Re: [TLS] DTLS 1.3 rekeying and the use of epoch values

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 09 July 2016 16:05 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A007512D56C for <tls@ietfa.amsl.com>; Sat, 9 Jul 2016 09:05:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Level:
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4mhLIT2CpAq5 for <tls@ietfa.amsl.com>; Sat, 9 Jul 2016 09:05:48 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 70FA812D1A1 for <tls@ietf.org>; Sat, 9 Jul 2016 09:05:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id BCB79899; Sat, 9 Jul 2016 19:05:46 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id CxM3_IUfYycg; Sat, 9 Jul 2016 19:05:46 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-177-32.bb.dnainternet.fi [87.100.177.32]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 8CD642315; Sat, 9 Jul 2016 19:05:46 +0300 (EEST)
Date: Sat, 09 Jul 2016 19:05:43 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <20160709160543.GA21163@LK-Perkele-V2.elisa-laajakaista.fi>
References: <577FB6EA.4070101@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <577FB6EA.4070101@gmx.net>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6if9TaNT3eadL9_BNoDnRsKHI9Q>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] DTLS 1.3 rekeying and the use of epoch values
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 16:05:51 -0000

On Fri, Jul 08, 2016 at 04:21:30PM +0200, Hannes Tschofenig wrote:
> Hi all,
> 
> based on the feedback from Ilari this week I have drafted initial text
> that talks about rekeying and the use of the epoch value.

One maybe workable scheme that occurs to me is: Outside special
epoches reserved for TLS handshaking itself (the first 4?), Both
sides send using the highest epoch they have seen successful
deprotection for or one bigger (both sides start at 4 at end of
handshake).

That would severly limit the frequency of rekeyings in fully
asynchronous usage tho (but fully asynchronous usage of UDP or anything
similar is probably a Bad Idea).

Also, the epoch use window would be sufficiently small to allow epoch
number on wire to wrap around (obviously the actual epoch number would
not wrap. That is, peer that has seen epoch 65535 (0xFFFF) from peer
can send at epoch 65536 (0x0000), which then can be bumped to 65537
(0x0001). 




-Ilari