Re: [TLS] Working group last call for draft-ietf-tls-rfc4347-bis-03.txt

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Wed, 28 October 2009 17:06 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D71253A6841 for <tls@core3.amsl.com>; Wed, 28 Oct 2009 10:06:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BsTH5mcfHnXb for <tls@core3.amsl.com>; Wed, 28 Oct 2009 10:06:02 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 056F23A6833 for <tls@ietf.org>; Wed, 28 Oct 2009 10:06:01 -0700 (PDT)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEANYW6EqrR7Ht/2dsb2JhbADCOJgxhD8E
X-IronPort-AV: E=Sophos;i="4.44,640,1249257600"; d="scan'208";a="47261914"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-4.cisco.com with ESMTP; 28 Oct 2009 17:06:15 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n9SH6HsB020833; Wed, 28 Oct 2009 17:06:17 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 28 Oct 2009 10:06:17 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 28 Oct 2009 10:06:16 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE508FCE486@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <4AE1311E.5080508@pobox.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Working group last call for draft-ietf-tls-rfc4347-bis-03.txt
Thread-Index: AcpTmUll1ZXB520xTd6aaL55T31yQgEVIT/g
References: <AC1CFD94F59A264488DC2BEC3E890DE508E1B2D8@xmb-sjc-225.amer.cisco.com> <4AE1311E.5080508@pobox.com>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Michael D'Errico" <mike-list@pobox.com>, <tls@ietf.org>
X-OriginalArrivalTime: 28 Oct 2009 17:06:17.0151 (UTC) FILETIME=[F66BD4F0:01CA57F0]
Subject: Re: [TLS] Working group last call for draft-ietf-tls-rfc4347-bis-03.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2009 17:06:02 -0000

Hi Mike,

Thanks for looking at the document.  I think that an extension to tell
the client to switch ports or protocols is beyond the scope of the
current work item.  It would be best covered as a separate new work item
if the working group thinks it is useful.  Perhaps it is related to the
proposal on next protocol negotiation that was sent to the list (it
might not be, I haven't had a chance to read it yet).  I'll open an
issue for your other comments.

Thanks,

Joe


> The link appears to go to the correct version of the draft, 
> but the header of each page says it is draft -00 dated June 2008.
> 
> Overall the draft seems to be good, but one thing I think is 
> missing is for the server to be able to somehow tell the 
> client to switch to a different port for DTLS over UDP (I 
> don't know about other types of transports).  The simplest 
> scheme I can envision is that the HelloVerifyRequest and 
> ServerHello messages would be sent from the port the client 
> initially contacted.  The ServerHello would contain a 
> DTLS_PortChange extension listing the new port number.  The 
> remainder of the handshake and subsequent data transfer would 
> occur on this new port.
> 
> Comments on the draft:
> 
> In section 3. Overview of DTLS, it says:
> 
>      1. TLS's traffic encryption layer does not allow independent
>      decryption of individual records.  If record N is not received,
>      then record N+1 cannot be decrypted.
> 
> I don't believe this is always true -- if a block cipher is 
> used, then since there is an explicit IV given, you can 
> decrypt the record.
> The MAC, however, will not calculate correctly due to the 
> wrong sequence number, so the missing record will be 
> detected.  Stream (and AEAD?) ciphers would fail to decrypt as stated.
> 
> Near the top of page 9, the abbreviation CSS is used.  I 
> think that should have been CCS, but I would suggest spelling 
> out ChangeCipher Spec rather than abbreviating.
> 
> At the very end of section 4.2.1 (top of page 17) it mentions 
> a HelloVerify message (not HelloVerifyRequest).  Should that 
> be a ClientHello message (with cookie)?
> 
> Typos:
> 
>    - last line of page 3: "they typically requires" strike the s.
>    - section 4.1.1 second line, "that clients" remove "that"
>    - top of page 14 - "forget" should be "forgery"
> 
> Mike
> 
> 
> Joseph Salowey (jsalowey) wrote:
> > This is an announcement for working group last call on DTLS 
> 1.2 (RFC 
> > 4347-bis).  The document is available here:
> > 
> > http://tools.ietf.org/html/draft-ietf-tls-rfc4347-bis-03
> > 
> > Please send any comments to the list by October 26, 2009.  It is 
> > useful to send an indication to the list if you have read 
> the document 
> > and think it is ready for publication even if you don't 
> have specific 
> > comments.
> > 
> > Thanks,
> > 
> > Joe
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>