IETF Logo Mail Archive

Re: [TLS] Final (hopefully) issues with DTLS 1.2

Nikos Mavrogiannopoulos <nmav@gnutls.org> Fri, 03 June 2011 19:30 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F238E07D9 for <tls@ietfa.amsl.com>; Fri, 3 Jun 2011 12:30:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ECIPDiEdcKz4 for <tls@ietfa.amsl.com>; Fri, 3 Jun 2011 12:30:14 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id C73F8E07B7 for <tls@ietf.org>; Fri, 3 Jun 2011 12:30:13 -0700 (PDT)
Received: by wyb29 with SMTP id 29so1919965wyb.31 for <tls@ietf.org>; Fri, 03 Jun 2011 12:30:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:message-id:date:from:user-agent :mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=YUsMivq3xT/JAlluBjgdvDl9/C+mOeMosTMKIVyheX4=; b=IvIxR64G9w5+logo/pOjpGXPgVxk9IbX+WQqvqcj2w7KP5M8gO6HoTM5CVS14QSzll LwCvZpecw4N/uMPtcXw3La2tdQeXxkXWKtPiyjNZu1b6M2amDUMDls7SI/rQGLiGTwOF 2SoJafWqip/ZLLb+0/TjhCqYMqwC1UgBToAtc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=egYzumwbo/jOKBlGAspB/Sclp7lQ130HxnjfnfsTxyTg9OcIeL2RYL0zWL8srFQQ8T t42O8j2jkTC7X3drZnC0+e4EBZ0FvPvOtMqpg+jZX+wCFm84XGzssck2C2kCNErTQyRx 2ibhECjhnscZZZJzK9AvFwwfsyZLyyHqxUeuk=
Received: by 10.216.174.195 with SMTP id x45mr1102881wel.64.1307129412762; Fri, 03 Jun 2011 12:30:12 -0700 (PDT)
Received: from [10.100.2.14] (94-225-167-75.access.telenet.be [94.225.167.75]) by mx.google.com with ESMTPS id fm14sm1239373wbb.24.2011.06.03.12.30.10 (version=SSLv3 cipher=OTHER); Fri, 03 Jun 2011 12:30:10 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4DE93640.1030301@gnutls.org>
Date: Fri, 03 Jun 2011 21:30:08 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <BANLkTikjMZpYm4Maef1wqnmH4RJ02-6t1g@mail.gmail.com> <4DDA70B6.9030203@gnutls.org> <BANLkTi=M2-qAmcDYb0zxucXFkaLgV+3KGQ@mail.gmail.com>
In-Reply-To: <BANLkTi=M2-qAmcDYb0zxucXFkaLgV+3KGQ@mail.gmail.com>
X-Enigmail-Version: 1.1.2
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Final (hopefully) issues with DTLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jun 2011 19:30:14 -0000

On 05/30/2011 05:38 PM, Eric Rescorla wrote:

> The effect of this restriction is to require the client to send the
> same ClientHello
> (except with the cookie that he sent initially). This maps to the TLS semantics
> where there is only a single ClientHello message sent which is processed
> immediately. IMO this makes analysis easier since it makes DTLS behave
> more like TLS.
> There's no need for the server to do any negotiation at this point,
> it should simply generate a HelloVerifyRequest with the highest matching
> version (regardless of cipher suite considerations) and then process the
> ClientHello de novo [after checking for matching parameters.] Yes, this leaves
> open the possibility that the handshake will eventually negotiate to some yet
> lower TLS version, but that's what happens in one round trip with TLS. I
> would be happy to add a note to the effect that a yet lower version might
> be negotiated. Though note that it's arguable that RFC 5246 S 7.4.1.3
> prohibits conditioning version on ciphersuite even for TLS "This field
> will contain the lower of that suggested by the client
> in the client hello and the highest supported by the server.  For this
> version of the specification, the version is 3.3.  (See
> Appendix E for details about backward compatibility.)"

My implementation of this HelloVerifyRequest was made without using or
allocating server state. That means it doesn't even know which (DTLS)
protocols are enabled or not. It could even be implemented in a
totally different subsystem (a firewall) in front of the server. Thus it
might not know information the server knows. For me this packet
should be as simple as possible. Using a fixed DTLS version would
satisfy this goal. I see no benefit from doing the DTLS version number
negotiation at this "stateless" point.

regards,
Nikos

v2.23.0 | Report a Bug | By Email