[Syslog] Missing dead peer detection in DTLS

Gerhard Muenz <muenz@net.in.tum.de> Tue, 28 July 2009 08:41 UTC

Message-ID: <4A6EB9BB.9040002@net.in.tum.de>
Date: Tue, 28 Jul 2009 10:41:31 +0200
From: Gerhard Muenz <muenz@net.in.tum.de>
To: syslog@ietf.org, "ipfix@ietf.org" <ipfix@ietf.org>
Cc: Michael Tuexen <tuexen@fh-muenster.de>, Robin Seggelmann <seggelmann@fh-muenster.de>, Daniel Mentz <mentz@in.tum.de>
Subject: [Syslog] Missing dead peer detection in DTLS

Hi,

This mail goes to the ipfix and syslog mailing lists in order to
summarize the common issues regarding DTLS.

IPFIX specifies support of DTLS as mandatory for transport over UDP and
SCTP in RFC5101. In SYSLOG, it is intended to standardize DTLS for
transport over UDP.

In IPFIX, we have a first implementation of IPFIX-over-DTLS/UDP, and we
will have a first implementation of IPFIX-over-DTLS/SCTP very soon.
During this implementation effort, we found that the current
specification of DTLS/UDP has a severe flaw when used with
unidirectional protocols (like IPFIX): The sender cannot recognize if
the receiver has crashed and lost the DTLS state.

We discuss this issue in a draft:
http://tools.ietf.org/html/draft-mentz-ipfix-dtls-recommendations-00
http://www.ietf.org/proceedings/75/slides/ipfix-6.pdf

I've had a look at draft-feng-syslog-transport-dtls-01 and
draft-petch-gerhards-syslog-transport-dtls-02. It seems that this
problem has not yet been covered, although the problem should be the
same for SYSLOG.

As a solution, the DTLS Heartbeat Extension has been proposed very recently:
http://tools.ietf.org/html/draft-seggelmann-tls-dtls-heartbeat-00
A feature patch for OpenSSL is available:
http://sctp.fh-muenster.de/dtls-patches.html#features

So, I think that we should support this standardization initiative as it
solves our problem. For IPFIX and SYSLOG over DTLS/UDP, we can then
specify that the DTLS Heartbeat Extension MUST be implemented.

Dan suggested having a single document solving the DTLS issues
regarding unidirectional protocols. I think that such a document is not
needed if we have the DTLS Heartbeat Extension.

Regards,
Gerhard

-- 
Dipl.-Ing. Gerhard Münz
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone:  +49 89 289-18008       Fax: +49 89 289-18033
E-mail: muenz@net.in.tum.de    WWW: http://www.net.in.tum.de/~muenz
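The failure mode described in the mail and the heartbeat-based remedy, as an added illustration that is not part of the original message or of the cited drafts: a constructed Python simulation in which a receiver that has lost its DTLS state silently drops the sender's records, and a request/response heartbeat with retransmission is what lets the sender notice the dead peer and re-handshake. The session ids, message types and retry count are assumptions of the model, not DTLS wire format.

```python
# Constructed model, not DTLS: dead-peer problem over DTLS/UDP and Heartbeat detection
import itertools
_session_ids = itertools.count(1)  # stands in for the DTLS epoch and keys

class Receiver:
    def __init__(self):
        self.session, self.delivered = None, []

    def handshake(self):
        self.session = next(_session_ids)
        return self.session

    def recv(self, record):
        if record["session"] != self.session:
            return None  # unknown keys: record fails auth and is silently dropped
        if record["type"] == "heartbeat_request":
            return {"type": "heartbeat_response", "payload": record["payload"]}
        self.delivered.append(record["payload"])

class Sender:
    def __init__(self, peer, max_retries=3):
        self.peer, self.max_retries = peer, max_retries
        self.session, self.sent, self.rehandshakes = peer.handshake(), 0, 0

    def send(self, msg):
        # Unidirectional flow: no reply ever comes, so delivery is unknown
        self.peer.recv({"session": self.session, "type": "app", "payload": msg})
        self.sent += 1

    def heartbeat(self):
        """True if the peer answered; otherwise re-handshake and return False."""
        for attempt in range(self.max_retries):  # retransmit unanswered requests
            resp = self.peer.recv({"session": self.session,
                                   "type": "heartbeat_request", "payload": attempt})
            if resp and resp["payload"] == attempt:
                return True
        self.session = self.peer.handshake()  # peer presumed dead: new session
        self.rehandshakes += 1
        return False

def scenario(use_heartbeat):
    rx = Receiver()
    tx = Sender(rx)
    tx.send("msg1")
    rx.session = None  # receiver crashes and loses its DTLS state, sender not told
    tx.send("msg2")  # dropped: receiver cannot authenticate it, sender never learns
    if use_heartbeat:
        tx.heartbeat()  # unanswered heartbeat reveals the dead peer
    tx.send("msg3")
    return tx.sent, rx.delivered, tx.rehandshakes
```

Without the heartbeat the sender counts three records sent while only the first was delivered; with it, the unanswered probes trigger one re-handshake and the third record gets through.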