Re: [TLS] DTLS 1.3 sequence number lengths and lack of ACKs

[David Benjamin <davidben@chromium.org>]

Regarding UTA or elsewhere, let's see how the buffered KeyUpdates issue
pans out. If I haven't missed something, that one seems severe enough to
warrants an rfc9147bis, or at least a slew of significant errata, in which
case we may as well put the fixups into the main document where they'll be
easier for an implementator to find.

Certainly, as someone reading the document now to plan an implementation, I
would have found it much, much less helpful to put crucial information like
this in a separate UTA document instead of the main one, as these details
influence how and whether to expose the 8- vs 16-bit choice to Applications
Using TLS at all.

David



On Tue, Apr 16, 2024, 05:17 Tschofenig, Hannes <
hannes.tschofenig@siemens.com> wrote:

> Hi David,
>
>
>
> thanks again for these comments.
>
>
>
> Speaking for myself, this exchange was not designed based on QUIC. I
> believe it pre-dated the corresponding work in QUIC.
>
>
>
> Anyway, there are different usage environments and, as you said, there is
> a difference in the amount of messages that may be lost. For some
> environments the loss 255 messages amounts to losing the message exchanges
> of several days, potentially weeks. As such, for those use cases the
> shorter sequence number space is perfectly fine. For other environments
> this is obviously an issue and you have to select the bigger sequence
> number space.
>
>
>
> More explanation about this aspect never hurts. Of course, nobody raised
> the need for such text so far and hence we didn’t add anything. As a way
> forward, we could add text to the UTA document. In the UTA document(s) we
> already talk about other configurable parameters, such as the timeout.
>
>
>
> Ciao
>
> Hannes
>
>
>
> *From:* TLS <tls-bounces@ietf.org> *On Behalf Of *David Benjamin
> *Sent:* Friday, April 12, 2024 11:36 PM
> *To:* <tls@ietf.org> <tls@ietf.org>
> *Cc:* Nick Harper <nharper@chromium.org>
> *Subject:* [TLS] DTLS 1.3 sequence number lengths and lack of ACKs
>
>
>
> Hi all,
>
>
>
> Here's another issue we noticed with RFC 9147: (There's going to be a few
> of these emails. :-) )
>
>
>
> DTLS 1.3 allows senders to pick an 8-bit or 16-bit sequence number. But,
> unless I missed it, there isn't any discussion or guidance on which to use.
> The draft simply says:
>
>
>
> > Implementations MAY mix sequence numbers of different lengths on the
> same connection
>
>
>
> I assume this was patterned after QUIC, but looking at QUIC suggests an
> issue with the DTLS 1.3 formulation. QUIC uses ACKs to pick the minimum
> number of bytes needed for the peer to recover the sequence number:
>
> https://www.rfc-editor.org/rfc/rfc9000.html#packet-encoding
>
>
>
> But the bulk of DTLS records, app data, are unreliable and not ACKed. DTLS
> leaves all that to application. This means a DTLS implementation does not
> have enough information to make this decision. It would need to be
> integrated into the application-protocol-specific reliability story, if the
> application protocol even maintains that information.
>
>
>
> Without ACK feedback, it is hard to size the sequence number safely.
> Suppose a DTLS 1.3 stack unconditionally picked the 1-byte sequence number
> because it's smaller, and the draft didn't say not to do it. That means
> after getting out of sync by 256 records, either via reordering or loss,
> the connection breaks. For example, if there was a blip in connectivity and
> you happened to lose 256 records, your connection is stuck and cannot
> recover. All future records will be at higher and higher sequence numbers.
> A burst of 256 lost packets seems within the range of situations one would
> expect an application to handle.
>
>
>
> (The 2-byte sequence number fails at 65K losses, which is hopefully high
> enough to be fine?  Though it's far far less than what QUIC's 1-4-byte
> sequence number can accommodate. It was also odd to see no discussion of
> this anywhere.)
>
>
>
> David
>