Re: [Syslog] [TLS] Missing dead peer detection in DTLS

Erick O <ericko0@yahoo.com> Fri, 18 September 2009 06:33 UTC

Message-ID: <587230.84105.qm@web45508.mail.sp1.yahoo.com>
References: <4A6EB9BB.9040002@net.in.tum.de> <000401ca111a$3bb01da0$0601a8c0@allison>
Date: Thu, 17 Sep 2009 23:34:27 -0700
From: Erick O <ericko0@yahoo.com>
To: "tom.petch" <cfinss@dial.pipex.com>, Gerhard Muenz <muenz@net.in.tum.de>, syslog@ietf.org, ipfix@ietf.org, tls@ietf.org
In-Reply-To: <000401ca111a$3bb01da0$0601a8c0@allison>
Cc: Michael Tuexen <tuexen@fh-muenster.de>, Daniel Mentz <mentz@in.tum.de>
Subject: Re: [Syslog] [TLS] Missing dead peer detection in DTLS

________________________________
From: tom.petch <cfinss@dial.pipex.com>
To: Gerhard Muenz <muenz@net.in.tum.de>; syslog@ietf.org; ipfix@ietf.org; tls@ietf.org
Cc: Michael Tuexen <tuexen@fh-muenster.de>; Daniel Mentz <mentz@in.tum.de>
Sent: Thursday, July 30, 2009 2:44:11 AM
Subject: Re: [TLS] [Syslog] Missing dead peer detection in DTLS

Gerhard

Thank you for pointing this out; it had escaped me.

What I had thought though was that the lack of flow control with DTLS over UDP
is a problem, and that the lack of this with syslog over UDP led the syslog RFC
[RFC5424] to make syslog over TLS the RECOMMENDED transport, not, as might be
expected, syslog over UDP.

This in turn led me to expect that syslog over DTLS over UDP would not be
acceptable to the IESG, rather that syslog over DTLS over SCTP would become the
RECOMMENDED transport.

So, several thoughts.

This is an update to the extensions RFC, RFC4366, which itself is being updated
by the TLS working group (hence my addition of them to the list) and I would
much rather have one extensions RFC rather than several.  This is a good concept
and fills a need; perhaps the TLS working group would take this on.

Flow control remains an issue which I do not think that this extension
addresses.

Is this a security exposure? Or just, like syslog over UDP, an inconvenient
truth?

The petch-gerhards draft allows the recipient of the unidirectional flow to
initiate the DTLS 'connection', and so enables it to re-establish the connection
when anything goes wrong.  This would seem an alternative to consider.

Tom Petch

----- Original Message -----
From: "Gerhard Muenz" <muenz@net.in.tum.de>
To: <syslog@ietf.org>; <ipfix@ietf.org>
Cc: "Michael Tuexen" <tuexen@fh-muenster.de>; "Robin Seggelmann"
<seggelmann@fh-muenster.de>; "Daniel Mentz" <mentz@in.tum.de>
Sent: Tuesday, July 28, 2009 10:41 AM
Subject: [Syslog] Missing dead peer detection in DTLS


Hi,

This mail goes to the ipfix and syslog mailing lists in order to
summarize the common issues regarding DTLS.

IPFIX specifies support of DTLS as mandatory for transport over UDP and
SCTP in RFC5101. In SYSLOG, it is intended to standardize DTLS for
transport over UDP.

In IPFIX, we have a first implementation of IPFIX-over-DTLS/UDP, and we
will have a first implementation of IPFIX-over-DTLS/SCTP very soon.
During this implementation effort, we found that the current
specification of DTLS/UDP has a severe flaw when used with
unidirectional protocols (like IPFIX): The sender cannot recognize if
the receiver has crashed and lost the DTLS state.

We discuss this issue in a draft:
http://tools.ietf.org/html/draft-mentz-ipfix-dtls-recommendations-00
http://www.ietf.org/proceedings/75/slides/ipfix-6.pdf

I've had a look at draft-feng-syslog-transport-dtls-01 and
draft-petch-gerhards-syslog-transport-dtls-02. It seems that this
problem has not yet been covered, although the problem should be the
same for SYSLOG.

As a solution, the DTLS Heartbeat Extension has been proposed very recently:
http://tools.ietf.org/html/draft-seggelmann-tls-dtls-heartbeat-00
A feature patch for OpenSSL is available:
http://sctp.fh-muenster.de/dtls-patches.html#features

So, I think that we should support this standardization initiative as it
solves our problem. For IPFIX and SYSLOG over DTLS/UDP, we then can
specify that the DTLS Heartbeat Extension MUST be implemented.

Dan suggested having a single document solving the DTLS issues
regarding unidirectional protocols. I think that such a document is not
needed if we have the DTLS Heartbeat Extension.

Regards,
Gerhard

Dipl.-Ing. Gerhard Münz
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone:  +49 89 289-18008      Fax: +49 89 289-18033
E-mail: muenz@net.in.tum.de    WWW: http://www.net.in.tum.de/~muenz

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
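The failure mode Gerhard describes, and the heartbeat-based fix the thread proposes, as an added simulation that is not part of the original thread or of any of the drafts it cites. It models DTLS records as Python objects rather than the wire format, stands in for the negotiated keys with a random session token, and models the collector's crash as a process restart that wipes that token. The silent-discard behaviour follows RFC 4347 section 4.1.2.7 (invalid records are dropped without any alert); the heartbeat request/response type codes 1 and 2 and the "retransmit, then give up after N unanswered requests" behaviour are taken from RFC 6520, the published form of the Seggelmann draft, and are assumptions here since the thread only links the -00 draft.

```python
"""Simulation: why a unidirectional sender over DTLS/UDP cannot notice that
the receiver crashed and lost its DTLS state, and how a heartbeat fixes it.

Constructed example: records are Python objects, not DTLS wire format."""
import os
from dataclasses import dataclass
from typing import List, Optional

# Heartbeat message types (RFC 6520 values, assumed to match the -00 draft).
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2


@dataclass
class Record:
    session: bytes   # stands in for the epoch/keys negotiated at the handshake
    kind: str        # "app" (syslog/IPFIX payload) or "heartbeat"
    payload: bytes
    hb_type: int = 0  # only meaningful when kind == "heartbeat"


class Receiver:
    """The collector. A crash destroys its DTLS association."""

    def __init__(self) -> None:
        self.session: Optional[bytes] = None
        self.delivered: List[bytes] = []   # instrumentation only, survives the crash

    def handshake(self) -> bytes:
        self.session = os.urandom(8)       # fresh keys on every handshake
        return self.session

    def crash(self) -> None:
        self.session = None                # restart: no association exists any more

    def receive(self, rec: Record) -> Optional[Record]:
        # RFC 4347 sec. 4.1.2.7: a record that fails to authenticate is silently
        # discarded. Nothing goes back to the sender, so it learns nothing.
        if self.session is None or rec.session != self.session:
            return None
        if rec.kind == "heartbeat" and rec.hb_type == HEARTBEAT_REQUEST:
            # Heartbeat extension: echo the payload in a HeartbeatResponse.
            return Record(self.session, "heartbeat", rec.payload, HEARTBEAT_RESPONSE)
        if rec.kind == "app":
            self.delivered.append(rec.payload)
        return None


class Sender:
    """The exporter/syslog originator: it only ever sends."""

    def __init__(self, peer: Receiver, max_unanswered: int = 3) -> None:
        self.peer = peer
        self.max_unanswered = max_unanswered
        self.session = peer.handshake()    # handshake exchange itself is out of scope
        self.handshakes = 1

    def send(self, msg: bytes) -> None:
        # Fire-and-forget: there is no feedback channel for application data.
        self.peer.receive(Record(self.session, "app", msg))

    def probe(self) -> bool:
        """Send HeartbeatRequests with fresh payloads; the peer is considered
        dead once max_unanswered requests in a row get no matching response."""
        for _ in range(self.max_unanswered):
            nonce = os.urandom(4)
            resp = self.peer.receive(
                Record(self.session, "heartbeat", nonce, HEARTBEAT_REQUEST))
            if (resp is not None and resp.hb_type == HEARTBEAT_RESPONSE
                    and resp.payload == nonce):
                return True
        return False

    def ensure_alive(self) -> None:
        if not self.probe():
            self.session = self.peer.handshake()   # re-establish the association
            self.handshakes += 1


def run(use_heartbeat: bool) -> dict:
    """Send three messages, crash the receiver, send three more.
    Without heartbeats the last three are lost and the sender never knows."""
    rx = Receiver()
    tx = Sender(rx)
    for i in range(3):
        tx.send(f"msg{i}".encode())
    rx.crash()
    for i in range(3, 6):
        if use_heartbeat:
            tx.ensure_alive()
        tx.send(f"msg{i}".encode())
    return {"delivered": [m.decode() for m in rx.delivered],
            "handshakes": tx.handshakes}


if __name__ == "__main__":
    print("no heartbeat:", run(False))
    print("heartbeat:   ", run(True))
```

Without the probe the sender keeps emitting records against a session the receiver no longer holds, and every one of them is discarded in silence; the only thing that changes the outcome is a message that demands a reply, which is exactly what the heartbeat extension adds. Tom's alternative, letting the receiver initiate the DTLS connection, attacks the same gap from the other side: the party that loses state is then the one responsible for rebuilding it.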