sessions (and TLS session resumption). Besides, all TLS implementations support session resumption, so this SHOULD is not really needed in this document. - Section 8.1, 2nd paragraph: Separate ports might be a reasonable idea, but I don't understand what the rest of the paragraph is saying... - Section 10: SSHTM uses ports >1023 -- should be good enough for TLSTM, too (the criteria for allocating ports <1023 is much stricter). - In normal SNMP-over-UDP, if e.g. the notification receiver restarts, that's not a problem: at least if the notification generator didn't send anything exactly when the restart was ongoing, everything will continue just fine after the restart. But when using DTLS-over-UDP, if the notification receiver restarts, the notification generator has to know that it needs to start a new DTLS "connection" (because otherwise the receiver will just silently drop all the packets it gets). The same problem has been discussed for syslog-over-DTLS recently, and draft-seggelmann-tls-dtls-heartbeat proposes one possible solution. In SNMP most requests result in a response, so if no response is seen, *some* component will know there's something wrong. But since TLSTM isn't supposed to know about PDU types, it might be architecturally slightly tricky how opening a new DTLS "connection" should be triggered here. But the document should probably say something about this issue. - Should the document say something about MTU/avoiding fragmentation for DTLS-over-UDP? - DTLS allows multiple DTLS records in a single datagram -- should the document say something about this? - Should the document say something about SCTP Partial Reliability, or use of SCTP streams? Minor editorial comments: - The document title should have the acronym "TLS" in it. - Section 4.1.1: While the actual details of how self-signed certificates can be used in TLSTM (in the rest of the spec) look mostly OK, I would recommend against using the term "trust anchor" to refer to self-signed end-entity certificates. - Section 3.1.1, item 4, 2nd paragraph: this is quite unclear, and goes into details that are IMHO not relevant for TLSTM. Perhaps something like "Most TLS cipher suites do encryption" ? - Section 3.1.1, item 5,: the sentence about "amplification" is quite unclear; the main purpose of DTLS cookie exchange is to limit server-side resource consumption, not amplification (and "detecting" amplification could be tricky). - Section 3.1.2: This text should probably mention that TLS does not have any NULL integrity cipher suites. - MIB, tlstmParamsEntry: should "usable" be "unusable"? - Section 9, "DTLS is more vulnerable to denial of service attacks". Well, a hypothetical version of DTLS that didn't include the cookie exchange might be more vulnerable, but since we don't have such a version, this isn't really true. - Global: s/US-US-ASCII/US-ASCII/; - The reference [x509] looks wrong. - Appendix A and B: I would suggest deleting these. - Appendix C: "blueberry" is not a valid rfc822Name ("blueberry@example.com" would be) Best regards, Pasi
- [Isms] wg last call on the (d)tls transport model Juergen Schoenwaelder
- Re: [Isms] wg last call on the (d)tls transport m… Donati Andrew-MGIA0477
- Re: [Isms] wg last call on the (d)tls transport m… Pasi.Eronen
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… David Harrington
- Re: [Isms] wg last call on the (d)tls transport m… David Harrington
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… Donati Andrew-MGIA0477
- Re: [Isms] wg last call on the (d)tls transport m… Juergen Schoenwaelder
- Re: [Isms] wg last call on the (d)tls transport m… Donati Andrew-MGIA0477
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker