IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Martin Thomson <martin.thomson@gmail.com> Tue, 17 October 2017 21:35 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD409132939 for <tls@ietfa.amsl.com>; Tue, 17 Oct 2017 14:35:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azIiOj1Ffjax for <tls@ietfa.amsl.com>; Tue, 17 Oct 2017 14:35:41 -0700 (PDT)
Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1137613209C for <tls@ietf.org>; Tue, 17 Oct 2017 14:35:41 -0700 (PDT)
Received: by mail-oi0-x231.google.com with SMTP id c202so5597500oih.9 for <tls@ietf.org>; Tue, 17 Oct 2017 14:35:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=LZE+rSzmhwLGNjGiXEpG/ADdLJ+XcW7MT707M2LsypU=; b=GhtNwYAkLqZ470WaZSTjfkmwg8oXd/zM/1KR9HBscXipn7lXo9pz5ct0U+R8//or9k lBrWX2Vm4kb4vnyGDCXQIsaD/fFPhBBfCtSn1r+na42kuioGR0NGG+t7kiw8EwUNVVdq YQra4PGMj9cM3nwVpQ6SmpdAmRjbGXLuJul1KTbYxBsLTIg4vUGfzFyoMUtdYH7SAnes gqP0yQJKEY6yFMDYIiOnUbNeRfN/ywd04LOp3b/5skM8lPo85PWJCx24eFgjRpHNSXV5 Wfalgrs0/cTjs6Op/AHVy8XoW3l9DcVKXf+uU4FFBHDqnUIk5KtsU0h7pk9QR6PVH8cv UBKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=LZE+rSzmhwLGNjGiXEpG/ADdLJ+XcW7MT707M2LsypU=; b=ibIDgDjN5DrDwKgNtqqQnU95KRhyTTPuAknVBPSNf+aN+2UvB7rxXrE+jrEQ/2tR8D Eq0AJJFFbuWn3OpdJAJ+qJQFQUPAROxJH/G4d2bRKVyKSfSL5y7h8pW/cdaield12FL1 hK5W8IOdqeOUTdkfA9jXojxt/GaDNgd/QE3jD6G5yAPn+exE1QkHQ1rbPCYq0LU2DZzy AhxoDgVXjqgvXvLXfyA+WOEZfzutMX7G2TfRldvgtY4isRJTbi2PDC9Cc/9u/RgzwaH/ izNLZ7IcLrXtMz41YpWRulXsBKl0LcgNtMaKRPwW6PWXoe8kZzrpeS5zqfNxlg+2SV36 Iv2A==
X-Gm-Message-State: AMCzsaV+znhQkNrGnhiATc1vYVhUU/5HybvqtAb8WVXTiWHb/fLN3NRZ qIDBisv6GyLloTlqKGr0Rdtr0In6t0ZwgEJpIJs=
X-Google-Smtp-Source: ABhQp+T4BxGpVA8qrW5Uksp0LWqABmRG3olM2xefAX7YSPKQdT1pjkDF43ljNeTa5qf+lDhflR2NdZY382K88hFiEDo=
X-Received: by 10.202.67.135 with SMTP id q129mr7198392oia.390.1508276140367; Tue, 17 Oct 2017 14:35:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.72.178 with HTTP; Tue, 17 Oct 2017 14:35:39 -0700 (PDT)
In-Reply-To: <D0524862-083C-4576-98B8-6D8A4825D458@nokia.com>
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com> <CABkgnnXT7nv9aNQh12deeitF1CurENpxgUicn9GHjMbojcEvJg@mail.gmail.com> <D0524862-083C-4576-98B8-6D8A4825D458@nokia.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 18 Oct 2017 08:35:39 +1100
Message-ID: <CABkgnnW4d=H5RZ0E+Hwo4jQptDpshVVuFtD-xQudJzxLXyReAQ@mail.gmail.com>
To: "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9WTsIvlnM0-P1gulpgYxM0rsLsI>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Oct 2017 21:35:44 -0000

On Tue, Oct 17, 2017 at 9:26 PM, Fossati, Thomas (Nokia -
GB/Cambridge, UK) <thomas.fossati@nokia.com> wrote:
> The following case (NAT box reboot) is problematic:
>
> 1. Application '1' on host A (A.1) uses DTLS+CID with application '1' on
>    host B (B.1);
> 2. Application '2' on host A (A.2) uses plain-old DTLS with B.1;
> 3. The NAT box reboots (all previous 5-tuple mappings are lost);
> 4. B.1 receives a record from A.1 (whose 5-tuple has changed in the
>    meanwhile);
>
> How is B.1 supposed to correctly interpret the bytes starting at offset
> +11?  (For what it knows, it could be CID from A.1 or the length field
> from A.2.)

I don't think that this is a problem.

connection = five_tuples.lookup(packet.five_tuple)
if (!connection) {
  connection = connection_ids.lookup(packet[connection_id_offset:connection_id_offset+connection_id_length])
}
if (!connection) {
  // is this a ClientHello?  otherwise drop it
}

Of course this doesn't help you with A.2, but that's why this draft exists.

If the server can insist on connection IDs from all clients (in the
far future perhaps, or for an entirely new protocol), then the code is
more simply:

connection = connection_ids.lookup(packet[connection_id_offset:connection_id_offset+connection_id_length])
if (!connection) {
  // is this a ClientHello?  otherwise drop it
}

> I might be missing something fundamental here, but isn't the length
> encoded in the CID field on the wire?

Not by my understanding.  There isn't any need (the intent is to have
the CID only consumable by the entity that created it, and any others
that it collaborates with, like a load balancer).

v2.23.0 | Report a Bug | By Email