Re: [TLS] Martin Duke's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 04 May 2021 13:30 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Martin Duke <martin.h.duke@gmail.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-tls-dtls-connection-id@ietf.org" <draft-ietf-tls-dtls-connection-id@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>, Joseph Salowey <joe@salowey.net>
Thread-Topic: Martin Duke's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)
Thread-Index: AQHXNh3xQjAR433mAEmzBLOs8ldD3qrTYkiA
Date: Tue, 4 May 2021 13:30:27 +0000
Message-ID: <VI1PR08MB2639A557022756B119EAB4EAFA5A9@VI1PR08MB2639.eurprd08.prod.outlook.com>
References: <161894801377.8373.6532898944771346676@ietfa.amsl.com>
In-Reply-To: <161894801377.8373.6532898944771346676@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IMcqlewlXs6ScrXO9K2cA-tU0xY>
Subject: Re: [TLS] Martin Duke's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

Hi Martin,

The attack described in Section 9.3.3 of https://tools.ietf.org/html/draft-ietf-quic-transport-34#section-9.3.3 makes a lot of assumptions about the attacker.

I am not opposed to adding the recommendation but I want to understand it first since there is also a price to pay for it (in terms of complexity and performance). Like elsewhere there is no free lunch.

Reading through Section 9.3.3 "Off-Path Packet Forwarding", I noticed that the attacker needs to be able to
* observe the packets sent by DTLS endpoints in both directions, and
* replay the packets in such a way that they arrive faster than the original packets sent by the DTLS endpoints, and
* re-write both source and destination IP address to appear like a NAT for both endpoints.

The last point is needed to ensure that the packet re-routing persists.

IMHO these assumptions hint at an on-path attacker. An on-path attacker (such as a router) can already today perform a denial of service attack on DTLS secured communication by dropping all packets.

Ciao
Hannes

-----Original Message-----
From: Martin Duke via Datatracker <noreply@ietf.org>
Sent: Tuesday, April 20, 2021 9:47 PM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tls-dtls-connection-id@ietf.org; tls-chairs@ietf.org; tls@ietf.org; Joseph Salowey <joe@salowey.net>; joe@salowey.net
Subject: Martin Duke's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)

Martin Duke has entered the following ballot position for
draft-ietf-tls-dtls-connection-id-11: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tls-dtls-connection-id/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for this document.

Section 9.3.3 of quic-transport, which deals with basically the same security model, also requires the receiving endpoint to probe the original address, not just the new one, to address a somewhat more difficult attack. It would be good to at least RECOMMEND this behavior for DTLS applications, and/or (repeat/informatively reference) the logic there.



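The disagreement in the two mails above (how much the attacker has to be able to do, and what probing the original address buys) can be run rather than argued, so here is a small simulation added to this thread. It is not code from the connection-id draft, from any QUIC or DTLS stack, or from either poster; every name, delay and the TIMEOUT value in it is made up. The attacker is modelled with exactly the capabilities Hannes lists: it sees both directions, forwards each client record from its own address so that the copy wins the race, and relays whatever the server sends to it back to the client, like a NAT. The server keeps DTLS-style anti-replay, so the late genuine record is discarded as a duplicate, which is what quic-transport 9.3.3 says happens. It is run with two policies: a return routability check of the new address only, which the NAT relay passes, and the 9.3.3-style extra probe of the original address, which an off-path attacker cannot prevent from being answered. The decision "keep the old address while it still answers" is this toy's own rule; QUIC's rule keys on the packet numbers of non-probing packets, and the draft itself calls that defence imperfect against an attacker that is reliably faster. A genuine NAT rebinding, with the old address dead, is run as the third case to show what the extra probe costs there.

```python
"""Off-path packet forwarding (draft-ietf-quic-transport 9.3.3) against a DTLS-CID
style peer address update. Constructed toy: names, delays and TIMEOUT are made up,
records are taken as MAC-valid (copied, never forged). Time is in milliseconds."""
import heapq
from dataclasses import dataclass, replace
from itertools import count

C, C2, S, A = "client", "client-rebound", "server", "attacker"  # constructed names
TIMEOUT = 100  # constructed: how long the server waits for a probe to be echoed

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    kind: str       # "data": an authenticated record; "probe": address check
    seq: int = 0    # record sequence number, used for replay detection
    nonce: int = 0  # probe value; a data record may carry it back as the echo

class Client:
    def __init__(self, addr):
        self.addr, self.seq = addr, count()
    def recv(self, pkt, net):  # answers every probe with a fresh data record
        if pkt.kind == "probe":
            net.send(Pkt(self.addr, S, "data", next(self.seq), pkt.nonce))

class Server:
    """probe_original=True additionally probes the old address and keeps it while
    it answers (9.3.3 idea; QUIC's own rule keys on packet numbers instead)."""
    def __init__(self, probe_original):
        self.probe_original, self.peer = probe_original, C  # peer: data goes here
        self.highest, self.candidate = -1, None  # replay high-water mark; new source
        self.pending, self.alive = {}, set()     # nonce -> probed address; answered
        self.nonces, self.log = count(1), []
    def probe(self, addr, net):
        nonce = next(self.nonces)
        self.pending[nonce] = addr
        net.send(Pkt(S, addr, "probe", nonce=nonce))
        net.at(net.now + TIMEOUT, self.expire, nonce)
    def recv(self, pkt, net):
        if pkt.kind != "data" or pkt.seq <= self.highest:
            return              # the genuine copy of a forwarded record ends here
        self.highest = pkt.seq
        if pkt.nonce in self.pending:  # an echo on any path validates the address
            self.alive.add(self.pending.pop(pkt.nonce))
            self.decide()
        elif pkt.src != self.peer and self.candidate is None:
            self.candidate = pkt.src
            self.log.append(f"record from {pkt.src}, probing")
            self.probe(pkt.src, net)
            if self.probe_original:
                self.probe(self.peer, net)
    def expire(self, nonce):
        if nonce in self.pending:
            self.log.append(f"{self.pending.pop(nonce)} did not answer")
            self.decide()
    def decide(self):
        if self.pending or self.candidate is None:
            return              # wait until every outstanding probe is resolved
        if self.peer in self.alive:
            self.log.append(f"{self.peer} still answers, keeping it")
        elif self.candidate in self.alive:
            self.log.append(f"migrate {self.peer} -> {self.candidate}")
            self.peer = self.candidate
        else:
            self.log.append(f"{self.candidate} unreachable, keeping {self.peer}")
        self.candidate, self.alive = None, set()

class Net:
    """Event queue plus the attacker: sees both directions, forwards each client
    record from its own address ahead of the original, relays server->A to C."""
    def __init__(self, client, server, d_direct=10, d_attacker=None):
        self.client, self.server = client, server
        self.d_direct, self.d_attacker = d_direct, d_attacker  # None: no attacker
        self.now, self.queue, self.tick = 0, [], count()
    def at(self, t, fn, *args):
        heapq.heappush(self.queue, (t, next(self.tick), fn, args))
    def send(self, pkt):
        if self.d_attacker is not None:
            if pkt.dst == S and pkt.src != A:  # forwarded copy, arrives first
                self.at(self.now + self.d_attacker, self.deliver, replace(pkt, src=A))
            if pkt.dst == A:                   # NAT-style relay on to the client
                self.at(self.now + self.d_attacker, self.deliver,
                        replace(pkt, src=S, dst=self.client.addr))
        if pkt.dst in (S, self.client.addr):   # anything else is a dead address
            self.at(self.now + self.d_direct, self.deliver, pkt)
    def deliver(self, pkt):
        (self.server if pkt.dst == S else self.client).recv(pkt, self)
    def run(self):
        while self.queue:
            self.now, _, fn, args = heapq.heappop(self.queue)
            fn(*args)

def simulate(probe_original, attack):
    """attack: client stays at C and is raced by the attacker; else C -> C2 rebinding."""
    client, server = Client(C if attack else C2), Server(probe_original)
    net = Net(client, server, d_attacker=4 if attack else None)
    net.send(Pkt(client.addr, S, "data", next(client.seq)))  # one record, then quiet
    net.run()
    return server.peer, server.log
```

simulate(probe_original, attack) returns the address the server ends up sending application data to, plus its decision log. With the new-address check only, the attack case ends with the server talking to the attacker, because the attacker relays the probe and the client's echo like a NAT would; with the original address probed as well, the server sees that the old address still answers and stays on it, whatever the attacker's head start, since an off-path attacker can copy the echo but not suppress it. In the rebinding case both policies end up on the new address; the extra probe merely delays the switch by one TIMEOUT while the dead address is waited for, and a real endpoint that still answers at its old address would not be followed to a new one at all under this toy's rule. The limits line up with Hannes's point: an attacker that can also drop the probe to the original address, that is an on-path one, beats this check too, so it helps only against an adversary that wins races without controlling the path.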