IETF Logo Mail Archive

Re: [TLS] Last Call: <draft-ietf-tls-dtls-connection-id-10.txt> (Connection Identifiers for DTLS 1.2) to Proposed Standard

tom petch <daedulus@btconnect.com> Fri, 12 March 2021 17:28 UTC

Return-Path: <daedulus@btconnect.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66E3E3A180E; Fri, 12 Mar 2021 09:28:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UFOVRnT7ifYi; Fri, 12 Mar 2021 09:28:54 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80113.outbound.protection.outlook.com [40.107.8.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65CC13A1808; Fri, 12 Mar 2021 09:28:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FUmvbXEt0k13px58tsTmOgLQFu3KSQk7zPnGHIugGG3Aluqf5Pq1VZw1Ej074K1lMHUpMVkhnXlKjVXqhR+i99GnBVqpM7AkXjNKThTLNhvMIwWiwCNkiP9uVIlq/1hdzq3+hWBVs97HLaRr2yesKOJCOCZCSZUkTA0dZeofbfcBGQpqb/no645pJIp/zwfjdCshinzdwGcVkexlbx6KileXcU83YsaMhJ92YloRISpJ8Fd94qdrrnYG4l6yzO9LuaoBEpqTUHebHwZZnZZaKILOVzY1Wx//6aQlFWaSZxzcVTTum4nNdMxg5Dyo9yopwTe9UrTm/h9nKntDh9XmgA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GyrZJ1g6eo+BZ/hnLWAM3x8zSDaqXsYYyvT7OBhxfWc=; b=N09b4dvHd12qovQidMvD0x47rAwSk6Bwgyf7NjRVRuVEmm4D1R4JaCfp5vjQSGidZEgh5YLmNwCZA4w2SwsotXyWNNkhTlABPFTyv1uZGUOBe15taCXoKNFaUU/MDWM+rKCeuJaGmwPofuSqMsqbseCMJ7vwy4ApR1/9UjXfgO3gyCSk1IatFePUublFDdDd/qI6FTE3MPjQsCEjWvhWz3tigOg8z6PABJnrpHaGMGNgz6dWJMDZ8hC5U0LhtgHan5NrqAq7xvXn+3zkfMOf8jr9XovQm+sibs5+R51e1LVipx9HHtez1yJKcxTipxY/jCaLH7Q1ziDpIei7Hzo1XA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GyrZJ1g6eo+BZ/hnLWAM3x8zSDaqXsYYyvT7OBhxfWc=; b=Q1ruHXJn69iB8/A99KRlIxy6nguWSEkUZrOhdOrWbcoIFne9DOUvvxrP+akAtC0KNRNeknWNbdRSkzBR2zIgZaHKJCwlxvt01if9Rsad0PUkMXeNIDm82xzi/0FjVW9onUdfp9z4HMDqrxPuTQZDp+4mmprEdjP17yDJe1VyRko=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=btconnect.com;
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8) by VI1PR0701MB2399.eurprd07.prod.outlook.com (2603:10a6:800:6e::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3955.10; Fri, 12 Mar 2021 17:28:51 +0000
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::95a0:b8b0:8c8c:1fea]) by VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::95a0:b8b0:8c8c:1fea%7]) with mapi id 15.20.3933.029; Fri, 12 Mar 2021 17:28:51 +0000
To: Achim Kraus <achimkraus@gmx.net>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Thomas Fossati <Thomas.Fossati@arm.com>, "last-call@ietf.org" <last-call@ietf.org>
References: <161520236528.11780.2852731535612070466@ietfa.amsl.com> <604B44A4.6070400@btconnect.com> <94E09812-812E-4373-A2DC-ECF489F0C5FF@arm.com> <VI1PR08MB26399313BD59836403213536FA6F9@VI1PR08MB2639.eurprd08.prod.outlook.com> <32ed5871-b315-de65-ec58-a5e67176f133@gmx.net>
Cc: "draft-ietf-tls-dtls-connection-id@ietf.org" <draft-ietf-tls-dtls-connection-id@ietf.org>, "tls@ietf.org" <tls@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>
From: tom petch <daedulus@btconnect.com>
Message-ID: <604BA4CA.8040502@btconnect.com>
Date: Fri, 12 Mar 2021 17:28:42 +0000
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
In-Reply-To: <32ed5871-b315-de65-ec58-a5e67176f133@gmx.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [86.146.121.140]
X-ClientProxiedBy: LO2P265CA0105.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:c::21) To VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.1.65] (86.146.121.140) by LO2P265CA0105.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:c::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.3912.26 via Frontend Transport; Fri, 12 Mar 2021 17:28:50 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 87df7788-7c8d-4582-7ebf-08d8e57c4d63
X-MS-TrafficTypeDiagnostic: VI1PR0701MB2399:
X-Microsoft-Antispam-PRVS: <VI1PR0701MB2399FA2DA8B6B741D16B6B92C66F9@VI1PR0701MB2399.eurprd07.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:6108;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: ElC2wC/Gt/zAA3f3zwgaztTN5tGcw9bC8BDbQfeGf5fKqlq3BHFX/4PCxJ4OyIrTtvm6BomprfNhX3Sgi6ayCfp6jOo/Po+jERRHfdz73BAnMJoIucvgcQsjizrKd1d+Fz3fVe8jcco8sT1fWU9NdkYFZJv5iXyZwqOPg6SjSy5Ea2AY8xGM193JrPGaZqNFhRgBM/PcrikV9SkiNsmn9KorZGv68dAeyG9+EHraqXz5i+5c5ernqqrSJvZdVRLibIsM+WdaH9id1E2qFMW2xGf92q4xyHN2LCcPAfritX0/BNHz0F8fiqvg9bFdhcSNaG9K7C9rBI6b8vYUiutmHjIMNYU4cHtf+0kccfqPz/rZlH9ypqEsNXm3hNBpYCpNPHlG/6sniW3r3T3kbd+kN3lY8Zt2x/1sT0woMDs15aUkfVIpuH8eNr6o1harLeJek3giHHEMufTmngA5zhYeUvykA0pU8jrYKXOlfq7FAE9PIGCMqghOR2t38g2Ndyyhih8D1PzdF14nSt/GKA8O2/BlrfoRhVgZsegeXO6mPg7W23k2xEm5Sxwi7gIA384MD7cKLiddatb5eiEmVTje8V+VyKYH+a02ieuVYszQkcyKD2guWqLe/01r4rIc1vyi
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB6704.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(39860400002)(366004)(396003)(136003)(376002)(346002)(86362001)(83380400001)(33656002)(4326008)(966005)(66946007)(2906002)(478600001)(6486002)(8676002)(5660300002)(110136005)(66556008)(87266011)(53546011)(8936002)(54906003)(36756003)(52116002)(186003)(956004)(6666004)(16526019)(2616005)(26005)(16576012)(316002)(66476007); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData: tNtQxS9ofpj0rgfGo4DvPsER+9wtNzSwrA1fjei47kp8QB2SiFzuTimt5E87JzS4oAXgB5OmLRKXzbw0540BPLhHFaJzArrm6P2ugLzSEuulORMcCUHLmR+qat93GqOONyH4+fLEayBdlt7j8Io78kkauEwZf1aiHKWhb/hmnM1A8b98b6dwjSz+GynSkwR04EQsOJXvDDTeXJrYppHRqpgxMHrzDhuD8uf2EpC3awARpuoZQtGyHCi0t0/KwvABdzxp4IYGOeKnDMMrPSpzeM9ksnfBjfBgqMeM71ewn1oUKU6EgqF7L4oOhE+HtbdoII8+us7Gakwah7CBPyRfPjmwgiwph7rafvk+Y3MxVpA4WfbqXuD3UgbNdh5LTYq73Wt2+4jFv81kfIRwCLmTIx1wXd9GInOeWV+YlZ4Q0a5XkjY2jZ8/Cax6fbnJKB2IMYnrVwrfy217CRMMNw36sbrSYfR6CY6ENctfMYkH0Wa03AhCHhDxsiTnLrW8tFQOv9DkbNQ8S9xAKFSTFgu2qv6Swl6ti/jMA38VZVDHKVQObEXJFuV4ECN7HFcPbpKSfE3/LKO2CnRZQ8f1ste1bwx8+dQ0LobQmxZEo24zKC46btgHoRoolY2uwkrhdoBIm3cqfIuT5zB9YhSxfhdO0WCHwRDmQS15IjB6cs0kBgdYUqsz8sNrv9vijh1mHq22t8/VHXYiE5dfAPbkrV5zqGzQE0h42E4enPbK2TmuqlKyoqhYN5VxfaCkMaDsJ/DPuUgLEHHqd3imuTEMFuEOmJ9NXMtgw7hDQ5i0gLaEkfJZylbyJVJoNVzOq34JLwYeDIDHziav1drU80EsYLCETuPL43j7gWRodlh/juuSGmGeqZTEZCdkN/faltBU/RgHcTrPJJytGQjG3Jiml+EgwUaaLrRuTUO7pQDcFouoyYbR1XS6841XY7TONuLJXRgD2gPkMq3D+nU+kizbBZBhFdXJpViN3aS3IWQShR78XG31Ne5fBU3+twn2HNW5wvoDmVnx0RG2qRlpZaqQu18XDsOSfHc+x/uyevfmYVHTMiNiqB35y+FnP6zSTK1y4d3m0uxgwCBQKOhZ14AROckGIKmVkOc6C6YYwQWRZRy2hZ6mWsADaBPb6DLIdfe6voXkmgAA4j1X2oRGzXnBvMlxRHNoaGroLLZMyBypx994WSOe/RQV/pElEIJrqDKReBZ2rT+D6w9LGXQkLrvlmw3yZ1rXdL93JZFB/cQMqTCXe+nh5oemMUfvZN11hs9xNhBi9BtZtpYL8TEtubA5AbFsl65PjNqBoV1UbZ9yNze0dUKrysqOxRLzHcavALGlgGTv
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 87df7788-7c8d-4582-7ebf-08d8e57c4d63
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB6704.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Mar 2021 17:28:51.2236 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: +T0GhSQXJL86LgA1FW1lhSbIj3kzpdvYXF9bcygqJJ2ZCUc1dsn21INrD6WhnJ1hJdC+eTEUR5sJkkcOazaq8A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB2399
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BuSrUXV6EGVk6puQm73VIm85CGU>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-dtls-connection-id-10.txt> (Connection Identifiers for DTLS 1.2) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2021 17:28:58 -0000

On 12/03/2021 16:18, Achim Kraus wrote:
> Hi Tom, Hannes, Thomas,
>
> "A zero-length value indicates that the server will send with the
> client's CID but does not wish the client to include a CID (or again,
> alternately, to use a zero-length CID)."
>
> My feeling is, the text in the paragraphs following that seems to
> introduce first the idea of a "zero-length CID", and later use that only
> to negate the use of tls_cid record. It may be more straight forward, if
> the use of a "zero-length CID" is limited to the ClientHello and the
> ServerHello extensions. And later the use of a tls_cid record is then
> only for negotiated non-empty CID.
>
> WDYT?

I think that I cannot make sense of that 'alternately'.  The subsequent 
paragraphs seem to rule it out as an option.  On a first read I thought 
that a zero length CID was a valid option for Application Data and 
wanted to know which form of header and MAC was appropriate but my 
understanding of the later paragraphs became that a zero length CID can 
only appear in Hello; but I do think that this needs fixing.

I did track the WG discussion last October and did not see anything very 
clear then.

Tom Petch


> best regards
> Achim Kraus
>
>
> Am 12.03.21 um 12:58 schrieb Hannes Tschofenig:
>> Hi Tom,
>>
>> I added a few PRs to address your review (see
>> https://github.com/tlswg/dtls-conn-id/pulls).
>>
>> Regarding the zero-length CID I believe the current version in the
>> repo at https://github.com/tlswg/dtls-conn-id might have already
>> address your remark.
>>
>> In general, the zero-length CID in the ClientHello / ServerHello
>> allows us to use CIDs unidirectionally.
>>
>> Ciao
>> Hannes
>>
>> -----Original Message-----
>> From: TLS <tls-bounces@ietf.org> On Behalf Of Thomas Fossati
>> Sent: Friday, March 12, 2021 11:58 AM
>> To: tom petch <daedulus@btconnect.com>; last-call@ietf.org
>> Cc: tls@ietf.org; tls-chairs@ietf.org;
>> draft-ietf-tls-dtls-connection-id@ietf.org
>> Subject: Re: [TLS] Last Call:
>> <draft-ietf-tls-dtls-connection-id-10.txt> (Connection Identifiers for
>> DTLS 1.2) to Proposed Standard
>>
>> Hi Tom,
>>
>> Thanks very much!
>>
>> Your review is tracked in the issues below.
>>
>> On 12/03/2021, 10:39, "tom petch" <daedulus@btconnect.com> wrote:
>>>
>>> Some editorial quirks
>>>
>>> s.2
>>> lacks the boiler plate of RFC8174
>>
>> https://github.com/tlswg/dtls-conn-id/issues/88
>>
>>> s.3
>>> I found this unclear until I had understood it all (or perhaps I do
>>> not understand it)
>>>
>>> "...or again, alternately, to use a zero-length CID)."
>>> This suggests that a zero length CID is valid in Application Data
>>> which later text seems to contradict; otherwise I cannot see what
>>> this is saying.
>>>
>>> "  If DTLS peers have negotiated the use of a CIDs using the
>>> ClientHello and the ServerHello messages "
>>> arguably sending a zero CID and receiving a zero CID is a successful
>>> Hello negotiation perhaps " If DTLS peers have negotiated the use of a
>>> non-zero CID in at least one direction, using the ClientHello and the
>>> ServerHello messages"
>>>
>>> "The DTLS peers determine whether incoming and outgoing messages need.."
>>> seems not to cater for unidirectional CIDs; perhaps "The DTLS peers
>>> determine whether incoming or outgoing, or both, messages need.. "
>>
>> https://github.com/tlswg/dtls-conn-id/issues/89
>>
>>> s.4
>>> /always recieve CIDs/always receive CIDs/
>>>
>>>
>>> s.5.1
>>> "the with Encrypt-then-MAC processing described in [RFC7366]."
>>> I do not understand why 'with' is needed
>>>
>>> s.5.2
>>> ditto
>>>
>>> s.8
>>> /this aspects SHOULD refuse/these aspects SHOULD refuse/
>>
>> https://github.com/tlswg/dtls-conn-id/issues/90
>>
>>> s.10
>>> I would find this clearer as three sections for the three IANA actions
>>> 10.1 new column for ExtensionType
>>> 10.2 new value for ExtensionType
>>> 10.3 new value for ContentType
>>>
>>> "   IANA is requested to allocate an entry to the existing TLS
>>>      "ExtensionType Values" registry, defined in [RFC5246],.."
>>> well no; whatever you think of RFC8447 the name has changed
>>> "   IANA is requested to allocate an entry to the existing "TLS
>>>      ExtensionType Values" registry, defined in [RFC5246],.."
>>> or, if you are picky (which I am not),
>>>      IANA is requested to allocate an entry to the existing "TLS
>>>      "ExtensionType Values" registry, defined in [RFC5246], and
>>>      renamed by RFC8447
>>>
>>> An extra column is added but I cannot see what value should be placed
>>> in that column for existing entries.
>>>
>>> "The tls12_cid ContentType is only applicable to DTLS 1.2."
>>> Good information but I struggle to see what IANA will do with it; I
>>> see nowhere for it to go.
>>
>> https://github.com/tlswg/dtls-conn-id/issues/91
>>
>>
>> cheers, t
>>
>>> Tom Petch
>>>
>>>
>>> On 08/03/2021 11:19, The IESG wrote:
>>>
>>>
>>>>
>>>> The IESG has received a request from the Transport Layer Security WG
>>>> (tls) to consider the following document: - 'Connection Identifiers
>>>> for DTLS 1.2'
>>>>     <draft-ietf-tls-dtls-connection-id-10.txt> as Proposed Standard
>>>>
>>>> The IESG plans to make a decision in the next few weeks, and
>>>> solicits final comments on this action. Please send substantive
>>>> comments to the last-call@ietf.org mailing lists by 2021-03-28.
>>>> Exceptionally, comments may be sent to iesg@ietf.org instead. In
>>>> either case, please retain the beginning of the Subject line to
>>>> allow automated sorting.
>>>>
>>>> Abstract
>>>>
>>>>
>>>>      This document specifies the Connection ID (CID) construct for the
>>>>      Datagram Transport Layer Security (DTLS) protocol version 1.2.
>>>>
>>>>      A CID is an identifier carried in the record layer header that
>>>> gives
>>>>      the recipient additional information for selecting the appropriate
>>>>      security association.  In "classical" DTLS, selecting a security
>>>>      association of an incoming DTLS record is accomplished with the
>>>> help
>>>>      of the 5-tuple.  If the source IP address and/or source port
>>>> changes
>>>>      during the lifetime of an ongoing DTLS session then the
>>>> receiver will
>>>>      be unable to locate the correct security context.
>>>>
>>>>
>>>>
>>>>
>>>> The file can be obtained via
>>>> https://datatracker.ietf.org/doc/draft-ietf-tls-dtls-connection-id/
>>>>
>>>>
>>>>
>>>> No IPR declarations have been submitted directly on this I-D.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> IETF-Announce mailing list
>>>> IETF-Announce@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ietf-announce
>>>> .
>>>>
>>>
>>
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose
>> the contents to any other person, use it for any purpose, or store or
>> copy the information in any medium. Thank you.
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose
>> the contents to any other person, use it for any purpose, or store or
>> copy the information in any medium. Thank you.
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
> .
>

v2.23.0 | Report a Bug | By Email