Re: [TLS] Gaps in specification of DTLS 1.3 state machine
Martin Thomson <mt@lowentropy.net> Wed, 04 March 2020 23:33 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 320873A0C31 for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 15:33:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=kGLxo6GI; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=1/PURo5N
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rt28KxT-Au8j for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 15:33:07 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35C9D3A0C0B for <tls@ietf.org>; Wed, 4 Mar 2020 15:33:07 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 6FC7621F15 for <tls@ietf.org>; Wed, 4 Mar 2020 18:33:06 -0500 (EST)
Received: from imap2 ([10.202.2.52]) by compute2.internal (MEProxy); Wed, 04 Mar 2020 18:33:06 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm1; bh=Pd8N6 YpHCyerl9uXGT4YqrEe2lzrzU6MQIIfVcELnzU=; b=kGLxo6GIR9JBOxWV3y0nG FJWwo/Kdae+b43stPhJbehm883xS0Jycm2Y0NijE+L4go0mfueLZHYDoMJx+5p+W u3EGdwQdrIZ8qgUgM8CKoTS+tKFu0ntxxfD/rl1bF5blD917lg3lv3eEjoUUogWC youTrcfLfySOAO4nc3sGWk/H/3+QUAe8k8L8wVIj6TAaeC5/5CiCc8mElo2av9t7 bPFRWygoIn8Tz0LM7JUrVridzNJBPzlTRul2+zusmgyOfMW+0OcXu5mLRlqka7RC sitpwx2NOeLNzgDyU4TE+RKQYSkTiNHgEkU02GK8EJCBncpzhdUBsUrLjnSeuYqk A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=Pd8N6YpHCyerl9uXGT4YqrEe2lzrzU6MQIIfVcELn zU=; b=1/PURo5NzE0BnUWLFQWx0NmLmEGIV/0n/85wmbJ+RXJynmkKa3l4DXaDZ nVGGDV6dnOCG5fnWNXljdAubWHiprcyX/OGzbGffneVjljYe0/XN1fy73jaxD7mT pK5756qKfnxxQqzRkOqshKl/afyhMFbT7O3oRNCkkeFZ+XcanPYETTmEXET+Anwe 6mDrJ7v6Sa9+VmPUDiVT8Rgpe0Ve2+BlxguMHBZ9gLjlzNyVbia0hBF3H3MmGNYB 1Up9j1U3AiMCZ94x0Ucr1YOgiJD68FNblDXJrXqs/lubhnobg9V5novcHVuIc6c6 DeI5NP3DbdPH0IgEkziYr1e2GDWaQ==
X-ME-Sender: <xms:sjpgXpS-zCznOap1Iu9w2c6ehuPa0I5dIAshy8NPu_IrFJIY7e95jg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedruddtledguddtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehl ohifvghnthhrohhphidrnhgvtheqnecuffhomhgrihhnpehivghtfhdrohhrghenucevlh hushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigv nhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:sjpgXoOybt_grkaVHi84IDFQEtrGBUlh_M0H_yTLFTvwp8C0U6PnBw> <xmx:sjpgXjnTTpTFhpj3yAJWT_LvUbii5S0Yy2JjFkQUftHTMlRbX3IM_g> <xmx:sjpgXh-OVGLwX0RC7jDDpu_eXwjHsJjyQ7UqVU4wnirREY_9E3kqkg> <xmx:sjpgXmrd3B7MORXw-hXucS-e6OQ1M0oY5vHne-wCci_k05jpv6Lohg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 23422E00C4; Wed, 4 Mar 2020 18:33:06 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-986-gfc2d493-fmstable-20200304v3
Mime-Version: 1.0
Message-Id: <0287f75a-015e-49eb-a052-cf7a53f03035@www.fastmail.com>
In-Reply-To: <AM6PR08MB331811E58E80173B1D74D8349B1C0@AM6PR08MB3318.eurprd08.prod.outlook.com>
References: <AM6PR08MB331811E58E80173B1D74D8349B1C0@AM6PR08MB3318.eurprd08.prod.outlook.com>
Date: Thu, 05 Mar 2020 10:32:45 +1100
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4rQxlzqDEDaUUNxTUnPsizsJsxM>
Subject: Re: [TLS] Gaps in specification of DTLS 1.3 state machine
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 23:33:16 -0000
Option A please. Multiple state machines. It's unavoidable in any case. If you generate your own post-handshake message and then have to respond to post-handshake authentication, there will be two concurrent exchanges. We already require acknowledgment for both request and response in a two-way exchange. Since 2 is a member of the third class of numbers (0, 1, ∞), we might as well deal with the full implications of that. Handling this is fairly simple though. We can recommend limiting to only one active transmission at a time. And if implementations have an especially low tolerance for concurrency they can close connections. On Thu, Mar 5, 2020, at 01:19, Hanno Becker wrote: > Hi, > > [TL;DR] > The DTLS 1.3 spec (draft 34) doesn't fully describe the retransmission state > machine in the case of post-handshake messages, which requires clarification. > For example, is it allowed to send multiple post-handshake messages without > waiting for ACKs for the previous ones? If so, how is the retransmission > state machine modeled for sender and receiver in this case? > I'll describe and assess a few possible options, but I don't know the best > answer, and so this post is mostly a request for discussion, hopefully > resulting in some common understanding and clarification of the spec. > > Details: > > The following cases need addressing: > a) Is it allowed to send multiple post-handshake messages (e.g., > multiple session > tickets) without waiting for ACKs for the previous ones? If so, how is > the > retransmission state machine modeled for sender and receiver in this > case? > b) How should simultaneous sending/receiving of post-handshake messages > be handled? > The current retransmission state machine doesn't allow sending and > receiving > at the same time. > > Some thoughts on a) first: > > The spec mentions that post-handshake messages are treated as > single-message flights. > As such, the sender would enter WAITING state after sending the > post-handshake message, > and move to FINISHED on receipt of the corresponding ACK. This, > however, forbids sending > another post-handshake message in between, since sending isn't allowed > in WAITING state. > > Option A: Fork state machine > > One could circumvent this by 'forking' the retransmission state machine > for post-handshake > messages, i.e. declaring their semantics as if there were multiple > independent state machines > for each outstanding post-handshake message. This essentially degrades > the DTLS' ACK scheme > to a per-message acknowledgement. > > I believe that such an approach is not in the spirit of the rest of the > protocol and moreover > significantly increases complexity and thereby comes at the danger of > slower adoption and/or bugs. > Moreover, it will significantly harden efforts for formal verification, > which should be considered > in light of previous efforts on TLS 1.3. > > Option B: Don't allow multiple post-handshake messages > > Forcing implementations to await an ACK before sending the next > post-handshake message is a theoretical > option which would allow to stick to the existing state machine. > However, this significantly increases > the latency of, say, the delivery of multiple session tickets, which is > a valid use case. This is therefore > not a convincing option, either. > > Option C: Merge consecutive post-handshake messages into a single flight. > > Another approach would be to treat multiple post-handshake messages as > a single flight on the sender. > That is, when the sender is in state WAITING after sending the first > post-handshake message, and the > user request to send another one, it moves into SENDING and then back > into WAITING as usual, appending > the new post-handshake message to the (so-far single-message) flight. > > How would that be handled on the receiver side? > > That's not entirely clear because a basic property of the TLS handshake > that DTLS leverages now no longer > holds: Namely, that both sides implicitly know and agree on the bounds > of flights. Here, multiple post- > handshake messages would be treated as a single flight on the sender, > but the receiver doesn't know > when the flight is over. How should this be handled? > > This is to be explored further. One way to address this would be the following: > > Option D: Add an 'end-of-flight' signal to handshake messages to allow > dynamic-length flights. > > Recall that the handshake logic must inform the retransmission state > machine about when a flight > is over in the main handshake, allowing the state machine to transition > accordingly. This signal, > however, isn't explicitly conveyed to the receiver, because the > receiver can figure it out for > himself. > > As mentioned, this isn't true anymore for batched post-handshake messages. > > One simple way to deal with is to add an explicit 'end-of-flight' bit > in the handshake header > which informs the receiver about when a flight is over, in those > situations where it's not > clear from the context. > > This would allow to keep a single retransmission state-machine as-is > while allowing for > batched post-handshake messages such as multiple session tickets. > Moreover, such a signal > would be trivial to implement because it's already implicit in the main > handshake. > > For the wire-format, we can discuss different options, but that's an > orthogonal question > to the issue of finding the correct conceptual approach. > > > > Happy to hear everyone's thoughts. It would be great if we could come > up with some > precise description of the state machine evolution for post-handshake > messages that > is both simple and supports batched post-handshake messages. > > Best, > Hanno > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy > the information in any medium. Thank you. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Gaps in specification of DTLS 1.3 state mac… Hanno Becker
- Re: [TLS] Gaps in specification of DTLS 1.3 state… Martin Thomson
- Re: [TLS] Gaps in specification of DTLS 1.3 state… Hanno Becker
- Re: [TLS] Gaps in specification of DTLS 1.3 state… Eric Rescorla
- Re: [TLS] Gaps in specification of DTLS 1.3 state… Christopher Wood
- Re: [TLS] Gaps in specification of DTLS 1.3 state… Hanno Becker
- Re: [TLS] Gaps in specification of DTLS 1.3 state… Hanno Becker