IETF Logo Mail Archive

Re: [TLS] DTLS 1.3

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 04 July 2016 21:18 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB2E212B036 for <tls@ietfa.amsl.com>; Mon, 4 Jul 2016 14:18:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.82
X-Spam-Level:
X-Spam-Status: No, score=-1.82 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, SUBJ_ALL_CAPS=1.506] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XRwjBnIlgX5t for <tls@ietfa.amsl.com>; Mon, 4 Jul 2016 14:18:10 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 7A95112B02F for <tls@ietf.org>; Mon, 4 Jul 2016 14:18:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id DA46A7E0F; Tue, 5 Jul 2016 00:18:07 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id DOLyQG4vj4Fx; Tue, 5 Jul 2016 00:18:07 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-177-32.bb.dnainternet.fi [87.100.177.32]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 6DCAEC4; Tue, 5 Jul 2016 00:18:07 +0300 (EEST)
Date: Tue, 05 Jul 2016 00:18:05 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20160704211805.GC4837@LK-Perkele-V2.elisa-laajakaista.fi>
References: <577A38A2.2090209@gmx.net> <20160704140312.GC4287@LK-Perkele-V2.elisa-laajakaista.fi> <577ABCE2.9050409@gmx.net> <20160704204603.GA4837@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBMYQ=SWfEwFVjpmO3Pzh78VTrdqXKF26TDnSA-nR-k=rQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBMYQ=SWfEwFVjpmO3Pzh78VTrdqXKF26TDnSA-nR-k=rQ@mail.gmail.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UYD6HyWUuRSUaWes-UcZnLwurQE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] DTLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jul 2016 21:18:12 -0000

On Mon, Jul 04, 2016 at 01:56:01PM -0700, Eric Rescorla wrote:
> On Mon, Jul 4, 2016 at 1:46 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> > I think the obvious way is:
> >
> > - Cookies from HelloVerifyRequest go to legacy cookie field.
> > - Cookies from HelloRetryRequest go to extension cookie field.
> >
> > If you don't do the first, you can't downnegotiate successfully. And
> > if you don't do the second, you would have to have special case with
> > cookie sizes (since HRR can transmit >255 byte cookie, which would be
> > too big for legacy cookie).
> >
> 
> IMO we should just forbid HVR for DTLS 1.3. I.e., you should just send
> HRR.

Yes, DTLS 1.3 servers can't send HVR, but that doesn't mean DTLS 1.3
clients can't receive HVR (and then need to handle it somehow).

And if downnegotiation is to be possible, then that way should be
compatible with DTLS 1.2 (sticking the cookie into legacy cookie
field and clearing the hash should be compatbile enough).

> > > - The handshake retransmit scheme doesn't seem to work that
> > > >   well with post-handshake auth, and even less well with
> > > >   session tickets.
> > > Why do you think so? Of course, unreliable transports creates
> > > inconvenience; is it that what you are referring to?
> >
> > DTLS assumes handshake messages are reliable, and that reliability is
> > implemented via handshake messages ACKing one another.
> >
> > - Session tickets have no ACK at all.
> >
> 
> DTLS 1.3 should add an ACK, IMO.
 
Yeah, not going to work without. And I presume something might be
needed for dynamic reauth too...
 
> > - CertificateRequest can have very slow ACK.
> > - KeyUpdate has no real ACK (and isn't idempotent either).
> >
> 
> Yes, I think we should remove KeyUpdate for DTLS 1.3 and just use epoch
> instead.

How many special epochs we need?

0 => Unencrypted messages
1 => 0-RTT control messages (just one finished[1]!)
2 => 0-RTT data messages
3 => primary handshake
4 => application data
5-N => rekey connection

Would that be enough?

Reserving epochs would clearly expose the 0-RTT records and the
handshake through. Would solve the reordering with 0-RTT tho.


And can epochs wrap around (this would not cause problems with nonce
reuse, since keys are not going to match)?



[1] Whereas in TLS 1.3 that finished seems pointless (you have a
MAC to check anyway), now in DTLS if there are no 0-RTT handshake
messages, there is no guarantee that any 0-RTT message is received,
resulting no MAC to check.



-Ilari

v2.14.0 | Report a Bug | By Email