[TLS] DTLS 1.3 sequence number lengths and lack of ACKs

David Benjamin <davidben@chromium.org> Fri, 12 April 2024 21:36 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5A77C14F703 for <tls@ietfa.amsl.com>; Fri, 12 Apr 2024 14:36:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.295
X-Spam-Level:
X-Spam-Status: No, score=-11.295 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-2.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h5eaF9BpGO8q for <tls@ietfa.amsl.com>; Fri, 12 Apr 2024 14:36:35 -0700 (PDT)
Received: from mail-yw1-x112d.google.com (mail-yw1-x112d.google.com [IPv6:2607:f8b0:4864:20::112d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15A1AC14F6A9 for <tls@ietf.org>; Fri, 12 Apr 2024 14:36:35 -0700 (PDT)
Received: by mail-yw1-x112d.google.com with SMTP id 00721157ae682-618904450bfso4519057b3.1 for <tls@ietf.org>; Fri, 12 Apr 2024 14:36:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1712957794; x=1713562594; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=SIVXeq+9Lqh21AttRii2T7+tsAhUHUznGfgIb4qwn+E=; b=c5dDHxsNA14juqSZEyUGKw2Gsn04RfFfbwUa/AyUM7xlUSG9b/ezfxOyJtOEkIdbhO da1OdghhF07r1w0lZcnxHe1XjUDEcNGu4JxsgpVyYpRqJG+N7rsTSpy5/9UVPLmSIqY7 gNfCZExs1p2mKkI6vf39PQBuVplKfYc07HpoE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712957794; x=1713562594; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=SIVXeq+9Lqh21AttRii2T7+tsAhUHUznGfgIb4qwn+E=; b=jcUiKGsyY1ZKE59z81bG2ADfbylINYpvXKauSWwYDPSvP4W7LKP2mlrZ9+/WbtFTq8 8kKJyb3ZUzizSFjz4ul1W0tCtVr+XNgen66AyNylUJhsaTyfHyITkpZvmAyX74D5SLU/ aslEh/A6RYf+VMWtqjQAP9X79nezn7pRwNoaRkUppZtuvztaGE4iC5nYPz/RDEWtorRc aelzOg11LFIPdRgMFmX3XJwA9dfnjy6uZNQ4JOI9M9TquWA7B0udem1BiZwt3d7fjTrx E4nLhyAKWBXsltYv9XKb7f05cwfQ6fNEle4SfkrDpMQEPNqiY1YWaycZTgcz+qfsAnFO E45Q==
X-Gm-Message-State: AOJu0Yyq2ZjgLgIVDxHIE8gCrpg/U20tVF5JbTZrStm4cBnG7KIr1uzB a05FMbKNO/cvLcN83bxl4dUzUneTvQWixZvITTauGgkO1Fv4H06W5OUQM+4huA43c0fF0XWdJG1 5vWeXZESeErTjkpBlHWaF17JBl0zDOCZObl6S9M708Yanybrs3sE=
X-Google-Smtp-Source: AGHT+IHxDco/suXmVKOs5PDBserEBeZQ9wUYpyaIU4GWoErxQXZ/C+4zwMNqCBeaTmCUAqPxT8LH2PHK3lBUpqzTrCo=
X-Received: by 2002:a25:8506:0:b0:dc7:4265:1e92 with SMTP id w6-20020a258506000000b00dc742651e92mr3100676ybk.23.1712957793429; Fri, 12 Apr 2024 14:36:33 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Fri, 12 Apr 2024 17:36:15 -0400
Message-ID: <CAF8qwaAyDTwdT12zdo=PfRH=zwVU5rJGnsrSgWrk4F1JHyZtDg@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Cc: bbe@chromium.org, Nick Harper <nharper@chromium.org>
Content-Type: multipart/alternative; boundary="000000000000cb80910615ed1048"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3IEIzc2ssdkZbyYEXIvz6t3ZhbI>
Subject: [TLS] DTLS 1.3 sequence number lengths and lack of ACKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 21:36:39 -0000

Hi all,

Here's another issue we noticed with RFC 9147: (There's going to be a few
of these emails. :-) )

DTLS 1.3 allows senders to pick an 8-bit or 16-bit sequence number. But,
unless I missed it, there isn't any discussion or guidance on which to use.
The draft simply says:

> Implementations MAY mix sequence numbers of different lengths on the same
connection

I assume this was patterned after QUIC, but looking at QUIC suggests an
issue with the DTLS 1.3 formulation. QUIC uses ACKs to pick the minimum
number of bytes needed for the peer to recover the sequence number:
https://www.rfc-editor.org/rfc/rfc9000.html#packet-encoding

But the bulk of DTLS records, app data, are unreliable and not ACKed. DTLS
leaves all that to application. This means a DTLS implementation does not
have enough information to make this decision. It would need to be
integrated into the application-protocol-specific reliability story, if the
application protocol even maintains that information.

Without ACK feedback, it is hard to size the sequence number safely.
Suppose a DTLS 1.3 stack unconditionally picked the 1-byte sequence number
because it's smaller, and the draft didn't say not to do it. That means
after getting out of sync by 256 records, either via reordering or loss,
the connection breaks. For example, if there was a blip in connectivity and
you happened to lose 256 records, your connection is stuck and cannot
recover. All future records will be at higher and higher sequence numbers.
A burst of 256 lost packets seems within the range of situations one would
expect an application to handle.

(The 2-byte sequence number fails at 65K losses, which is hopefully high
enough to be fine?  Though it's far far less than what QUIC's 1-4-byte
sequence number can accommodate. It was also odd to see no discussion of
this anywhere.)

David