Re: [TLS] Updated DTLS draft
Matt Caswell <frodo@baggins.org> Thu, 16 March 2017 23:58 UTC
Return-Path: <frodo@baggins.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46432129A9B for <tls@ietfa.amsl.com>; Thu, 16 Mar 2017 16:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xM__3-I1vdAs for <tls@ietfa.amsl.com>; Thu, 16 Mar 2017 16:58:56 -0700 (PDT)
Received: from mx496502.smtp-engine.com (mx496502.smtp-engine.com [IPv6:2001:8d8:968:7d00::19:7e53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3D43129717 for <tls@ietf.org>; Thu, 16 Mar 2017 16:58:56 -0700 (PDT)
Received: from mail-it0-f52.google.com (mail-it0-f52.google.com [209.85.214.52]) by mx496502.smtp-engine.com (Postfix) with ESMTPSA id A6B46B31 for <tls@ietf.org>; Thu, 16 Mar 2017 23:58:51 +0000 (GMT)
Received: by mail-it0-f52.google.com with SMTP id w124so6796885itb.1 for <tls@ietf.org>; Thu, 16 Mar 2017 16:58:51 -0700 (PDT)
X-Gm-Message-State: AFeK/H3ehrGZGVrt4hgtcujHM8Zow+6SrcKURsKHtyxIle2jLv6WKQUFl5NTEHwCQX0RMCY6Sh9A8sbNvAAJ/Q==
X-Received: by 10.36.59.7 with SMTP id c7mr413718ita.43.1489708730230; Thu, 16 Mar 2017 16:58:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.147.155 with HTTP; Thu, 16 Mar 2017 16:58:49 -0700 (PDT)
In-Reply-To: <CABcZeBPjry16=zpwajosiKtiA3ADeFsgZdkN+cFBdg6iTjQrfQ@mail.gmail.com>
References: <CABcZeBPjry16=zpwajosiKtiA3ADeFsgZdkN+cFBdg6iTjQrfQ@mail.gmail.com>
From: Matt Caswell <frodo@baggins.org>
Date: Thu, 16 Mar 2017 23:58:49 +0000
X-Gmail-Original-Message-ID: <CAMoSCWbtzm49uyg8qTgEnhcRox5Bx4vi=rQ56GcDG9fj_RmL8w@mail.gmail.com>
Message-ID: <CAMoSCWbtzm49uyg8qTgEnhcRox5Bx4vi=rQ56GcDG9fj_RmL8w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6S3hZQg7I_OFMGhhF-XeE3UQeI8>
Subject: Re: [TLS] Updated DTLS draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Mar 2017 23:58:58 -0000
On 13 March 2017 at 23:41, Eric Rescorla <ekr@rtfm.com> wrote: > I have just posted a new version of the DTLS 1.3 draft, updated for > draft-19. > It's still very rough with a lot of open issues (some of which are even > noted > in the draft), and no doubt contains egregious errors. > > https://tools.ietf.org/html/draft-rescorla-tls-dtls13-01 > > As usual, comments welcome. Section 5.1 The cookie mechanism is meant to be entirely stateless on the server side. However as it is currently specified it is not (and in fact DTLS1.2 suffers from the same issue). The problem is that the ClientHello may be fragmented. In order to reassemble it the server must allocate state. In OpenSSL 1.1.0 for DTLS1.2 we require that the cookie is entirely held within the first fragment of the ClientHello. This way the cookie can be validated without needing to fully reassemble the message (assuming the cookie validation function does not need any information contained within a later fragment). Only once the cookie is validated do we then attempt to reassemble the rest of the ClientHello. If the cookie is not held within the first fragment then we drop the packet. OpenSSL prior to 1.1.0 can't handle a fragmented DTLS ClientHello at all (when running in stateless mode - we have the option of running stateful which does work). We kind of get away with this for DTLS1.2. The cookie is relatively early in the CH message (i.e. prior to ciphersuites etc). So a CH would have to be fairly significantly fragmented for it to be a problem. In DTLS1.3 the cookie is now (potentially) much larger and appears much later in the ClientHello, making it much more likely that it will not fall fully within the first fragment. This could mean a fully stateless solution is impossible. Matt
- [TLS] Updated DTLS draft Eric Rescorla
- Re: [TLS] Updated DTLS draft Matt Caswell
- Re: [TLS] Updated DTLS draft Martin Thomson
- Re: [TLS] Updated DTLS draft Matt Caswell
- Re: [TLS] Updated DTLS draft Eric Rescorla
- Re: [TLS] Updated DTLS draft Ilari Liusvaara
- Re: [TLS] Updated DTLS draft Martin Thomson