Re: [TLS] John Scudder's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)

John Scudder <jgs@juniper.net> Tue, 20 April 2021 22:42 UTC

From: John Scudder <jgs@juniper.net>
To: Eric Rescorla <ekr@rtfm.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-tls-dtls-connection-id@ietf.org" <draft-ietf-tls-dtls-connection-id@ietf.org>, tls-chairs <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>, Joseph Salowey <joe@salowey.net>
Thread-Topic: John Scudder's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)
Thread-Index: AQHXNjZwWIVloQQe0U6QWFeDi8kblQ==
Date: Tue, 20 Apr 2021 22:42:26 +0000
Message-ID: <DC7E046F-EDF9-4AFA-B3B7-D88DE0B51952@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Lia5ce2C9ugGLgwj6KA769Cf0Bk>

On Apr 20, 2021, at 5:32 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> This seems like a pretty basic assumption. These aren't just notational conventions
> or pseudo-code. They're the protocol description language that TLS is defined in.
> If one isn't familiar with how to read this syntax, then you really don't have much of
> a hope of correctly implementing this specification.

Be that as it may, the point about courtesy to the naïve reader stands.

> > [*] By the way, why not just use “255” in the text instead of “2^8-1”? Eschew
> > obfuscation!
>
> Which one of these is clearer seems like a question of taste, I should think.
> It's worth noting that because the length prefix is determined by the ceiling,
> arguably 2^8-1 is clearer.

I don’t follow your point, but suit yourself.

> > 3. Section 6:
> >
> >    *  There is a strategy for ensuring that the new peer address is able
> >       to receive and process DTLS records.  No such strategy is defined
> >       in this specification.
> >
> > This is a little mind-boggling to me. I understand this to mean I can’t send
> > the new address a DTLS record unless I’ve already ensured it can receive and
> > process that record, right? This seems almost like a classic Catch-22. I feel
> > like I must be missing something.
>
> This specification *only* allows you to mux, but doesn't allow you to migrate.
> We could probably make this point clearer.

Yes, I think so. Various things led me to think this was supposed to be a feature. For starters, the abstract:

   A CID is an identifier carried in the record layer header that gives
   the recipient additional information for selecting the appropriate
   security association.  In "classical" DTLS, selecting a security
   association of an incoming DTLS record is accomplished with the help
   of the 5-tuple.  If the source IP address and/or source port changes
   during the lifetime of an ongoing DTLS session then the receiver will
   be unable to locate the correct security context.

It’s true the abstract doesn’t promise that I can migrate to the new address, but I felt led in that direction. But more to the point, §6 itself:

   When a record with a CID is received that has a source address
   different than the one currently associated with the DTLS connection,
   the receiver MUST NOT replace the address it uses for sending records
   to its peer with the source address specified in the received
   datagram unless the following three conditions are met:

If I understand your reply correctly, the quoted sentence could end “… unless the following three conditions are met (which will never happen):”. Since that seems both capricious and pointless, I still think I’m missing something. Is it that you envision a future specification that does define a strategy that will fulfill the third condition? That might be worth saying, if so.

Thanks,

—John
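The two technical points argued in this exchange, shown as an added example that is not part of the thread, the draft, or either author's code. First, the "length prefix is determined by the ceiling" remark: in the TLS presentation language the upper bound of `opaque cid<0..2^8-1>` fixes the width of the on-wire length prefix (one byte for 2^8-1, two for 2^16-1, three for 2^24-1), which is the information "255" hides. Second, the "mux but not migrate" reading of section 6: a receiver selects the security association by the CID in the record header rather than by the 5-tuple, but does not replace the address it sends to just because a record arrived from a new source. The record layout assumed here is the draft's `tls12_cid` (content type 25) header with the CID between the sequence number and the length field; the CID length is a receiver-side parameter because it is not carried on the wire. The AEAD protection of the fragment is omitted, and the class and function names, addresses and payloads are constructed for illustration.

```python
import struct

TLS12_CID = 25                # content type of a DTLS 1.2 record carrying a CID
DTLS12_VERSION = b"\xfe\xfd"  # DTLS 1.2 wire version


def vector_prefix_len(max_len: int) -> int:
    """Width in bytes of the length prefix of a TLS vector declared as
    opaque x<lo..max_len>: the smallest whole number of bytes holding
    max_len, i.e. ceil(bits(max_len) / 8). 2^8-1 -> 1, 2^16-1 -> 2."""
    if max_len < 1:
        raise ValueError("vector bound must be positive")
    return (max_len.bit_length() + 7) // 8


def encode_vector(data: bytes, max_len: int) -> bytes:
    """Encode e.g. the draft's ConnectionId extension body, opaque cid<0..2^8-1>."""
    if len(data) > max_len:
        raise ValueError(f"vector length {len(data)} exceeds bound {max_len}")
    return len(data).to_bytes(vector_prefix_len(max_len), "big") + data


def decode_vector(buf: bytes, max_len: int, offset: int = 0):
    """Return (vector body, offset after it); reject over-bound or truncated input."""
    n = vector_prefix_len(max_len)
    if offset + n > len(buf):
        raise ValueError("truncated length prefix")
    length = int.from_bytes(buf[offset:offset + n], "big")
    if length > max_len:
        raise ValueError(f"vector length {length} exceeds bound {max_len}")
    start, end = offset + n, offset + n + length
    if end > len(buf):
        raise ValueError("truncated vector body")
    return buf[start:end], end


def build_cid_record(cid: bytes, epoch: int, seq: int, fragment: bytes) -> bytes:
    """Constructed DTLSCiphertext with a CID field; fragment stands in for the
    AEAD-protected content, which this example does not encrypt."""
    hdr = bytes([TLS12_CID]) + DTLS12_VERSION
    hdr += struct.pack(">H", epoch) + seq.to_bytes(6, "big")
    return hdr + cid + struct.pack(">H", len(fragment)) + fragment


def parse_cid_record(datagram: bytes, cid_length: int) -> dict:
    """cid_length is not on the wire: the receiver chose its own CID and knows it."""
    fixed = 1 + 2 + 2 + 6  # type, version, epoch, 48-bit sequence number
    if len(datagram) < fixed + cid_length + 2:
        raise ValueError("truncated record header")
    if datagram[0] != TLS12_CID:
        raise ValueError("not a tls12_cid record")
    epoch = struct.unpack(">H", datagram[3:5])[0]
    seq = int.from_bytes(datagram[5:11], "big")
    cid = datagram[11:11 + cid_length]
    off = 11 + cid_length
    length = struct.unpack(">H", datagram[off:off + 2])[0]
    body = datagram[off + 2:off + 2 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return {"epoch": epoch, "seq": seq, "cid": cid, "fragment": body}


class Connection:
    """One DTLS security association, keyed by the CID the local side chose."""
    def __init__(self, cid: bytes, peer_addr: tuple):
        self.cid = cid
        self.peer_addr = peer_addr  # the address this side *sends* records to
        self.received = []          # (source address, parsed record)


class CidDemux:
    """Selects the security association by CID, not by the datagram's 5-tuple."""
    def __init__(self, cid_length: int):
        self.cid_length = cid_length
        self.by_cid = {}

    def add(self, conn: Connection) -> None:
        self.by_cid[conn.cid] = conn

    def receive(self, datagram: bytes, source_addr: tuple):
        rec = parse_cid_record(datagram, self.cid_length)
        conn = self.by_cid.get(rec["cid"])
        if conn is None:
            return None  # unknown CID: drop, nothing to associate it with
        conn.received.append((source_addr, rec))
        # Section 6: a differing source address MUST NOT replace conn.peer_addr
        # unless three conditions hold, and the draft defines no strategy for
        # the third; so this example muxes by CID but never migrates.
        return conn


def demo():
    """Two records with the same CID from two different 5-tuples land on the
    same connection; the stored peer address is left untouched."""
    demux = CidDemux(cid_length=4)
    conn = Connection(cid=b"\xaa\xbb\xcc\xdd", peer_addr=("192.0.2.10", 5684))
    demux.add(conn)
    r1 = build_cid_record(conn.cid, 1, 7, b"app-data-1")
    r2 = build_cid_record(conn.cid, 1, 8, b"app-data-2")
    c1 = demux.receive(r1, ("192.0.2.10", 5684))     # original 5-tuple
    c2 = demux.receive(r2, ("198.51.100.7", 40000))  # new source after a NAT rebinding
    return c1, c2
```

Running `demo()` returns the same `Connection` object twice with `peer_addr` still `("192.0.2.10", 5684)`: the second record was demultiplexed correctly because of the CID, which is the "mux" the draft provides, but the sending address was not switched to the new source, which is the "migrate" it does not.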