Re: [TLS] DTLS 1.3 AEAD additional data

Hanno Becker <Hanno.Becker@arm.com> Wed, 22 April 2020 16:23 UTC

Return-Path: <Hanno.Becker@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18A833A1037 for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 09:23:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=UYLkhaiy; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=UYLkhaiy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-HaEKtQyyCd for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 09:23:34 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70058.outbound.protection.outlook.com [40.107.7.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC48E3A102D for <tls@ietf.org>; Wed, 22 Apr 2020 09:23:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q1A1Wy0Dwh1jWKl7a+PT6217Cb8bs4/AAIbVvQKh6/w=; b=UYLkhaiy0OYIlFaO7itEsNDgjs5uLyaxP3Q+nBCnymStYTgl8Dl8jIlXhcRSuT6fWhUPYwyngUOa1ZHCm4H4bAIvQr8n4oXXsTvxxjhpA92CnYJUChxRETJCb6sKrS9Fis+nqu2hiJ/NWXE9YPqtQ/ZX85QebIzQrYGM/batFro=
Received: from DB6PR0202CA0029.eurprd02.prod.outlook.com (2603:10a6:4:a5::15) by AM6PR08MB3862.eurprd08.prod.outlook.com (2603:10a6:20b:8c::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2921.27; Wed, 22 Apr 2020 16:23:30 +0000
Received: from DB5EUR03FT032.eop-EUR03.prod.protection.outlook.com (2603:10a6:4:a5:cafe::82) by DB6PR0202CA0029.outlook.office365.com (2603:10a6:4:a5::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Wed, 22 Apr 2020 16:23:30 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT032.mail.protection.outlook.com (10.152.20.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2900.18 via Frontend Transport; Wed, 22 Apr 2020 16:23:30 +0000
Received: ("Tessian outbound 43fc5cd677c4:v53"); Wed, 22 Apr 2020 16:23:30 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: dc68b9283a574c9e
X-CR-MTA-TID: 64aa7808
Received: from 34623c100c1f.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id C6950AA1-9C4A-4025-9CB9-F884DB1B4927.1; Wed, 22 Apr 2020 16:23:24 +0000
Received: from EUR04-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 34623c100c1f.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 22 Apr 2020 16:23:24 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=R7dvMFArZn1OH5UHqyElls//fmpxf04ssXazrVXh30TEgwT/Auv92Mo75dcp+NZJoP6AZtZvdod4BlBf03UGkB6iYwMfI2m8uCOlb2KMGC9ePlMjVDh+L/G+qEdD5LWWGUwLR1pIgxLKmkcQ7nSGFdP4sjc7tjxsBPv97wMNx3ebj93Ceb3/M2mrWV1Aq2ILvXViglKD7gK7VTbDE+ps7hV3Mev+VX0oq4Nlixzf42dhKiEuIejWbT+kFYAdOd5jpl86M7f4MMZQIZnjlvN8VbNOY3q4u8eivGh3yEsYNaRrp99PFzMEvejcUk+JUSEtInH6n2+/dS+0B8gx3+97wQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q1A1Wy0Dwh1jWKl7a+PT6217Cb8bs4/AAIbVvQKh6/w=; b=FnQSZ6L+sAD7dLHhFziFUGcvIir5g1oFcfFmV5aKUQ75aZztU5taI9mwHaAyBmLWwd3NOmZaoUVPm637JvoCK9mkk9vz5wbcYL6J5CBtitso0aHT4I3iKUppsGz0IIeIuHlY/OULzUNRf99SZ8wdA33a2ECwboB7AzqO9Hg/vdUfhubafc5zsQnB0gzBuVoy71+v9/7yt5h62827/zXDFg6ARPYxb7dP/t5r//1Ld+ixf6B+xSrMeBeHUWgw348dDhbdK68QBhBGQfe/eghBC8k+t/r9912wiTxuHMjDAf23wDoxieTaQxfY5AlGGJNu3V8g1zY7h8vOSGrcSUie+A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q1A1Wy0Dwh1jWKl7a+PT6217Cb8bs4/AAIbVvQKh6/w=; b=UYLkhaiy0OYIlFaO7itEsNDgjs5uLyaxP3Q+nBCnymStYTgl8Dl8jIlXhcRSuT6fWhUPYwyngUOa1ZHCm4H4bAIvQr8n4oXXsTvxxjhpA92CnYJUChxRETJCb6sKrS9Fis+nqu2hiJ/NWXE9YPqtQ/ZX85QebIzQrYGM/batFro=
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com (2603:10a6:209:45::15) by AM6PR08MB4769.eurprd08.prod.outlook.com (2603:10a6:20b:d0::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13; Wed, 22 Apr 2020 16:23:23 +0000
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::1579:b7d9:f543:200d]) by AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::1579:b7d9:f543:200d%5]) with mapi id 15.20.2921.030; Wed, 22 Apr 2020 16:23:23 +0000
From: Hanno Becker <Hanno.Becker@arm.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] DTLS 1.3 AEAD additional data
Thread-Index: AQHWF+iN1gKILcDltkmRr5OfopCaAaiD3VMAgAB8FQCAAE7VmIAAawyAgAAHdS6AAB8+AIAACQCR
Date: Wed, 22 Apr 2020 16:23:23 +0000
Message-ID: <AM6PR08MB3318717D21E69A2373AC1ACE9BD20@AM6PR08MB3318.eurprd08.prod.outlook.com>
References: <AM6PR08MB3318911C71C0DDB90480694A9BD50@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMs+o4BU5VhqJKmQvnkEe9RkQXRv7Ej6pVD1-e1vdMoyA@mail.gmail.com> <CABcZeBM9Ri=Rz5kbWn08Vk-Y14MVSALwB1Bd9QV=HfWoq3XqSA@mail.gmail.com> <AM6PR08MB33184161239B6383EA7D776C9BD20@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBM4wVkH_pdTZMakyV9Y=tk8PNDknHTFhjwX-sw3GOOaZw@mail.gmail.com> <AM6PR08MB3318D6A11587449627F6EA679BD20@AM6PR08MB3318.eurprd08.prod.outlook.com>, <CABcZeBNcODKehe217nr2jSedy6N6Gun+QYcksFp2Oqv6gLrzzw@mail.gmail.com>
In-Reply-To: <CABcZeBNcODKehe217nr2jSedy6N6Gun+QYcksFp2Oqv6gLrzzw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
x-originating-ip: [217.140.99.251]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 517655d2-2389-4dce-d7a5-08d7e6d97ed3
x-ms-traffictypediagnostic: AM6PR08MB4769:|AM6PR08MB3862:
X-Microsoft-Antispam-PRVS: <AM6PR08MB38627C1C124CFD47833237AF9BD20@AM6PR08MB3862.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:9508;
x-forefront-prvs: 03818C953D
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR08MB3318.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(346002)(366004)(396003)(136003)(39860400002)(71200400001)(7696005)(6506007)(26005)(4326008)(186003)(316002)(8936002)(8676002)(81156014)(86362001)(53546011)(6916009)(66556008)(66476007)(52536014)(76116006)(5660300002)(33656002)(9686003)(66446008)(64756008)(2906002)(478600001)(55016002)(19627405001)(966005)(66946007); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: gXpwWL/NKRDlFjLnoSIqdR//GdlZTfKdUCc42OsF29/0iDuR3Ly4ndlj3GysvugVH58P6HJNb6iAVMP+qDZvxAAMbMf/QCMsEeKW5wDQpE+L1fZOLG9ErQy4UpChYxwFY+wVtRVUzDQwmffe/NwJ4CQpocEx81XX2IhI7blWndEMCZHdzw0Wb/u2VpSNsu27fN6iw31EKpC7+jiI6iRcS5Bi7d/19e++ChkFIUuQ/gFAuRWQaLlj2W9HoeUC4DPlZSku52nGsjjqJkRsPPjRMLyWJUREbUJZn2nRT7s9FQFEQlTaETk7t2T5PjyxDIvF75N+k8xeWCUw+nMjyAsKuBtaT/WW9GOg2+Ydjolp3g62jk1h7REGVoeLK5MO74MWeuYV+cVRorlpOyzoxGV+bO4FQaFVOzlSx/nP7T22Oejru7EFKPX6XaYWA5wB3VYCIOeIJLS7w2VtLG7CmW2HKmryXnw7Ts6UXlkXdabBFOB2PmuGY07X2dwaCLEUpfr1Y4xae9dENT/y0OoYq+tprw==
x-ms-exchange-antispam-messagedata: UysydkuFfW4yTqmzTgWy18n3XUkfzsuPSlQxldYvQJn9KPllINTF8vfeR+WqfHZy/Whk1RHzWq8CekzRH/WRFhiktjb1uZDbay8unrmUtK4i0Je5CE7cHGZicQ8dyaERpLH+vLFzudlno2B/J2F3RA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM6PR08MB3318717D21E69A2373AC1ACE9BD20AM6PR08MB3318eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4769
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT032.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(39860400002)(396003)(376002)(136003)(346002)(46966005)(7696005)(478600001)(82740400003)(356005)(6862004)(19627405001)(81166007)(4326008)(966005)(86362001)(8676002)(81156014)(52536014)(55016002)(9686003)(336012)(8936002)(2906002)(30864003)(26005)(6506007)(5660300002)(33656002)(316002)(70586007)(47076004)(53546011)(70206006)(186003)(82310400002); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: b47ac96b-69bd-488b-99b5-08d7e6d97a89
X-Forefront-PRVS: 03818C953D
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: AEHYqJLM5GwJW7u+++xq4O++LDQgLKKcQqUstxgt8GWEKGXl8umJ8geIRzUvE0WgI8EhVbI8+7yJ/Z7PmMXj4GERz17aaygU1v+1s0wMbnn5kIilz7N9x59gU/icuPx7yHHQ/QBTpF16JHi8E0OhVcg+A/axx9a5DH0nY40iG711spFA2u/v0MRc+3U8OGaIGe9jGDHc4G/MaSabvrcjCjcmtZpoaAXsuaMU8CKVnE3jDXD7H+YPHPTCFny5hfy3jz2Y9tnEGh6KZBvJoqR0CgIjecog5OzY54Lzqj1JbYVwUIWpoXXm3SR01jqb7U+ZfJDmIsyXHAKbvoRr8bM6lKYwr46FSLr9un4YJYqm2yYyL2wu1y6JiygBI0+juQpXidPyEOMuHFmYswUkejWuVR4FZf3iQhW0wDnfjSb2wQmeW/COhsINZgfgtFG5+DctQNBiB9ccdq0zMudAtA9FnlxcTgYvHwjLnMy7194cYyAmgKhyCrYY0a8IVmipiA0sl75Y6m8DmIKnkCjc2E/fBIR+l0dmOxW07Ahnn2ND9GMvJ8/p7bqBcRxx56NYqJMINbixRAIPqjQyo5vgkyzJmA==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Apr 2020 16:23:30.6248 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 517655d2-2389-4dce-d7a5-08d7e6d97ed3
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB3862
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9eZKjMZbr1PJtl3Jpu_b_rx7MN0>
Subject: Re: [TLS] DTLS 1.3 AEAD additional data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 16:23:38 -0000

Hi Ekr,

I still don't yet understand which concrete problems you see with
the proposed solution. In particular, as mentioned in the last mail, I don't think there
is a contradiction with any design choice for TLS 1.3 - in contrast, decoupling
record header compression from record protection aligns with how cTLS
proposes to compress TLS 1.3 without affecting any cryptographic computations
and hence hopefully easing carrying over the security analysis of TLS 1.3. This decoupling
doesn't hold for the current DTLS 1.3 draft, and we seem to agree that in the case of CIDs,
it has already led to one missing cryptographic binding.

Anyway, let's wait for more opinions.

Best,
Hanno

________________________________
From: Eric Rescorla <ekr@rtfm.com>
Sent: Wednesday, April 22, 2020 3:47 PM
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] DTLS 1.3 AEAD additional data



On Wed, Apr 22, 2020 at 7:31 AM Hanno Becker <Hanno.Becker@arm.com<mailto:Hanno.Becker@arm.com>> wrote:

Considering the effort spent on shaving off bytes in the DTLS header,
I think re-introducing the explicit CID should be avoided. It seems
perfectly acceptable to me to have implicit header data which is
protected via AAD.

This is only relevant if there is a common useful case in which you would need to put multiple
DTLS records in the same datagram. Are you aware of such a case?

I can see the following uses:
1) Replying to KeyUpdate with Ack;;KeyUpdate, or replying to RequestConnectionID with Ack;;NewConnectionId
2) Sending multiple (short) app records if the application protocol doesn't provide its own framing.

Neither of these seem particularly compelling to me. The first happens very infrequently, and I'm not really aware of a lot of cases of the second.



> 1. Cryptographically protect it as in https://github.com/tlswg/dtls13-spec/pull/143

This seems to be a mixture of logical and on-the-wire representation, which
moreover duplicates the CID in case it is explicitly present in the header.

Yes, so?

Isn't this less efficient

Trivially.


and undoes the arguable benefit of the current solution that there's
no need to piece together an AAD buffer manually, because now you'd have to?

 I don't recall making that argument.

-Ekr


Best,
Hanno


Looking forward to hearing other WG member's views,
Hanno
________________________________
From: Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>
Sent: Wednesday, April 22, 2020 2:23 AM
To: Hanno Becker <Hanno.Becker@arm.com<mailto:Hanno.Becker@arm.com>>
Cc: tls@ietf.org<mailto:tls@ietf.org> <tls@ietf.org<mailto:tls@ietf.org>>
Subject: Re: [TLS] DTLS 1.3 AEAD additional data

I think there are two potential resolutions to your CID issue:

1. Cryptographically protect it as in https://github.com/tlswg/dtls13-spec/pull/143
2. Forbid implicit CIDs (my preference) see: https://github.com/tlswg/dtls13-spec/issues/144

Would like to hear what others in the WG think.

-Ekr


On Tue, Apr 21, 2020 at 10:59 AM Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:


On Tue, Apr 21, 2020 at 8:39 AM Hanno Becker <Hanno.Becker@arm.com<mailto:Hanno.Becker@arm.com>> wrote:
Hi all,

To my understanding, DTLS 1.3 defines AEAD additional data for record protection
as the record header as seen on the wire. Quoting Draft 37, Section 4:

```
   The entire header value shown in Figure 4 (but prior to record number
   encryption) is used as as the additional data value for the AEAD
   function.  For instance, if the minimal variant is used, the AAD is 2
   octets long.  Note that this design is different from the additional
   data calculation for DTLS 1.2 and for DTLS 1.2 with Connection ID.
```

I would like to suggest that DTLS 1.3 uses a structured representation
of the record header instead, as do all other versions of [D]TLS as
far as I understand.

I am not in favor of this change as proposed. I think it is better to protect the data that is actually on the wire than to allow for changes in the on-the-wire representation that are not reflected in the integrity check.


The reasons for this are as follows, in decreasing order of
my perception of importance:

- Omission of Connection ID

  Regarding the presence of Connection IDs in multiple records within
  a single datagram, Draft 37 says:

```
   Implementations which send multiple records in the same datagram
   SHOULD omit the connection id from all but the first record;
   receiving implementations MUST assume that any subsequent records
   without connection IDs belong to the same assocatiation.
```

  This means that the Connection ID for non-initial records in a
  datagram containing multiple records is _not_ part of the AEAD
  additional data for those records, which seems wrong. Concretely,
  one could inject such non-initial records into other datagrams
  using different CIDs, and the record protection wouldn't notice it.

This seems like a reasonable point, though it's not clear to me that there is an actual problem here. I'd be in favor of explicitly including the CID in the AD as well as the header.


  One might argue that CID shouldn't be part of the AEAD in the first
  place, but in any case, I believe the treatment should be uniform
  and not distinguish between initial and non-initial records in
  a datagram.

We're not distinguishing it. The AD is protecting the record on the wire.


- Modularity

  Decoupling the wire-presentation of the record header from
  record protection allows to implement record protection and
  the choice of record header independently: One piece of
  the implementation can take care of record protection -
  using the structured presentation of the record header - while
  another takes care of the wire-encoding. It is even possible
  to change the record header format in transit.

This seems like a defect, not a feature.


- Simplicity

  At first it seems that using the record header as an
  unstructured binary blob for AEAD makes things simpler,
  but I don't think this is the case: Prior to record
  decryption, the record sequence number needs to be
  decrypted, and for that purpose, the record header already
  has to be parsed. Hence, at the time of record decryption,
  the record header is already be present a modified, structured
  form, and retaining the corresponding modified binary form
  appears to create additional complexity which would be
  avoided if record protection would use the structured
  header presentation.

I've implemented this for QUIC (I can't remember who at Mozilla did it for DTLS) and it's not particularly difficult.


- Uniformity with other [D]TLS versions

I don't find this argument at all persuasive. To the contrary: we should break with  DTLS 1.2 in any case where it's an improvement and not too onerous.

-Ekr




Let me know what you think,

Best,
Hanno

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.