Re: [radext] Session closure in DTLS (was: Review of draft-ietf-radext-radiusdtls)
Jan-Frederik Rieckers <rieckers@dfn.de> Thu, 18 April 2024 12:47 UTC
Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEA35C14F6A7 for <radext@ietfa.amsl.com>; Thu, 18 Apr 2024 05:47:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cI0LRBs4X6Tr for <radext@ietfa.amsl.com>; Thu, 18 Apr 2024 05:47:25 -0700 (PDT)
Received: from c1004.mx.srv.dfn.de (c1004.mx.srv.dfn.de [IPv6:2001:638:d:c303:acdc:1979:2:58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00A9EC14F61E for <radext@ietf.org>; Thu, 18 Apr 2024 05:47:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:organization:from:from :content-language:references:subject:subject:user-agent :mime-version:date:date:message-id:received; s=s1; t=1713444438; x=1715258839; bh=vPoc2qJ3cciRTaLJKYqNGjhd5Oga/mj9Pp6W4cc1zu8=; b= TBvxahwBJhSVLAb2oDhHwpQ4wy28heX0/gQutcL5496duoerKi4DxjXmRfbA1/Lf ePJ/P4ECpdATv3J+SqxDVNRbD30yvJSuOfeir660yfJl8z8/t88s7UfB9LIDVJNW 1b9g2Lw3lVadGyH7GPmY+wjiowBQZJ3NALRcwUYld8Y=
Received: from mail.dfn.de (mail.dfn.de [194.95.245.150]) by c1004.mx.srv.dfn.de (Postfix) with ESMTPS id A2826120130 for <radext@ietf.org>; Thu, 18 Apr 2024 14:47:18 +0200 (CEST)
Received: from [10.100.248.131] (airoserv.dfn.de [192.76.176.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id 7B2183D6 for <radext@ietf.org>; Thu, 18 Apr 2024 14:47:18 +0200 (CEST)
Message-ID: <f73233a3-2c0c-48f6-b80b-d3e7e1ccd753@dfn.de>
Date: Thu, 18 Apr 2024 14:47:18 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: radext@ietf.org
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <47fb04d9-a224-457f-b169-d94e29fe007e@dfn.de>
Content-Language: en-US
From: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Enigmail-Draft-Status: N11222
Organization: DFN e.V.
In-Reply-To: <47fb04d9-a224-457f-b169-d94e29fe007e@dfn.de>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms090005050402020106030406"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/anix57suqdu6A5RbYMr6fid4dEQ>
Subject: Re: [radext] Session closure in DTLS (was: Review of draft-ietf-radext-radiusdtls)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2024 12:47:30 -0000
On 20.03.24 07:59, Jan-Frederik Rieckers wrote: >> 6.4.1.1 >> >> ... Sessions (both 4-tuple and entry) MUST be deleted when a TLS >> Closure Alert ([RFC5246], Section 7.2.1) or a fatal TLS Error Alert >> ([RFC5246], Section 7.2.2) is received >> >> Perhaps note that sessions must be deleted when the TLS connection >> is closed for any reason. And then enumerate the reasons as per the >> existing text. > > I've added a TODO to look into this, I want to look at the DTLS spec first. After having read the text again, and looking at RFC7360, I'm not sure this is what we mean. "Closed for any reason" may be too wide. It may be useful to have session information after a graceful closure, which would also fall under "closed for any reason". Before we change that, I would like to hear opinions from other people (hopefully some people a bit more familiar with DTLS) Cheers, Janfred -- Herr Jan-Frederik Rieckers Security, Trust & Identity Services E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370 Pronomen: er/sein | Pronouns: he/him __________________________________________________________________________________ DFN - Deutsches Forschungsnetz | German National Research and Education Network Verein zur Förderung eines Deutschen Forschungsnetzes e.V. Alexanderplatz 1 | 10178 Berlin https://www.dfn.de Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
- [radext] Review of draft-ietf-radext-radiusdtls Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- [radext] Certficate and certificate chain selecti… Heikki Vatiainen
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- [radext] RADIUS/(D)TLS port usage (was: Review of… Jan-Frederik Rieckers
- Re: [radext] Certficate and certificate chain sel… Alan DeKok
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- Re: [radext] Server identity and RFC7585bis (was:… Mark Grayson (mgrayson)
- [radext] Accounting and Protocol-Error (was: Revi… Jan-Frederik Rieckers
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- [radext] Server identity and RFC7585bis (was: Rev… Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Mark Grayson (mgrayson)
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Michael Richardson
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Jan-Frederik Rieckers
- Re: [radext] Accounting and Protocol-Error (was: … Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Fabian Mauchle
- Re: [radext] Session closure in DTLS (was: Review… Jan-Frederik Rieckers
- Re: [radext] Session closure in DTLS (was: Review… Alan DeKok
- Re: [radext] Session closure in DTLS Fabian Mauchle
- Re: [radext] Session closure in DTLS Alan DeKok