IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Matt Caswell <matt@openssl.org> Thu, 02 November 2017 16:32 UTC

Return-Path: <matt@openssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72E0B13F5BA for <tls@ietfa.amsl.com>; Thu, 2 Nov 2017 09:32:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fT-gLNa91sB2 for <tls@ietfa.amsl.com>; Thu, 2 Nov 2017 09:32:23 -0700 (PDT)
Received: from mta.openssl.org (mta.openssl.org [IPv6:2001:608:c00:180::1:e6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59DB413B262 for <tls@ietf.org>; Thu, 2 Nov 2017 09:32:22 -0700 (PDT)
Received: from [10.51.10.6] (unknown [104.238.169.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta.openssl.org (Postfix) with ESMTPSA id 0A7BAE66A4 for <tls@ietf.org>; Thu, 2 Nov 2017 16:32:19 +0000 (UTC)
To: tls@ietf.org
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com> <CABkgnnXT7nv9aNQh12deeitF1CurENpxgUicn9GHjMbojcEvJg@mail.gmail.com> <D0524862-083C-4576-98B8-6D8A4825D458@nokia.com> <CABkgnnW4d=H5RZ0E+Hwo4jQptDpshVVuFtD-xQudJzxLXyReAQ@mail.gmail.com>
From: Matt Caswell <matt@openssl.org>
Message-ID: <4833b54e-880b-c2c4-99ed-4dde0c96fc5c@openssl.org>
Date: Thu, 02 Nov 2017 16:32:18 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CABkgnnW4d=H5RZ0E+Hwo4jQptDpshVVuFtD-xQudJzxLXyReAQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2yCE5Hfyox4i3MxobSUEZsMSW2A>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Nov 2017 16:32:25 -0000


On 17/10/17 22:35, Martin Thomson wrote:
> On Tue, Oct 17, 2017 at 9:26 PM, Fossati, Thomas (Nokia -
> GB/Cambridge, UK) <thomas.fossati@nokia.com> wrote:
>> The following case (NAT box reboot) is problematic:
>>
>> 1. Application '1' on host A (A.1) uses DTLS+CID with application '1' on
>>    host B (B.1);
>> 2. Application '2' on host A (A.2) uses plain-old DTLS with B.1;
>> 3. The NAT box reboots (all previous 5-tuple mappings are lost);
>> 4. B.1 receives a record from A.1 (whose 5-tuple has changed in the
>>    meanwhile);
>>
>> How is B.1 supposed to correctly interpret the bytes starting at offset
>> +11?  (For what it knows, it could be CID from A.1 or the length field
>> from A.2.)
> 
> I don't think that this is a problem.
> 
> connection = five_tuples.lookup(packet.five_tuple)
> if (!connection) {
>   connection = connection_ids.lookup(packet[connection_id_offset:connection_id_offset+connection_id_length])
> }

Just skimming this old thread...doesn't this fail in the case where the
five tuple has been reused? In that case five_tuples.lookup will return
an old stale connection which the server thinks is still valid so we
never get to lookup the connection id. With an explicit marking we would
not fail in this scenario.

Matt

v2.23.0 | Report a Bug | By Email