IETF Logo Mail Archive

[secdir] Secdir review of draft-ietf-tls-record-limit

Alan DeKok <aland@deployingradius.com> Thu, 22 February 2018 22:21 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 132E112420B; Thu, 22 Feb 2018 14:21:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UUP2Znlpinv5; Thu, 22 Feb 2018 14:21:08 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id CCD65120725; Thu, 22 Feb 2018 14:21:07 -0800 (PST)
Received: from [192.168.2.28] (198-84-205-59.cpe.teksavvy.com [198.84.205.59]) by mail.networkradius.com (Postfix) with ESMTPSA id B8F081FE7; Thu, 22 Feb 2018 22:21:06 +0000 (UTC)
From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <5C2E06FE-8685-457D-ACED-5600092C1CB1@deployingradius.com>
Date: Thu, 22 Feb 2018 17:21:05 -0500
To: draft-ietf-tls-record-limit@ietf.org, IESG <iesg@ietf.org>, secdir@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3gSqHvZskxMvwqXTEvRemigqYYs>
Subject: [secdir] Secdir review of draft-ietf-tls-record-limit
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2018 22:21:10 -0000

  I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

  The summary of the review is ready with nits.

4.  The "record_size_limit" Extension
	... an endpoint
   MUST NOT send a value higher than the protocol-defined maximum record
   size ...

Comment: That's good, so later we have:

   The record size limit can interact with the maximum transmission unit
   (MTU) in DTLS, but it is a separate and independent constraint on
   record size.

Nit:  perhaps say that this is an *additional* constraint.  Which is (to me) a clearer indication that both constraints must be matched.  "independent" constraints sound like not only they vary independently, but that they can be applied independently (i.e. separately).  Saying "additional" constraint is a clearer indication that both constraints must be applied at the same time.

   In particular, it is not appropriate to use the record
   size limit in place of path MTU detection. 

Q: How would that be done?  I don't mean that the document needs to explain how to do something wrong.  I mean that it would be good to explain the misunderstanding which would lead to using record size limit in place of path MTU detection.

  e.g. "the reception of an illegal_parameter error on a session gives no information about the allowed MTU size"

   The record size limit is
   a fixed property of an endpoint that is set during the handshake and
   fixed thereafter.  In comparison, the MTU is determined by the
   network path and can change dynamically over time.

Comment:  it would be good to give guidance on what to do here, and what happens in error cases.

  e.g. should the record size limit to be set at the start of a session to the *smallest expected MTU*?  If so, what are the side effects?

  Or what about this - the MTU is large at the start of a session, and a record size limit is negotiated which matches that MTU.  At some later time, the MTU changes to a lower value than the negotiated record size limit.

  What happens then?  The application may receive an ICMP message indicating destination unreachable, with a code indicating fragmentation needed.  If Don't Fragment (DF) is not set.. the packet cannot be sent.

  Should the session be closed?  If not, why not?  If so, should the application keep track of minimum MTU across multiple sessions, and negotiate a value of record size limit which is more likely to work?

  It would be good to have guidance for edge / error conditions.  They tend to be a source of network problems and interoperability issues.

5.  Deprecating "max_fragment_length"
	...A server that supports the "record_size_limit"
   extension MUST ignore and "max_fragment_length"

Nit: this is probably "any" instead of "and".


  7.  IANA Considerations
	...
   This document registers the "record_size_limit" extension in the TLS
   "ExtensionType Values" registry ...

   In the same registry, the "max_fragment_length" [[has been|will be]]
   changed to a status of not recommended.

Comment: the registry has no "status" column.

  It may be useful to update that registry to add a "deprecated" note, perhaps as is done with the ICMP parameters registry:

https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

  In which case the "max_fragment_length" entry should be changed to:

Value				1
Extension name		max_fragment_length (deprecated)
Reference			RFC6066, draft-ietf-tls-record-limit

v2.23.0 | Report a Bug | By Email