Re: [TLS] Last Call: <draft-ietf-tls-rfc4347-bis-04.txt> (Datagram Transport Layer Security version 1.2) to Proposed Standard

Florian Weimer <> Mon, 20 December 2010 14:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C8B5F3A68B5; Mon, 20 Dec 2010 06:48:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.082
X-Spam-Status: No, score=-2.082 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bKdK1GCaQWqn; Mon, 20 Dec 2010 06:48:11 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 88F9E3A6897; Mon, 20 Dec 2010 06:48:10 -0800 (PST)
Received: from ([]) by with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) id 1PUh3o-0002Et-8l; Mon, 20 Dec 2010 14:50:00 +0000
Received: by with local id 1PUh3o-0003LK-45; Mon, 20 Dec 2010 14:50:00 +0000
To: Pekka Savola <>
References: <20101130132359.32419.3777.idtracker@localhost> <>
From: Florian Weimer <>
Date: Mon, 20 Dec 2010 14:50:00 +0000
In-Reply-To: <> (Pekka Savola's message of "Mon\, 20 Dec 2010 15\:15\:18 +0200 \(EET\)")
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [TLS] Last Call: <draft-ietf-tls-rfc4347-bis-04.txt> (Datagram Transport Layer Security version 1.2) to Proposed Standard
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Dec 2010 14:48:12 -0000

* Pekka Savola:

>    If there is a transport protocol indication (either via ICMP or via a
>    refusal to send the datagram as in DCCP Section 14), then DTLS record
>    layer should inform the upper layer protocol of the error.
> .. is this too weak?  I've have thought that it would be natural that if
> DTSLS record layer gets this notification (which, in the case of ICMP and
> omitting information, is not necessarily given), it MUST pass this
> information up. Note that the refusal to send could also apply to UDP
> if packet is bigger than PMTU and DF bit is set or IPv6 is used.
> What is the alternative if it doesn't?  It would be fine if
> the alternative is that the DTLS record layer react to that information
> itself, but completely ignoring e.g. ICMP packet too big would lead to
> communication failure.

ICMP packet too big is typically handled by the stack, not the
application.  The stack updates the stored path MTU, the application
tries again, and this time, the stack produces smaller fragments.

AFAIUI, requiring ICMP processing in applications prescribes an
implementation model based on connected UDP sockets (in the
terminology of the BSD sockets API).  This is not always desirable or

Florian Weimer                <>
BFK edv-consulting GmbH
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99