IETF Logo Mail Archive

Re: [TLS] Working group last call for draft-ietf-tls-dtls-heartbeat-02

Michael Tüxen <Michael.Tuexen@lurchi.franken.de> Mon, 22 August 2011 09:45 UTC

Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52B1021F85A4 for <tls@ietfa.amsl.com>; Mon, 22 Aug 2011 02:45:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.3
X-Spam-Level:
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RBbXtE78QmoT for <tls@ietfa.amsl.com>; Mon, 22 Aug 2011 02:45:17 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by ietfa.amsl.com (Postfix) with ESMTP id 8A52421F84D8 for <tls@ietf.org>; Mon, 22 Aug 2011 02:45:16 -0700 (PDT)
Received: from [192.168.1.103] (p5481B166.dip.t-dialin.net [84.129.177.102]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTP id BE19A1C0C0BD8; Mon, 22 Aug 2011 11:46:18 +0200 (CEST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Michael Tüxen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <4E520063.7020206@gnutls.org>
Date: Mon, 22 Aug 2011 11:46:17 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <B07FDAE5-4AB4-4277-8F0A-EA0A190280E1@lurchi.franken.de>
References: <67629EB8-CDF5-47B3-BC6E-C1A76E08C294@cisco.com> <4E520063.7020206@gnutls.org>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
X-Mailer: Apple Mail (2.1084)
Cc: tls@ietf.org
Subject: Re: [TLS] Working group last call for draft-ietf-tls-dtls-heartbeat-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2011 09:45:28 -0000

On Aug 22, 2011, at 9:08 AM, Nikos Mavrogiannopoulos wrote:

> On 08/22/2011 07:07 AM, Joe Salowey wrote:
>> This announcement is for the working group last call of 
>> draft-ietf-tls-dtls-heartbeat-02.  Please send comments to the list 
>> by September 09, 2011.
> 
> As I understand the draft this extension is 2 things:
> 1. A keepalive ping for TLS and DTLS
Correct.
> 2. PMTU discovery mechanism for DTLS
Incorrect. It provides a test message mechanism which can be
used for path MTU discovery as described in
http://tools.ietf.org/html/rfc4821
> 
> My unanswered comments on a previous post [0] still stand.
> I expand below.
> 
> I believe more rationale is needed in the draft on _why_ should
> these issues be solved at TLS or DTLS level.
> For (1), TCP has a keepalive mechanism, so reintroducing it at TLS
> doesn't make much sense, and UDP throws the burden to user protocol. So
> why not throw the burden on the protocol above?
> 
> The only discussion on text is:
>  "Sending HeartbeatRequest messages allows the sender to make sure that
>   it can reach the peer and the peer is alive.  Even in case of TLS/TCP
>   this allows this check at a much higher rate than the TCP keepalive
>   feature would allow."
> So is this just a high-rate TCP keepalive? Why do we need that at the
> security layer? Why not propose a high-rate TCP keepalive?
Regarding the keepalive feature:
Our main motivation is not TCP keepalives. The point is that there
are application protocols running over UDP which do not have a
mechanism in the app protocol to do this. This is fine when running
over UDP since the lower layer does not have any state. However,
when the lower layer becomes DTLS instead of UDP, there is state,
and it is not a good idea to keep this state there forever.
So having a way for DTLS to detect that the peer is gone, helps.
> 
> 
> About (2) Both TCP and UDP don't bother with a special PMTU discovery
> mechanism. Why should DTLS or TLS provide it? Are there advantages on
> making a PMTU discovery at this level?
Where else? TLS has no problem since TCP segments user messages. DTLS
running over UDP can not rely on it. That is why DTLS should determine
the PMTU. For doing this, it needs some messages for testing, preferable
not app data which might et lost during the testing.
Using the HB, you have a tool to do this without relying on ICMP
message.
> 
> 
> Note that I am not opposing to the idea of providing those, if there is
> a good reason, but I don't see that now.
I don't know how you can do
* path MTU discovery for DTLS/UDP with having some messages like the HB messages.
* how to detect your peer is gone in case of DTLS/UDP where the
  app protocol provides no mechanism (which is fine for UDP, since there is no state). 
  If I remember correctly, IPFIX is an example for this.
When having this, it makes sense to provide this also for TLS, since you can
use it to tune your liveliness check without relying on the transport stack being
changed. This might also help for keeping NAT state around...
> 
> regards,
> Nikos
> 
> [0]. http://www.ietf.org/mail-archive/web/tls/current/msg07580.html
As said above: the main difference is that UDP does not need any
state (assuming you use non-connected UDP sockets), DTLS does.

Best regards
Michael
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email