Re: [radext] Session closure in DTLS (was: Review of draft-ietf-radext-radiusdtls)

Jan-Frederik Rieckers <rieckers@dfn.de> Thu, 18 April 2024 12:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/anix57suqdu6A5RbYMr6fid4dEQ>

On 20.03.24 07:59, Jan-Frederik Rieckers wrote:
>> 6.4.1.1
>>
>>     ... Sessions (both 4-tuple and entry) MUST be deleted when a TLS 
>> Closure Alert ([RFC5246], Section 7.2.1) or a fatal TLS Error Alert 
>> ([RFC5246], Section 7.2.2) is received
>>
>>    Perhaps note that sessions must be deleted when the TLS connection 
>> is closed for any reason.  And then enumerate the reasons as per the 
>> existing text.
> 
> I've added a TODO to look into this, I want to look at the DTLS spec first.

After having read the text again, and looking at RFC7360, I'm not sure 
this is what we mean.

"Closed for any reason" may be too wide.

It may be useful to have session information after a graceful closure, 
which would also fall under "closed for any reason".
Before we change that, I would like to hear opinions from other people 
(hopefully some people a bit more familiar with DTLS).

Cheers,
Janfred

-- 
Mr Jan-Frederik Rieckers
Security, Trust & Identity Services

E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education 
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de

Board of Directors: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | 
Christian Zens
Managing Directors: Dr. Christian Grimm | Jochem Pattloch
Register of Associations, Amtsgericht Charlottenburg VR 7729B | VAT ID DE 136623822
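To make the two positions in this thread concrete, the following is an added illustration (not text or code from draft-ietf-radext-radiusdtls, RFC 7360, or any RADIUS implementation) of a server-side DTLS session table. With `retain_on_graceful_close=False` it behaves as the quoted draft text requires: a TLS closure alert (RFC 5246, Section 7.2.1) or a fatal error alert (Section 7.2.2) deletes both the 4-tuple and the entry. With `retain_on_graceful_close=True` it shows one assumed reading of the alternative raised above: after `close_notify` the 4-tuple is dropped so no further datagrams are accepted, but the entry record survives marked closed so its information remains inspectable. The class and function names, the `state` field, and the sample addresses are assumptions of this example; the port 2083 is the RADIUS/DTLS port from RFC 7360.

```python
"""Session-table handling for the two closure policies discussed in this thread.

Added illustration, not code from draft-ietf-radext-radiusdtls or from any
RADIUS implementation. Class names, the "retain" policy and the sample events
are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

# (client IP, client port, server IP, server port) identifying a DTLS session
FourTuple = Tuple[str, int, str, int]


class AlertLevel(Enum):
    """TLS alert levels (RFC 5246, Section 7.2)."""
    WARNING = 1
    FATAL = 2


CLOSE_NOTIFY = 0      # RFC 5246, Section 7.2.1: closure alert
BAD_RECORD_MAC = 20   # RFC 5246, Section 7.2.2: an always-fatal error alert


@dataclass
class Session:
    four_tuple: FourTuple
    entry_name: str        # the peer/configuration entry this session belongs to
    state: str = "open"    # "open" or "closed" (assumed field for this example)
    packets_seen: int = 0


class SessionTable:
    """Tracks DTLS sessions both by 4-tuple and by configuration entry."""

    def __init__(self, retain_on_graceful_close: bool) -> None:
        self.retain_on_graceful_close = retain_on_graceful_close
        self.by_tuple: Dict[FourTuple, Session] = {}
        self.by_entry: Dict[str, Session] = {}

    def open(self, four_tuple: FourTuple, entry_name: str) -> Session:
        sess = Session(four_tuple, entry_name)
        self.by_tuple[four_tuple] = sess
        self.by_entry[entry_name] = sess
        return sess

    def _delete(self, sess: Session) -> None:
        # Draft text: delete both the 4-tuple and the entry
        self.by_tuple.pop(sess.four_tuple, None)
        self.by_entry.pop(sess.entry_name, None)

    def on_datagram(self, four_tuple: FourTuple) -> bool:
        """Accept application data only for a live, open 4-tuple."""
        sess = self.by_tuple.get(four_tuple)
        if sess is None or sess.state != "open":
            return False
        sess.packets_seen += 1
        return True

    def on_alert(self, four_tuple: FourTuple, level: AlertLevel, description: int) -> str:
        """Apply the closure policy to a received alert; returns the action taken."""
        sess = self.by_tuple.get(four_tuple)
        if sess is None:
            return "unknown-session"
        if description == CLOSE_NOTIFY:
            # Graceful closure (RFC 5246, Section 7.2.1)
            if self.retain_on_graceful_close:
                sess.state = "closed"
                del self.by_tuple[four_tuple]   # no further datagrams on this 4-tuple
                return "retained-closed"        # entry record kept for inspection
            self._delete(sess)
            return "deleted"
        if level == AlertLevel.FATAL:
            # Fatal error alert (RFC 5246, Section 7.2.2): delete under both policies
            self._delete(sess)
            return "deleted"
        # A warning-level alert other than close_notify does not end the session
        return "kept"

    def entry_state(self, entry_name: str) -> Optional[str]:
        sess = self.by_entry.get(entry_name)
        return None if sess is None else sess.state


# Constructed sample 4-tuple: documentation addresses (RFC 5737), RADIUS/DTLS port 2083
SAMPLE_TUPLE: FourTuple = ("192.0.2.10", 49152, "198.51.100.5", 2083)


def run_graceful_scenario(retain_on_graceful_close: bool) -> dict:
    """One session: data, then close_notify, then a late datagram that must be rejected."""
    table = SessionTable(retain_on_graceful_close)
    table.open(SAMPLE_TUPLE, "nas-example")
    accepted_before = table.on_datagram(SAMPLE_TUPLE)
    action = table.on_alert(SAMPLE_TUPLE, AlertLevel.WARNING, CLOSE_NOTIFY)
    accepted_after = table.on_datagram(SAMPLE_TUPLE)
    return {
        "action": action,
        "accepted_before": accepted_before,
        "accepted_after": accepted_after,
        "entry_state": table.entry_state("nas-example"),
    }


def run_fatal_scenario() -> list:
    """Even with retention enabled, a fatal alert removes 4-tuple and entry."""
    table = SessionTable(retain_on_graceful_close=True)
    table.open(SAMPLE_TUPLE, "nas-example")
    action = table.on_alert(SAMPLE_TUPLE, AlertLevel.FATAL, BAD_RECORD_MAC)
    return [action, table.on_datagram(SAMPLE_TUPLE), table.entry_state("nas-example")]


if __name__ == "__main__":
    print(run_graceful_scenario(retain_on_graceful_close=False))
    print(run_graceful_scenario(retain_on_graceful_close=True))
    print(run_fatal_scenario())
```

Whichever wording the draft settles on, the check worth keeping is the one both scenarios exercise: once a closure or fatal alert has been received, a datagram arriving on the old 4-tuple is never accepted as belonging to the closed session, regardless of whether the entry's metadata is kept for diagnostics.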