Re: [TLS] AD Evaluation of draft-ietf-tls-dtls13-39

Eric Rescorla <ekr@rtfm.com> Sun, 07 February 2021 20:45 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 013E43A1267 for <tls@ietfa.amsl.com>; Sun, 7 Feb 2021 12:45:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2pTjBCqAnxmx for <tls@ietfa.amsl.com>; Sun, 7 Feb 2021 12:45:51 -0800 (PST)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D2B13A13B5 for <tls@ietf.org>; Sun, 7 Feb 2021 12:45:39 -0800 (PST)
Received: by mail-lf1-x12d.google.com with SMTP id m22so19157885lfg.5 for <tls@ietf.org>; Sun, 07 Feb 2021 12:45:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IcOQGvXUlSpWj1jyZw1i+/1i7QYtUmOusr126HngRfU=; b=wl3nak+Q9Z1hsq3cZtSZt/f/zRAuA376jMipWtHZlomFott4aAD61GbpVMi3R+UDnz OBbzejf6w/q0/MNoqtkB3YThJxMEKLeOWHSrOJyb+Swd/rG4uz82m2GOuK+MrpULa4Cb Wk1b0SIgKxqAvit4jLPpBJt0yGws2fq2NtpHan5gVnzYzprdWmeuNf08puHy7o6h1CyE jZieC/vYgEPm8+AMXyy3XFn5BhJNhKcCnEOz5MK8LBVHL1BoXWKqtMJyU+8dxdrHP0bm TjxQqQupoxgCJgEL5roT2KJIvyakCPup2hHBG5todOKZi5XEv0Q+fo6IoqqJF8iSPt9f oX4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IcOQGvXUlSpWj1jyZw1i+/1i7QYtUmOusr126HngRfU=; b=TJ6WRW42+FZkXH2MUEG37fk+joXqwzUhqC992Ye27kDLvm0hjiryYi1i+XjdHO12sl zgRSHd5irU8yowhUuCzCQfWYCwHfftfbo2l0hGxR8gN41/Lw2Ihyz0vPwvrGrRnOnrzR L66f5MSFNsWg/CfZHBRaTpiwNgqDRiczLgd+cLK224tfOTca/M66YzIuNqzbkVf4W3lB DBk3Ybs7mwcIRkrq76tm1klFbcQ4U0mFAAKBgRPLDD8/tiZbRE0slTNa+AwuDxFn59UT O1GxPQ6D1xfJo8O+xScwqJnbrbEXRkd9IK6+unVJe+p4dLZ1RfT1Ad77EgshqpsFx22f KXmg==
X-Gm-Message-State: AOAM532hux0uv6MipGex1lORsHNGTDGVO2gT6rpHC57VzojEO9upGMCb b4EEdpUrgU5cmpez/TFBXmc4GHC5CrkZe63CEpuP4Q==
X-Google-Smtp-Source: ABdhPJwRwm3TfwRcJgpEwXqYAwkK08K78oXWk4+9CApOkl8L6sSyugLp92G2kabdcDYpNl+LvwQ34zThjBxy5eL+P4w=
X-Received: by 2002:a19:6447:: with SMTP id b7mr8274359lfj.206.1612730737498; Sun, 07 Feb 2021 12:45:37 -0800 (PST)
MIME-Version: 1.0
References: <20201113235134.GW39170@kduck.mit.edu> <CABcZeBMZR5hCpqBJFsdwMqYWn8fnR=2Ujxw4Y3Rt16MWeSJqsw@mail.gmail.com> <20210206011618.GM21@kduck.mit.edu> <CABcZeBNSOmAntPbwFDK3rc4kzjJ-d9754D=A7wjj5LCQskSM=A@mail.gmail.com>
In-Reply-To: <CABcZeBNSOmAntPbwFDK3rc4kzjJ-d9754D=A7wjj5LCQskSM=A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 7 Feb 2021 12:45:01 -0800
Message-ID: <CABcZeBM21dZ9XawA2Crf1muOdv-_=ovAJL8NuNPG6cjLRPUrcw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-tls-dtls13.all@ietf.org, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ba33b305bac522a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1SnlAHNJk8gqo_5aib8Z05z-mNU>
Subject: Re: [TLS] AD Evaluation of draft-ietf-tls-dtls13-39
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2021 20:45:54 -0000

I have posted -41, which I believe to be ready for IETF LC

-Ekr


On Sun, Feb 7, 2021 at 12:36 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Fri, Feb 5, 2021 at 5:16 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
>> Hi Ekr,
>>
>> Thanks for all the updates, and sorry to have dropped the ball over the
>> holidays.
>>
>> The changes in the -40 are basically all good, and I filed several PRs to
>> cover a few nits and places where you asked for suggested text.  (I see
>> you
>> merged most of them already; thanks!)  For everybody not getting
>> notifications for the githb repo, those are:
>>
>> https://github.com/tlswg/dtls13-spec/pull/208 (general nits)
>> https://github.com/tlswg/dtls13-spec/pull/209 (implementation pitfalls)
>> https://github.com/tlswg/dtls13-spec/pull/210 (anti-replay window per
>> epoch)
>> https://github.com/tlswg/dtls13-spec/pull/211 (implicit ACK)
>> https://github.com/tlswg/dtls13-spec/pull/212 (more security
>> considerations)
>>
>
> Thanks. I have merged these.
>
> The only other comment I had on the -40 that I didn't make a PR for is that
>> (now that we have the automation working to generate appendixes for the
>> procotol-description language) we don't actually show the new value for
>> ACK
>> as a ContentType anywhere!  It seems like we'd have to stick that in
>> Figure
>> 2 if we put it anywhere, though that's admittedly a bit disjointed from
>> where we actually start talking about the message in question.
>>
>
> Yeah, I think we can take a pass on this, but if someone has a clever
> idea, I'll
> take a PR.
>
> >
>> > > Section 4.5.3
>> > >
>> > > As mentioned above, we might mention any reduced limits due to
>> > > sequence-number protection (e.g., with ChaCha20) here, if they exist.
>> >
>> > Filed an issue:
>> > https://github.com/tlswg/dtls13-spec/issues/167
>>
>> It looks like we were maybe going to add a note saying that we don't know
>> the confidentiality bounds for multiple applications of RNE, but I don't
>> think we necessarily need to hold up for that.
>>
>
> MT and I discussed this and came to the conclusion it was OK because the
> nonce is 128-bits long and the bounds are much lower.
>
> https://github.com/tlswg/dtls13-spec/issues/167
>
>
>> > > (I note that a bit further on we say
>> > > "MUST create a new ClientHello ... [following] Section 4.1.2 of
>> > > [TLS13]", which seems to be enough of a normative requirement that the
>> > > "MUST" may not be needed here.)
>> > >
>> > >    The cookie extension is defined in Section 4.2.2 of [TLS13].  When
>> > >
>> > > Do we want to add any discussion of what is stored in the cookie
>> (other
>> > > than the RFC 2522-like address+ports and the ClientHello1 hash that
>> > > [TLS13] mentions), as mentioned in the thread at
>> > >
>> https://mailarchive.ietf.org/arch/msg/tls/QbteFvnk1H2K9OjfHGosuG9e9Rk/ ?
>> > > I am somewhat amenable to the stance that it's more appropriately done
>> > > in 8446bis.
>> >
>> > Yes, I think so.
>> > https://github.com/tlswg/tls13-spec/issues/1206
>>
>> This is still open (on 8446bis), but maybe my
>> https://github.com/tlswg/dtls13-spec/pull/212 covers some of the key
>> points for this document.
>>
>
> I think it does.
>
>
>> > > Section 5.3
>> > >
>> > > [Discussing ServerHello here for want of a better location.]
>> > >
>> > > We specify a ClientHello.legacy_version = {254,253}, but we seem to be
>> > > inheriting the unmodified TLS 1.3 ServerHello, complete with
>> > > ServerHello.legacy_version = 0x0303.  That seems problematic, since
>> the
>> > > legacy DTLS 1.2 ServerHello would use the expected {254,253} like the
>> > > ClientHello.
>> >
>> > https://github.com/tlswg/dtls13-spec/issues/170
>> >
>> >
>> > > Similarly, we should probably specify whether the sentinel
>> > > downgrade-protection Random values are used as-is from TLS 1.3, or if
>> we
>> > > have new ones for DTLS.
>> > > [end ServerHello topics]
>> >
>> > I don't think we need new ones. Don't we just inherit it?
>>
>> I think inheriting the same ones should work, protocol-wise.
>> I was only asking about mentioning them specifically sinnce their stated
>> semantics are tied to "if negotiating TLS 1.2" and "if negotiating TLS 1.1
>> or below", and a literal reading of those requirements doesn't make sense
>> for DTLS versions.
>>
>
> https://github.com/tlswg/dtls13-spec/pull/213
>
> > I don't think I understand you. This is a lockstep protocol so if you
>> > are sending the next flight, then the previous flight must have
>> > been received. In the post-handshake, you can run concurrent
>> > state machines.
>>
>> This was just an editorial comment, that the parenthetical "emptying the
>> buffer first" seems pretty vague about what is supposed to happen (and if
>> the buffer that's getting emptied is the same one used for "buffers them
>> for transmission").  My understanding of what's supposed to happen in
>> practice matches my understanding of your description here.
>>
>
> I changed it to "transmission buffer"
>
>>
>> > > The wording here is a bit amusing, as "up to no less than the ...
>> > > maximum" is facially nonsensical, but the RFC 6298 setting is in fact
>> > > the floor for the implementation-defined maximum.  I don't have a
>> clever
>> > > wording suggestion, though.
>> >
>> > Hmm.... I don't think it's nonsensical, because we're not bound
>> > by 6298, so that's just explaining where 60s comes from. How
>> > about:
>> >
>> >      and double
>> >      the value at each retransmission, up to no less than 60 seconds
>> >      (the maximum defined in RFC 6298)
>> >
>> > How does that sound?
>>
>> That reads better to me, but it's totally editorial (so, your call).
>>
>
> Done.
>
>
>> > >       encrypted.  This may improve correlation of packets from a
>> single
>> > >       connection across different network paths.
>> > >
>> > > I feel like the small width of the epoch field mitigates this somewhat
>> > > (though not fully).
>> >
>> > Sure.
>> >
>> >
>> > > Section 12.  Changes to DTLS 1.2
>> > >
>> > > This section is about changes *since* DTLS 1.2 (and I propose some
>> > > wording tweaks in my editorial PR).  But I think we should also
>> consider
>> > > whether we do need a section on "changes to DTLS 1.2", or rather
>> > > "changes affecting DTLS 1.2 implementations, along the lines of
>> > > https://tools.ietf.org/html/rfc8446#section-1.3 ("Updates Affecting
>> TLS
>> > > 1.2").
>> >
>> > Do you have some proposed contents?
>>
>> Having not actually implemented it, not really :)
>>
>> But skimming through, it seems like maybe
>>
>> - the AEAD limits might be worth using for TLS 1.2 as well
>>
>
> We didn't do this in 1.3 I don't believe, so I would not do it here either.
>
>
> - you have to do the downgrade protection HRR random values
>>
>
> - [the things that TLS 1.3 changed in TLS 1.2 probably also apply
>>
>
> https://github.com/tlswg/dtls13-spec/pull/214
>
> -Ekr
>
>