IETF Logo Mail Archive

[TLS] Re: draft-ietf-tls-dtls-rrc-14 ietf last call Secdir review

Thomas Fossati <thomas.fossati@linaro.org> Wed, 11 June 2025 07:35 UTC

Return-Path: <thomas.fossati@linaro.org>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9950B33863A8 for <tls@mail2.ietf.org>; Wed, 11 Jun 2025 00:35:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BwlLBo8cqtIz for <tls@mail2.ietf.org>; Wed, 11 Jun 2025 00:35:25 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D971E338638B for <tls@ietf.org>; Wed, 11 Jun 2025 00:35:25 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id ffacd0b85a97d-3a53359dea5so2744348f8f.0 for <tls@ietf.org>; Wed, 11 Jun 2025 00:35:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1749627325; x=1750232125; darn=ietf.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=EQyZf/ZtjB+RTYfEc3Ws+6lapoTc/1IC+9+pYRzkiVA=; b=r2+Bz/mZqie0DxUVJOqMfu6DsLMdhzwUT1H3Ocq6MdQSibZV/E1BavTcvz04FmH9rD q8q5YXK1gbvlPe9jUCIJO05vuQH6jWkyxWErTwArcYWsUc0dcbvfsnjx3pOGPYa0tg8S IAoBVPY4CMf743olrQPea4skRfRFEAoV/xiu3K/Yx+OJcxAdt2WHsOBsQJ8I6OSzv90z X61x2vnJAuXFZY36aCdt7po3nxjDND98GDuzhHL0PmiJAJ1+4HdQ4z7ECe35Snhr5C9Y SRQ3Yfv1uwhY+FY/2ol/G5p6VTVwDyAzDeDddwh9MQ74NBF55tqVA1P1a9cOK1IuCWoX WeZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749627325; x=1750232125; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=EQyZf/ZtjB+RTYfEc3Ws+6lapoTc/1IC+9+pYRzkiVA=; b=KdFQM9SBmCpYFP8yvdEGzy4qferJPVapew36b+BFw/iNTSyExYm25xE6Lor771eP3G cpsUmh492GgRIsPWs6ouKh0Q2/z/vYQFw0eAMvw0xl5JqMPmDkwl84Ue3fOGFAK/eX5C I9QY1RB1Rri2+3BIZGYN0vlaO2Gi1hsngecvPDH1D4g0E6ufRMswkCROMXGCM5fa1V9/ KaeeoYRCh+ge54OQtFkPztEFxvKIOzseoU4GpDqacRMb4g64MBwZropJs8Xp73XCi1Xx 75Ri4V4a9uqr5aDJcYOKrnqha8fqAj0yi1NpTEsUbs4G17+r1mbChz2ywKh9Yft+7Twl GrPg==
X-Forwarded-Encrypted: i=1; AJvYcCWZyfvfposKTa+39I3RHjVb6DwK/cMGDW2YsxsEe+KSjl90f9HttieAGvRZnAealaZSB6g=@ietf.org
X-Gm-Message-State: AOJu0YzQC7u3LYXwo5AULiKImihvg71m9TZVRf+1YY2GqLybjvkrhG3m jprMZZvvRmH7Ok+CRbCbqwdsoLVZ+XfwFBHuuHAdfTU0rzfTozmffZtYPPTxGZd07jUwYLhykpG rT5PS
X-Gm-Gg: ASbGnctD7symLGYCrdl4VvCqhOBClaztrkR9882UL/E5c4wJc+QCMU+46Z+HWLM+xNP sfEuWMo37RRcavQNnIY9AvoY6c5J+0TWc1nLGGIb2r0C/5wCYYkKSqwCl/XSflUjpAO1aq5d+JQ u5lozv9r6Mi4xVEurlG3j17duVIT/a8vFmp6NY7PFlTvI5P4/wriVo/ertSaBIsD3CqZUg82e4b zu8TJAkUpgQBzX5Oiz0UBeH1mP358xerchNgqEz3qAr3qRWbM023QUkyFdTVbK28B7U/Q7b/92N dWk/t2+ObvCwmDB/kx8osqq4fgiLCN8uCdHO4IPPOZpPCGrbo2H6sqf2KIBwn9vRLW7YoeRB0e5 M2Mad/1vyhhnCYQ59
X-Google-Smtp-Source: AGHT+IGnw+baQ3gQOtGQENDsz6AKeYTcn22Mn7pV7DUDEY6o74Aok2aFx9UWDbFOnnAZ+VTgeBkC2g==
X-Received: by 2002:a05:6000:288c:b0:3a5:266f:e6fb with SMTP id ffacd0b85a97d-3a558a455acmr1622998f8f.44.1749627324642; Wed, 11 Jun 2025 00:35:24 -0700 (PDT)
Received: from tho-mbp.home ([2a02:1210:6ac5:f500:bdc9:8ce9:4198:5e40]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3a532464e3csm14615536f8f.99.2025.06.11.00.35.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Jun 2025 00:35:24 -0700 (PDT)
Date: Wed, 11 Jun 2025 09:35:22 +0200
From: Thomas Fossati <thomas.fossati@linaro.org>
To: Mike Ounsworth <mike@ounsworth.ca>
Message-ID: <lobgf25ccbuqjrpqxdxw33ws53v3i2ly7ngdj4arnv3j4kero2@qqeubblluqw2>
References: <174949511014.3608990.214324245158264124@dt-datatracker-59b84fc74f-84jsl> <hoinqbl42vqettbny6gbk3aqedeq7nyuocgvehwq74wcupdrkw@334645svlcrj> <jqANMp6haiPUMBZeHclPUYeaNnf8W8undD0OQlImnFofXzymKP4MFMRoROR8RBlq8po0L9_TWOZ4xYKSI6fqiYQppZDXIY_cttkRer9ABy0=@ounsworth.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <jqANMp6haiPUMBZeHclPUYeaNnf8W8undD0OQlImnFofXzymKP4MFMRoROR8RBlq8po0L9_TWOZ4xYKSI6fqiYQppZDXIY_cttkRer9ABy0=@ounsworth.ca>
Message-ID-Hash: VKSJQFZ3C6RXRYCZRL5PYCW5GZ4RT5W7
X-Message-ID-Hash: VKSJQFZ3C6RXRYCZRL5PYCW5GZ4RT5W7
X-MailFrom: thomas.fossati@linaro.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, draft-ietf-tls-dtls-rrc.all@ietf.org, last-call@ietf.org, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: draft-ietf-tls-dtls-rrc-14 ietf last call Secdir review
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AVHE7FGfZPqMATRHtwx-i5mXNGc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Mike,

We have implemented the changes we discussed and agreed on, and
published -15 [1].

Thanks for your help!

cheers, t

[1] https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls-dtls-rrc-14&url2=draft-ietf-tls-dtls-rrc-15

On Tue, Jun 10, 2025 at 04:01:31PM +0100, Mike Ounsworth wrote:
>Hi Achim and Thomas,
>
>I should have numbered my comments for easier reference. Oh well.
>
>I think the suggestions you make below would be sufficient, thanks. Since my comments are about clarity and not content, I leave it up to you; I won't block the document either way.
>
>In my personal opinion, it would make the document easier to read if you inlined at least a summary of the relevant definitions from [RFC9146], [RFC9000], [Sect. 6 of this document] into the intro.
>
>This is personal style, but I think that anything that's core to understanding the main points of a document should be inlined, rather than forcing the user to go fishing in a half-dozen other documents. I like the phrase "blah blah from [RFCxxxx], which is reproduced here for clarity".
>
>-Mike
>"Knowing is a barrier which prevents learning" -- Frank Herbert, Dune.
>
>
>On Tuesday, June 10th, 2025 at 5:17 AM, Thomas Fossati <thomas.fossati@linaro.org> wrote:
>
>> Hi Mike,
>>
>
>> Thanks very much for the detailed review.
>>
>
>> On top of Achim's replay, see also a few other comments inline.
>>
>
>> On Mon, Jun 09, 2025 at 11:51:50AM +0100, Mike Ounsworth wrote:
>>
>
>> > [...]
>> > Naïve question (I am not a DTLS / routing expert). Does this spec
>> > introduce a new DDoS surface in the case that the new (preferred) path
>> > is longer, and therefore the connection will keep pausing to do this
>> > path-check? I expected to see somewhere a recommendation for a guard
>> > against that – only do this once per pair of paths, or something
>> > similar.
>>
>
>>
>
>> To trigger RRC you need to be able to send a "good" DTLS record,
>> otherwise, the receiver will drop it on the floor and continue as if
>> nothing happened. To do that, you either replay an old record and hope
>> the receiver doesn't have anti-replay on (at least in some form -- see
>> §6 of RFC9146), or you are racing a copy of an outstanding record over a
>> shorter/faster path. It is not possible to make the receiver start
>> doing RRC work otherwise, i.e., cheaply enough to introduce more DDoS
>> surface.
>>
>
>> > I would like to see the Introduction add a paragraph about
>> > mandatory-to-implement and interop implications of this draft; give a
>> > sense of whether this is a mandatory-to-implement extension to DTLS,
>> > or optional, and whether one side of the connection can perform this
>> > successfully even if the other end does not support it. I think the
>> > text I’m looking for is: “This specification defines a RECOMMENDED
>> > mechanism for DTLS 1.2 and 1.3. DTLS 1.2 and 1.3 implementations
>> > SHOULD implement this and include it in all DTLS ClientHellos, but
>> > note that no security value is obtained unless both parties support
>> > it”, but I’ll leave it to the experts to frame the correct wording.
>>
>
>>
>
>> OK, makes sense. Would something like the following work?
>>
>
>> A client offering the connection_id extension SHOULD also offer the
>> rrc extension, unless the application using DTLS has its own address
>> validation mechanism.
>>
>
>> > Intro needs more description of what the vulnerability is, and which
>> > party is gaining protection against which type of adversary by
>> > implementing this. You have this nicely and in great detail in Section
>> > 6, but I would pull a short summary up to the Intro. After reading
>> > section 6, I see that you are solving two problems:
>> > amplification-to-a-victim, and path-hijacking. You have some good
>> > sentences in Section 6 that you could pull up into a short summary of
>> > the issue and fix.
>>
>
>>
>
>> The intro defers to §6 of RFC9146 for providing the context and problem
>> description, and to §6 of RFCTHIS "to gain a detailed understanding of
>> the attacker model". IMHO we are good.
>>
>
>> > Nit: Section 4: “Future extensions to the Return Routability Check
>> > sub-protocol may define new message types.” … should that be a
>> > normative “MAY”?
>>
>
>>
>
>> I don't think tehre is anything normative in that sentecne.
>>
>
>> > Section 6: It would be nice if you synced up with the terminology for
>> > type of attack / attacker as defined in Section 3 of RFC3552. What you
>> > have is close to S. 3.2 of RFC3552; probably just needs a reference
>> > and a sentence “We extend the definitions of “on-path” and “off-path”
>> > attackers as given in [RFC3552] to more precisely fit the specifics
>> > addressed by this specification”. Could / should also site definitions
>> > in RFC 4949.
>>
>
>>
>
>> We could add:
>>
>
>> This definition differs from that of Section 3.5 of RFC3552 in that
>> an off-path attacker is able to observe packets.
>>
>
>> However, we already reference RFC9000, which makes the exact same point.
>>
>
>> Alternatively, to avoid repetition, we could refine the reference to
>> RFC9000 (adding §21.1).
>>
>
>> WDYT?
>>
>
>> > Section 6.1.1: “When receiving a packet with a known CID and a spoofed
>> > source address, an RRC-capable endpoint will…” Technically, the
>> > endpoint doesn’t know for a fact that it’s spoofed, right? I assume
>> > that the whole point of defining a challenge-response sub-protocol
>> > here is to distinguish the legitimate path-changes from attacks,
>> > right? I would say instead “When receiving a packet with a known CID
>> > and a source address that does not match, the RRC-capable endpoints
>> > will begin by assuming that it is spoofed and verify by …”
>>
>
>>
>
>> §6.1.1 needs to be read in the context established by §6.1 which
>> describes the amplification attack. In such context, the sender is
>> assumed to be the attacker that spoofs the source address to trick the
>> receiver.
>>
>
>> If that creates confusion, we could say instead:
>>
>
>> When receiving a packet with a known CID that has a source address
>> different from the one currently associated with the DTLS connection,
>> [...]
>>
>
>> It's slightly more clumsy but still readable.
>>
>
>> > Section 6: “The attack is more reliable if relatively few packets are
>> > sent or if packet loss coincides with the attempted attack.” I’m a
>> > little confused about the grammar of this sentence. I could see this
>> > meaning one of several things: That the attack is harder if the victim
>> > channel has some naturally-occuring (unrelated) packet loss that the
>> > attacker has no control over, but happens to coincide with the attack.
>> > That the attacker needs to induce packet loss in order to perform the
>> > attack, and this is easier if it’s an otherwise noise-free channel.
>> > That the off-path that the attacker is trying to migrate to should be
>> > noise-free. Either way, making this sentence more precise would help
>>
>
>>
>
>> The sentence says that the attacker has an easier life if:
>> 1. the application layer exchange is somewhat sparse, which can help
>> avoid dealing with the connection moving back to the legit path,
>> 2. packet loss on the legit path occurs simultaneously as the attacker
>> is executing the race, therefore increasing the chances of the attacker
>> winning the race.
>>
>
>> > Grammar: “In order to determine whether this path change was not
>> > triggered by an off-path attacker” In English, you don’t use the
>> > “whether … not” construction. I would suggest either: “... determine
>> > whether this path change was triggered by …” or “... determine that
>> > this path change was not triggered by …”
>>
>
>>
>
>> I like the second suggestion, thanks!
>>
>
>> > Joke: Figure 5 looks like what happens when I try to change my tax
>> > address with the government; and this triggers all sorts of paper mail
>> > to all my registered addresses.
>>
>
>>
>
>> :-)
>>
>
>> > You use language like “attacker trying to place itself on path”. Would
>> > it be more evocative to say “hijack the path”? Your described attack
>> > here seems to agree with the definition of “Hijack Attack” given in
>> > RFC 4949.
>>
>
>>
>
>> Maybe, but I am not sure. The attack as a whole is a combination of
>> active and passive wiretapping (in 4949 terms) whereas "hijack attack"
>> is defined as "A form of active wiretapping". So the match doesn't seem
>> perfect.
>>
>
>> > “If the path via the attacker is reliably faster than the old path
>> > despite multiple attempts to use that old path, it is not possible to
>> > distinguish between an attack and an improvement in routing.” This is
>> > funny. I am picturing a Wired.com article titled “Actor X hijacks the
>> > entire internet by providing faster, more reliable service”. Right.
>> > Hard to really call that an attack.
>>
>
>>
>
>> :-)
>>
>
>> > Section 7 intro: I feel like this needs some tie-back to the
>> > negotiation done during the ClientHello / ServerHello step.
>>
>
>>
>
>> We point to here in the forward direction (from §4):
>>
>
>> The RRC sub-protocol consists of three message types: path_challenge,
>> path_response and path_drop that are used for path validation and
>> selection as described in Section 7.
>>
>
>> I beelive this should be sufficient.
>>
>
>> > Like, the entirety of Section 7 only happens if this session
>> > negotiated to use RRC, right?
>>
>
>>
>
>> Yes
>>
>
>> > Section 7.2 / 7.3 is literally the first time in the document that the
>> > terms “Basic” / “Enhanced” appear. You at least need to introduce this
>> > at the top of section 7.
>>
>
>>
>
>> What about:
>>
>
>> It then initiates the return routability check. This document
>> describes two kinds of checks: basic (Section 7.2) and enhanced
>> (Section 7.1). The choice of one or the other depends on whether
>> the off-path attacker scenario described in Section 6.2 is to be
>> considered.
>>
>
>> > Basic vs Enhanced something that needs to be negotiated?
>> > Are these interop-equivalent and therefore implementer’s
>> > choice? … some introduction needed.
>>
>
>>
>
>> I believe these specific points are already discussed in §7.
>>
>
>> cheers, thanks!
>> t

v2.31.3 | Report a Bug | By Email | System Status