Re: [secdir] Secdir review of draft-ietf-tls-record-limit
Martin Thomson <martin.thomson@gmail.com> Mon, 26 February 2018 01:31 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8FA81273B1; Sun, 25 Feb 2018 17:31:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ss0Kr489CYu; Sun, 25 Feb 2018 17:31:47 -0800 (PST)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 528971271FD; Sun, 25 Feb 2018 17:31:47 -0800 (PST)
Received: by mail-oi0-x22b.google.com with SMTP id j79so9515181oib.12; Sun, 25 Feb 2018 17:31:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RDdwhU2awrnO8FcKYTTNthurUQVe3WQQbd6YT8IKmgw=; b=KzWv9yHDcM9LK47CipLhWjXA6Bmk1CAU7mMTzsUc2zbuFa7y01YLZCZ/dJAfBVgi0m audGk1qp9P4tb+LvJWZu6pNu5z99aZJJQKc7lFRJnR2qAJHkphpB3dXUoqYA0SLrTEEC 3f5HhWWQehGr5d890hTMHtgZwELgXCe6TiM/bNnfxTsi9PxrK4v7n2Oeq+lsdy5uQWsd DYO4iQ9OpZKXKEvKjVyGL0uMA8Ui4OPZBMOTV67xux0h+OUntJNgUGMeP4HhkB347PCe UKnEzychb7b6QGgyPKwVORAF0XCDpqAkuioTFJrNzeybZln2YirNy7W5oEPgfePR+v35 G6Pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RDdwhU2awrnO8FcKYTTNthurUQVe3WQQbd6YT8IKmgw=; b=ee6pJpxytUKRxkEt4XtzL8YXevBEcKGKc4lyf3R8SQEuXJdJAPv75vrP6LNHOe5kaf 13pX7NVHxSxJJFm15XgSd77lwkSX+GYLuo7o/Ge+D5g22ihEQRwH8LRcHsUA4IlxYTDJ Zo1jJXdWHKPPGfHiZ7Va6SRWXbCq/8CzLAeXIJDJ5t2ur97Xn46tvjZdjb4DW4F4da9B +G2kGafNDzbUsB0FMvt+YhPz23kRwnlCGfpR/o2zbcI7qoj1Sc67Bxwj1I3OtQ3FPaPw nOGUmhx/nwkJoObCICwouagKcmHHCPFZQ2niZOORYe76V5DlqwMIAOhhFw/c08kWDo+m ILhQ==
X-Gm-Message-State: APf1xPDBmxHInjmFSBfQp9IPiNzuAKftS/vDnVW/6mMdRI63uLMrkq7y aVPIhcjMnDqDKTpx1qDftfJl4/cUaFplPlZo8EAA2Tg/
X-Google-Smtp-Source: AG47ELuZ/oqftAGCQEWDSlUkkOzvicCG3MnTZFXwrzN5yX85T+qgBJJOW0bX/sA5RuIRdqOsl5+Nl1wid5Zf2HQIsrQ=
X-Received: by 10.202.235.133 with SMTP id j127mr5744504oih.346.1519608706461; Sun, 25 Feb 2018 17:31:46 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.16.85 with HTTP; Sun, 25 Feb 2018 17:31:45 -0800 (PST)
In-Reply-To: <20180223191714.GG50954@kduck.kaduk.org>
References: <5C2E06FE-8685-457D-ACED-5600092C1CB1@deployingradius.com> <CABkgnnVYbK-==zHyUTPiWxQ_so9XepWKpUpdd=1-OsJuv_0VFQ@mail.gmail.com> <F9726F86-DF0E-46DE-B0E4-F688C7D9A51C@deployingradius.com> <20180223191714.GG50954@kduck.kaduk.org>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 26 Feb 2018 12:31:45 +1100
Message-ID: <CABkgnnULmVtg+a0ukGSETF1nJTav+Q969u93LgL-cO-=bx2RSA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Alan DeKok <aland@deployingradius.com>, draft-ietf-tls-record-limit@ietf.org, IESG <iesg@ietf.org>, secdir@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ufeH4Xc8eSzEo9zT4aZuG5x5Go8>
Subject: Re: [secdir] Secdir review of draft-ietf-tls-record-limit
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2018 01:31:49 -0000
On Sat, Feb 24, 2018 at 6:17 AM, Benjamin Kaduk <kaduk@mit.edu> wrote: > The record size limit is a cap, not a mandatory record size. That's right. Alan, does that address your primary concern? > On Fri, Feb 23, 2018 at 09:49:11AM -0500, Alan DeKok wrote: >> RFC 6347 Section 4.1.1.1 gives some guidance, but I think not enough. Exposing the MTU to the application is good, but what does the application *do* with this information? In many cases, nothing. My understanding of DTLS implementations is that the size of a write determines the size of the packet that is ultimately sent. Say I write 100 octets to the socket, so DTLS writes out a record of 128 octets. What stacks do when a write exceeds PMTU differs. The same applies to this new limit: * The stack I work on splits records based on its understanding of the MTU, but it only learns that during the handshake and so relies mostly on the application making smaller writes. (There is currently no way to set the MTU, which is an open bug.) It also sends a single record in each packet for application data, so the net effect of a large write is multiple UDP datagrams with one record each. If your stack operates like this, then the information is pretty much just advisory. The only thing you might contemplate is changing any coalescing rules you might have to compensate. * If a stack did automatic splits, but then put multiple records in the same datagram, that's the same for a using application. * If a stack rejects large writes and forces the application to write within its constraints, then that stack needs to be clear about what limit was in force, such as through the use of specific error codes. Such stack that adds this feature would need to be careful about introducing this feature.
- [secdir] Secdir review of draft-ietf-tls-record-l… Alan DeKok
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Martin Thomson
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Benjamin Kaduk
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Martin Thomson
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Alan DeKok
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Kathleen Moriarty
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Benjamin Kaduk
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Martin Thomson
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Hannes Tschofenig
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Martin Thomson
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Hannes Tschofenig
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Martin Thomson
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Hannes Tschofenig
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Martin Thomson
- Re: [secdir] Secdir review of draft-ietf-tls-reco… Hannes Tschofenig