Re: [TLS] [Syslog] Missing dead peer detection in DTLS

Erick O <ericko0@yahoo.com> Fri, 18 September 2009 14:39 UTC

Message-ID: <443305.4608.qm@web45505.mail.sp1.yahoo.com>
References: <4A6EB9BB.9040002@net.in.tum.de> <000401ca111a$3bb01da0$0601a8c0@allison> <587230.84105.qm@web45508.mail.sp1.yahoo.com> <FB2DBF35-3F62-4557-90C3-1B917FF09CC8@fh-muenster.de>
Date: Fri, 18 Sep 2009 07:33:36 -0700
From: Erick O <ericko0@yahoo.com>
To: Michael Tuexen <tuexen@fh-muenster.de>
In-Reply-To: <FB2DBF35-3F62-4557-90C3-1B917FF09CC8@fh-muenster.de>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1490659396-1253284416=:4608"
Cc: ipfix@ietf.org, Daniel Mentz <mentz@in.tum.de>, Gerhard Muenz <muenz@net.in.tum.de>, syslog@ietf.org, tls@ietf.org
Subject: Re: [TLS] [Syslog] Missing dead peer detection in DTLS

________________________________
From: Michael Tuexen <tuexen@fh-muenster.de>
To: Erick O <ericko0@yahoo.com>
Cc: tom.petch <cfinss@dial.pipex.com>; Gerhard Muenz <muenz@net.in.tum.de>; syslog@ietf.org; ipfix@ietf.org; tls@ietf.org; Daniel Mentz <mentz@in.tum.de>
Sent: Thursday, September 17, 2009 11:59:06 PM
Subject: Re: [TLS] [Syslog] Missing dead peer detection in DTLS

Hi Eric,

See a comment in-line.

Best regards
Michael

On Sep 18, 2009, at 7:34 AM, Erick O wrote:

> 
> 
> From: tom.petch <cfinss@dial.pipex.com>
> To: Gerhard Muenz <muenz@net.in.tum.de>; syslog@ietf.org; ipfix@ietf.org; tls@ietf.org
> Cc: Michael Tuexen <tuexen@fh-muenster.de>; Daniel Mentz <mentz@in.tum.de>
> Sent: Thursday, July 30, 2009 2:44:11 AM
> Subject: Re: [TLS] [Syslog] Missing dead peer detection in DTLS
> 
> Gerhard
> 
> Thank you for pointing this out; it had escaped me.
> 
> What I had thought though was that the lack of flow control with DTLS over UDP
> is a problem, and that the lack of this with syslog over UDP led the syslog RFC
> [RFC5424] to make syslog over TLS the RECOMMENDED transport, not, as might be
> expected, syslog over UDP.
> 
> This in turn led me to expect that syslog over DTLS over UDP would not be
> acceptable to the IESG, rather that syslog over DTLS over SCTP would become the
> RECOMMENDED transport.
> 
> So; several thoughts.
> 
> This is an update to the extensions RFC, RFC4366, which itself is being updated
> by the TLS working group (hence my addition of them to the list) and I would
> much rather have one extensions RFC rather than several.  This is a good concept
> and fills a need; perhaps the TLS working group would take this on.
> 
> Flow control remains an issue which I do not think that this extension
> addresses.
There can be only one HB in flight, so this extension neither overloads
the receiver nor the network. Times are exponentially backed off.
So for the messages introduced in this ID, we have a simple congestion
and flow control.
> 
> Is this a security exposure? or just, like syslog over UDP, an inconvenient
> truth?
> 
> The petch-gerhards draft allows the recipient of the unidirectional flow to
> initiate the DTLS 'connection', and so enables it to re-establish the connection
> when anything goes wrong.  This would seem an alternative to consider.
> 
> Tom Petch
> 
> ----- Original Message -----
> From: "Gerhard Muenz" <muenz@net.in.tum.de>
> To: <syslog@ietf.org>; <ipfix@ietf.org>
> Cc: "Michael Tuexen" <tuexen@fh-muenster.de>; "Robin Seggelmann"
> <seggelmann@fh-muenster.de>; "Daniel Mentz" <mentz@in.tum.de>
> Sent: Tuesday, July 28, 2009 10:41 AM
> Subject: [Syslog] Missing dead peer detection in DTLS
> 
> 
> Hi,
> 
> This mail goes to the ipfix and syslog mailing lists in order to
> summarize the common issues regarding DTLS.
> 
> IPFIX specifies support of DTLS as mandatory for transport over UDP and
> SCTP in RFC5101. In SYSLOG, it is intended to standardize DTLS for
> transport over UDP.
> 
> In IPFIX, we have a first implementation of IPFIX-over-DTLS/UDP, and we
> will have a first implementation of IPFIX-over-DTLS/SCTP very soon.
> During this implementation effort, we found that the current
> specification of DTLS/UDP has a severe flaw when used with
> unidirectional protocols (like IPFIX): The sender cannot recognize if
> the receiver has crashed and lost the DTLS state.
> 
> We discuss this issue in a draft:
> http://tools.ietf.org/html/draft-mentz-ipfix-dtls-recommendations-00
> http://www.ietf.org/proceedings/75/slides/ipfix-6.pdf
> 
> I've had a look at draft-feng-syslog-transport-dtls-01 and
> draft-petch-gerhards-syslog-transport-dtls-02. It seems that this
> problem has not yet been covered, although the problem should be the
> same for SYSLOG.
> 
> As a solution, the DTLS Heartbeat Extension has been proposed very recently:
> http://tools.ietf.org/html/draft-seggelmann-tls-dtls-heartbeat-00
> A feature patch for OpenSSL is available:
> http://sctp.fh-muenster.de/dtls-patches.html#features
> 
> So, I think that we should support this standardization initiative as it
> solves our problem. For IPFIX and SYSLOG over DTLS/UDP, we then can
> specify that the DTLS Heartbeat Extension MUST be implemented.
> 
> Dan suggested to have a single document solving the DTLS issues
> regarding unidirectional protocols. I think that such a document is not
> needed if we have DTLS Heartbeat Extension.
> 
> Regards,
> Gerhard
> 
> Dipl.-Ing. Gerhard Münz
> Chair for Network Architectures and Services (I8)
> Department of Informatics
> Technische Universität München
> Boltzmannstr. 3, 85748 Garching bei München, Germany
> Phone:  +49 89 289-18008      Fax: +49 89 289-18033
> E-mail: muenz@net.in.tum.de    WWW: http://www.net.in.tum.de/~muenz
> 
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
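Added simulation (not from this thread and not the OpenSSL feature patch linked above) of the two points the thread makes: Gerhard's problem, that a unidirectional sender gets no feedback at all when the receiver crashes and loses its DTLS state, and Michael's answer, that the heartbeat extension keeps at most one HeartbeatRequest in flight and retransmits it with exponential backoff, so it adds no load problem of its own. Assumptions: the HeartbeatMessage layout (type, payload_length, payload, at least 16 bytes of padding) is taken from RFC 6520, the published form of draft-seggelmann; the timer (1 s, doubling, capped at 60 s) follows the DTLS retransmission rules; MAX_RETRANSMITS, the Collector/Exporter names, the one-record-per-second clock and the crash model (a crashed receiver silently drops every record) are constructed for this example.

```python
import os
import struct

CT_APPLICATION_DATA, CT_HEARTBEAT = 23, 24   # DTLS record content types (24 = heartbeat, RFC 6520)
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16                             # RFC 6520: at least 16 bytes of random padding
INITIAL_TIMEOUT, MAX_TIMEOUT = 1.0, 60.0     # DTLS retransmit timer: start 1 s, double, cap 60 s
MAX_RETRANSMITS = 5                          # assumed local policy; the draft leaves this open

def build_heartbeat(msg_type, payload):
    # HeartbeatMessage: type(1) | payload_length(2) | payload | padding(>= 16)
    return struct.pack("!BH", msg_type, len(payload)) + payload + os.urandom(MIN_PADDING)

def parse_heartbeat(body):
    # Returns (type, payload) or None.  The bounds check is the one a responder
    # must do before echoing; its absence in OpenSSL was CVE-2014-0160 (Heartbleed).
    if len(body) < 3 + MIN_PADDING:
        return None
    msg_type, payload_length = struct.unpack("!BH", body[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE) \
            or 3 + payload_length + MIN_PADDING > len(body):
        return None                          # silently discard, per RFC 6520
    return msg_type, body[3:3 + payload_length]

class Collector:
    # Receiver (constructed).  Set alive=False to model a crash that lost the DTLS state.
    def __init__(self):
        self.alive, self.records_accepted = True, 0

    def receive(self, record):
        if not self.alive:
            return None                      # cannot decrypt: dropped, no alert, no feedback
        if record[0] == CT_APPLICATION_DATA:
            self.records_accepted += 1
            return None
        parsed = parse_heartbeat(record[1:]) if record[0] == CT_HEARTBEAT else None
        if parsed and parsed[0] == HEARTBEAT_REQUEST:
            return bytes([CT_HEARTBEAT]) + build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])
        return None

class Exporter:
    # Sender (constructed).  One HeartbeatRequest in flight at most, retransmitted with backoff.
    def __init__(self, collector):
        self.collector, self.now, self.peer_dead, self.dead_at = collector, 0.0, False, None
        self.in_flight, self.deadline, self.timeout, self.retransmits = None, None, INITIAL_TIMEOUT, 0

    def send_data(self, payload):            # unidirectional: nothing ever comes back
        if not self.peer_dead:
            self.collector.receive(bytes([CT_APPLICATION_DATA]) + payload)
        return not self.peer_dead

    def send_heartbeat(self):
        if self.peer_dead or self.in_flight is not None:
            return False                     # one in flight: no extra load on peer or network
        self.in_flight, self.timeout, self.retransmits = os.urandom(8), INITIAL_TIMEOUT, 0
        self.deadline = self.now + self.timeout
        self._transmit()
        return True

    def _transmit(self):
        response = self.collector.receive(
            bytes([CT_HEARTBEAT]) + build_heartbeat(HEARTBEAT_REQUEST, self.in_flight))
        if response is not None:
            self.receive(response)

    def receive(self, record):
        parsed = parse_heartbeat(record[1:]) if record[0] == CT_HEARTBEAT else None
        if parsed and parsed[0] == HEARTBEAT_RESPONSE and parsed[1] == self.in_flight:
            self.in_flight = None            # echo of our random payload: peer holds our state

    def tick(self, elapsed):
        self.now += elapsed
        if self.in_flight is None or self.now < self.deadline:
            return
        if self.retransmits == MAX_RETRANSMITS:
            self.peer_dead, self.in_flight, self.dead_at = True, None, self.now
            return
        self.retransmits += 1
        self.timeout = min(self.timeout * 2, MAX_TIMEOUT)
        self.deadline = self.now + self.timeout
        self._transmit()

def run_scenario(total_records, crash_at, heartbeat_interval):
    # One record per second; the collector crashes just before record crash_at.
    # heartbeat_interval=None is plain DTLS/UDP without the extension.
    collector, crash_time, detected_at = Collector(), None, None
    exporter = Exporter(collector)
    for i in range(total_records):
        if i == crash_at:
            collector.alive, crash_time = False, exporter.now
        exporter.send_data(b"IPFIX data record %d" % i)
        if heartbeat_interval and i % heartbeat_interval == 0:
            exporter.send_heartbeat()
        exporter.tick(1.0)
        if exporter.peer_dead and detected_at is None:
            detected_at = i
    return {"accepted": collector.records_accepted, "detected_at": detected_at,
            "detection_delay": None if detected_at is None else exporter.dead_at - crash_time}
```

run_scenario(100, 20, 10) sends 100 records, crashes the collector before record 20 and sends a heartbeat every 10 records: the collector accepted 20 records, the exporter declares the peer dead at record 82, 63 s after the crash (1+2+4+8+16+32 s of backoff), and the heartbeats requested at records 30 to 80 are not sent because one is already in flight. run_scenario(100, 20, None) is the situation Gerhard describes: the same 20 records are accepted and the exporter never learns anything. The check a responder must not skip is the one in parse_heartbeat: compare payload_length with the bytes actually received before echoing.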