Re: [TLS] TLS1.2 vs TLS1.0
Eric Rescorla <ekr@rtfm.com> Tue, 21 May 2013 22:43 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1970A21F8F0C for <tls@ietfa.amsl.com>; Tue, 21 May 2013 15:43:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.431
X-Spam-Level:
X-Spam-Status: No, score=-99.431 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1, RELAY_IS_203=0.994, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jv-mKseAHzKi for <tls@ietfa.amsl.com>; Tue, 21 May 2013 15:43:13 -0700 (PDT)
Received: from mail-qc0-x22c.google.com (mail-qc0-x22c.google.com [IPv6:2607:f8b0:400d:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 888921F0D23 for <tls@ietf.org>; Tue, 21 May 2013 15:43:08 -0700 (PDT)
Received: by mail-qc0-f172.google.com with SMTP id z1so716832qcx.3 for <tls@ietf.org>; Tue, 21 May 2013 15:43:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=3dIxBRNiYIAvaWRGOHUbn7VEA5ReKBz2pdXoFSHHkZw=; b=gW9n4yFRv5HXbIvXV6vihS/+qAWmIW29XOunsGcYl95Rp4OQJU2cJYd5JKeCB5l/Ww d4kDzBYeDjbZstsgZDTskcrf5c3fBkNk3sFvfWd8qVZcR4ZcFGMq+dRzfEpbphPxDzZj oSFDQafiTwrxJPr0ah2PoeiPdxjib3PZkJZ5PraGG3NPENm6UwKylT1wDKCwwgozx4+4 sjOaEGqfz5I71RYtufJkn9ESTzVbIWw5vzr8LC/CjrtgBwz4JQ+BgmjkBhUozr7rQqDV 0a68ulX0zRqtRdkRx79CthX1XnXxkqls5T0AawOfcS1+4QHrMii9Qynvo/Hh1mO1tEI1 XoVA==
X-Received: by 10.224.164.205 with SMTP id f13mr4579187qay.16.1369176187744; Tue, 21 May 2013 15:43:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.52.33 with HTTP; Tue, 21 May 2013 15:42:27 -0700 (PDT)
X-Originating-IP: [203.69.99.17]
In-Reply-To: <20130521143710.5B3E21A75A@ld9781.wdf.sap.corp>
References: <662E9209-1BE8-4403-BD6F-F502E0DDAC5B@rhul.ac.uk> <20130521143710.5B3E21A75A@ld9781.wdf.sap.corp>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 21 May 2013 15:42:27 -0700
Message-ID: <CABcZeBM+BpP8USk6MNMUp3NMYB8jgOcvB8+oKpQnte7AnFJAKQ@mail.gmail.com>
To: mrex@sap.com
Content-Type: multipart/alternative; boundary="089e0158bac24e44cd04dd422cd5"
X-Gm-Message-State: ALoCoQnp5TXErLZQU+FbgZJ5pwowAV28OmsunLnL036SWMfdq4cqHybOtVsaGLJMdH07mza16+7B
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.2 vs TLS1.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 May 2013 22:43:17 -0000
On Tue, May 21, 2013 at 7:37 AM, Martin Rex <mrex@sap.com> wrote: > Paterson, Kenny wrote: > > Hi > > > > On 21 May 2013, at 14:47, Martin Rex wrote: > > > Datagram TLS (DTLS) is another can of worms, because it has an > unreasonable > > > requirement to ignore unlimited amounts of MAC-failing DTLS records on > a > > > DTLS connection, but that is a defect from which the stream-oriented > > > regular TLS protocols do not suffer. > > > > True. Though the spec for DTLS does allow DTLS implementations to > > terminate a connection in the event of errors. > > > > It's just that most (all?) implementations don't. > > > Now that you mention it, I hadn't noticed that DTLS gives actual two > _different_ guidances (MAY abort on MAC error and MUST discard records > with MAC error are mutually exclusive) > > http://tools.ietf.org/html/rfc4347#section-4.1.2.1 > > 4.1.2.1 MAC (last paragraph): > > In general, DTLS implementations SHOULD silently discard data with > bad MACs. If a DTLS implementation chooses to generate an alert when > it receives a message with an invalid MAC, it MUST generate > bad_record_mac alert with level fatal and terminate its connection > state. > > http://tools.ietf.org/html/rfc4347#section-4.1.2.5 > > 4.1.2.5 Anti-replay (last paragraph): > > If the received record falls within the window and is new, or if the > packet is to the right of the window, then the receiver proceeds to > MAC verification. If the MAC validation fails, the receiver MUST > discard the received record as invalid. The receive window is > updated only if the MAC verification succeeds. > Hmm.... I'm not sure these are contradictory. If you get a packet with a MAC error you MUST discard the packet (i.e., not process it.) You may either *silently* discard it (i.e.., proceed as if you had not received it) or terminate the connection with an alert. -Ekr
- Re: [TLS] TLS1.2 vs TLS1.0 Paul Duffy
- [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Robert Cragie
- Re: [TLS] TLS1.2 vs TLS1.0 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.2 vs TLS1.0 Hanno Böck
- Re: [TLS] TLS1.2 vs TLS1.0 David McGrew (mcgrew)
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Paterson, Kenny
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Xiaoyong Wu
- Re: [TLS] TLS1.2 vs TLS1.0 Eric Rescorla
- Re: [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Geoffrey Keating
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Eric Rescorla
- Re: [TLS] TLS1.2 vs TLS1.0 Kemp, David P.
- Re: [TLS] TLS1.2 vs TLS1.0 Peter Gutmann
- Re: [TLS] TLS1.2 vs TLS1.0 Simon Josefsson