IETF Logo Mail Archive

[TLS] Final (hopefully) issues with DTLS 1.2

Eric Rescorla <ekr@rtfm.com> Mon, 23 May 2011 13:19 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2C07E07AC for <tls@ietfa.amsl.com>; Mon, 23 May 2011 06:19:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.925
X-Spam-Level:
X-Spam-Status: No, score=-101.925 tagged_above=-999 required=5 tests=[AWL=-1.052, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_LOW=-1, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oq2X2nqfUFyb for <tls@ietfa.amsl.com>; Mon, 23 May 2011 06:19:04 -0700 (PDT)
Received: from mail-iy0-f172.google.com (unknown [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE05E079E for <tls@ietf.org>; Mon, 23 May 2011 06:19:04 -0700 (PDT)
Received: by iyn15 with SMTP id 15so6043735iyn.31 for <tls@ietf.org>; Mon, 23 May 2011 06:19:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.136.197 with SMTP id v5mr9131480ict.513.1306156744158; Mon, 23 May 2011 06:19:04 -0700 (PDT)
Received: by 10.42.239.7 with HTTP; Mon, 23 May 2011 06:19:04 -0700 (PDT)
Date: Mon, 23 May 2011 06:19:04 -0700
Message-ID: <BANLkTikjMZpYm4Maef1wqnmH4RJ02-6t1g@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: tls@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [TLS] Final (hopefully) issues with DTLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 May 2011 13:19:08 -0000

Following up on Prague, here is the new text for the 2MSL and the
record sequence number issues:



MSL:
4.1.
   Note that because DTLS records may be reordered, a record from epoch
   1 may be received after epoch 2 has begun. In general,
   implementations SHOULD discard packets from earlier epochs, but if
   packet loss causes noticeable problems MAY choose to retain keying
   material from previous epochs for up to the default MSL specified for
   TCP [TCP] to allow for packet reordering. (Note: the intention here
   is that implementors use the current guidance from the IETF for MSL,
   not that they attempt to interrogate the MSL the system TCP stack is
   using.)  Until the handshake has completed, implementations MUST
   accept packets from the old epoch.

   ...

4.2.4.
   In addition, for at least twice the default MSL defined for [TCP],
   when in the FINISHED state, the node which transmits the last flight
   (the server in an ordinary handshake or the client in a resumed
   handshake) MUST respond to a retransmit of the peer's last flight
   with a retransmit of the last flight. This avoids deadlock conditions




Record Sequence Number:
   When responding to a HelloVerifyRequest the client MUST use the same
   parameter values (version, random, session_id, cipher_suites,
   compression_method) as it did in the original ClientHello.  The
   server SHOULD use those values to generate its cookie and verify that
   they are correct upon cookie receipt.  The server MUST use the same
   version number in the HelloVerifyRequest that it would use when
   sending a ServerHello.  Upon receipt of the ServerHello, the client
   MUST verify that the server version values match. In order to avoid
   sequence number duplication in case of multiple HelloVerifyRequests,
   the server MUST use the record sequence number in the ClientHello as
   the record sequence number in the HelloVerifyRequest.

...

   When the second ClientHello is received, the server can verify that
   the Cookie is valid and that the client can receive packets at the
   given IP address.  In order to avoid sequence number duplication in
   case of multiple cookie exchanges, the server SHOULD use the record
   sequence number in the ClientHello as the record sequence number in
   its initial ServerHello. Subsequent ServerHellos will only be sent
   after the server has created state and MUST increment normally.

I believe this matches what I said in Prague, but any objections to
this in concept or the way I've written it up.


Finally, I've been rethinking the issue of the interaction of the
ChangeCipherSpec and the handshake sequence numbers. In Prague I
suggested not changing this and just putting a note in the spec that
one had to be careful, but at this point I am thinking it might be
better to simple suck up the change and put a message sequence number
in the CCS. This removes the need to consult the handshake state
machine in order to deal with reordering, though not in order to
determine whether the CCS is at the appropriate place in the handshake
(in order to detect misbehaving or malicious behavior early).  The
downside for this is that it's a difference from TLS, but it seems
like fairly easy code--though I admit I haven't tried to code it up. I
don't think either way represents a security issue, but doing it this
way means that we won't need to be as careful in the future about
having the state machine be completely deterministic prior to the CCS,
which seems like the Right Thing. Comments?

-Ekr

v2.23.0 | Report a Bug | By Email