Re: [TLS] WGLC for draft-ietf-tls-dtls-connection-id-06

"Kraus Achim (INST/ECS4)" <Achim.Kraus@bosch-si.com> Tue, 16 July 2019 13:01 UTC

From: "Kraus Achim (INST/ECS4)" <Achim.Kraus@bosch-si.com>
To: Joseph Salowey <joe@salowey.net>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] WGLC for draft-ietf-tls-dtls-connection-id-06
Thread-Index: AQHVOzGCGG9depotj0O986oGEurUyqbNMKgQ
Date: Tue, 16 Jul 2019 13:01:17 +0000
Message-ID: <b897df4eb63f4c3d8ed0f94b9f9b23e0@bosch-si.com>
References: <CAOgPGoDA8UAM2Jjm_ajE12gOQYCnPZdOtVY2hL92S0bLVBi8_g@mail.gmail.com>
In-Reply-To: <CAOgPGoDA8UAM2Jjm_ajE12gOQYCnPZdOtVY2hL92S0bLVBi8_g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8EAYDGU5RqVcH6POHFZg30wcUYE>

Hello Joe,
Hello List,

With the issue https://github.com/tlswg/dtls-conn-id/issues/64 reported by Thomas Fossati
and the mail from Hannes Tschofenig (see http://ietf.10.n7.nabble.com/draft-tschofenig-tls-dtls-rrc-00-DTLS-Return-Routability-Check-RRC-td599108.html),
I'm not sure what the intended scope of "draft-ietf-tls-dtls-connection-id-06.txt" should be with regard to these issues.

I would prefer to have the basic advice to apply some kind of filter against modified replay attacks (either the
DTLS 1.2 anti-replay protection, https://tools.ietf.org/html/rfc6347#section-4.1.2.6, or other means; see the
proposal in https://github.com/tlswg/dtls-conn-id/issues/69) in "draft-ietf-tls-dtls-connection-id",
instead of including it in an additional RFC together with the more complex "on-path adversary" scenario.

"An on-path adversary can also black-hole traffic or create a reflection attack against third parties because a DTLS peer has no
means to distinguish a genuine address update event (for example, due to a NAT rebinding) from one that is malicious.
This attack is of concern when there is a large asymmetry of request/response message sizes."

I would prefer either to remove the "black-hole traffic", because that is not related to DTLS 1.2 CID, or to extend it into a
more general statement which clarifies that it's not related to CID.

Best regards

Achim Kraus

Engineering Cloud Services 4 Bosch IoT Hub (INST/ECS4) 


From: TLS <tls-bounces@ietf.org> On behalf of Joseph Salowey
Sent: Monday, 15 July 2019 19:19
To: <tls@ietf.org> <tls@ietf.org>
Subject: [TLS] WGLC for draft-ietf-tls-dtls-connection-id-06

This is the working group last call for draft-ietf-tls-dtls-connection-id-06.  The diff between the version that was last called (-03) and the current version can be found here: https://tools.ietf.org/rfcdiff?url2=draft-ietf-tls-dtls-connection-id-06.txt&url1=draft-ietf-tls-dtls-connection-id-03

Please focus your review on the changes since the previous last call and send comments to the list by July 22, 2019.  

Thanks,

C,S & J
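As an added illustration (not part of this thread, the draft or any implementation discussed in it) of the filter Achim asks for above: a constructed Python model of a CID-based DTLS 1.2 receiver that runs the RFC 6347 section 4.1.2.6 sliding-window anti-replay check before it lets a record change the recorded peer address. A captured record re-sent from a different source address is dropped by the window, whereas without the filter the same record moves the peer address. The record MAC, key, CID and addresses are constructed stand-ins, not the draft's wire format.

```python
import hmac
WINDOW = 64  # replay-window width in records; RFC 6347 4.1.2.6 follows the RFC 4303 sliding window
def record_tag(key, cid, seq, payload):
    """Constructed stand-in for the record MAC: binds CID, sequence number and payload to the key."""
    return hmac.new(key, cid + seq.to_bytes(6, "big") + payload, "sha256").digest()

class CidConnection:
    """Receiver-side state for one DTLS 1.2 connection that is looked up by CID, not by 5-tuple."""
    def __init__(self, cid, key, peer_addr, filter_replays=True):
        self.cid, self.key, self.peer_addr = cid, key, peer_addr
        self.filter_replays = filter_replays
        self.top = -1     # highest sequence number accepted so far (-1: none yet)
        self.bitmap = 0   # bit i set => record with sequence number top - i was already received

    def _is_replay(self, seq):
        if seq > self.top:
            return False                  # newer than anything seen: never a replay
        diff = self.top - seq
        return diff >= WINDOW or bool((self.bitmap >> diff) & 1)  # too old, or already seen

    def _mark_received(self, seq):
        if seq > self.top:                # slide the window forward and set the new top bit
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, src_addr, cid, seq, payload, tag):
        """Process one record; the peer address changes only for records that pass every check."""
        if cid != self.cid:
            return "unknown-cid"
        if self.filter_replays and self._is_replay(seq):
            return "replay"               # dropped before it can influence the peer address
        if not hmac.compare_digest(record_tag(self.key, cid, seq, payload), tag):
            return "bad-mac"
        self._mark_received(seq)
        if src_addr != self.peer_addr:
            self.peer_addr = src_addr     # fresh and authentic: treat as a NAT rebinding
        return "accepted"

def scenario(filter_replays):
    """Constructed exchange: one genuine record, then the same bytes re-sent from another address."""
    key, cid = b"constructed-key", b"\x01\x02"
    client, other = ("198.51.100.7", 5000), ("203.0.113.9", 4444)
    conn = CidConnection(cid, key, client, filter_replays)
    rec = (cid, 0, b"hello", record_tag(key, cid, 0, b"hello"))
    first = conn.receive(client, *rec)
    again = conn.receive(other, *rec)     # unchanged record, only the source address differs
    return first, again, conn.peer_addr
```

Calling `scenario(True)` keeps the original client address, while `scenario(False)` shows the address following the re-sent copy; the window also accepts out-of-order records that are still inside its 64-record span.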