Re: [TLS] extending the un-authenticated DTLS header

Martin Thomson <> Tue, 15 November 2016 00:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7E9191294E7 for <>; Mon, 14 Nov 2016 16:10:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BO_0W_MY7o4F for <>; Mon, 14 Nov 2016 16:10:42 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 73E77126CD8 for <>; Mon, 14 Nov 2016 16:10:42 -0800 (PST)
Received: by with SMTP id q130so116878275qke.1 for <>; Mon, 14 Nov 2016 16:10:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=cXWBQFD750C2LT/mXVDR9RDUctVtZjcERjChU5a1ZfA=; b=Uyap0rJXymvcxkuKbUAU8HlyQOTXEFlL5b6ceAcXXquLh3vvjjBW/+w5cLp3Wd6a18 ztFJm/EzeqGalipfV+cT5/8NOuJ88EBzo+MPuhoJqEgcY3PNyAmlIB+vKJ/h0jvrrObX vyVt13WcmWjoW9xBCsAYUMNJ+MR71hpo0Bez3iIhpWPT0k+9iFJvegldmlG7LD1PPhUt YBnK6quQWgWqrodfmpbL63OgEbzj8m+sSKW56thFP1866mrZHVz7y2jtxPddFVZMFC66 s4BXfpwl3TfpOc/04aDFsMAiPKteuX6djoifMEHw+X+RkBW3fFszM8ytjJ4oz1KLK+6z WLOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=cXWBQFD750C2LT/mXVDR9RDUctVtZjcERjChU5a1ZfA=; b=OdUqVErVZ2y4A5rr2wuMcteRNZC8+S+uI11lriuffnVNxAb3vLnqT+f6aRIEQMjQN0 n6wDuiGDbKKkQ2I8W9R8s2cJPZHTERNvF7j4EPh+8MTTotEH9n1/5qEZ64ivphDn0pLN XXV1hOvzQI1Z2iAWc+HyEe8SRDeqIGG6mp/fi6Udib02M1y+jRETN1ujbmddh4zrajgW 1of5RJZ6d7AvrSQTFH96vVYeIb6GOuUbkT0JrJ8tCS5ybYQ90QqMwqsFRbEa1S02yRF+ mcB6v695o4htsm6c3wWihB3JDGIjwh8Xg4bbt62/kM06vQu2jq4+ijOq0LkD0dYG2Gj5 SkQQ==
X-Gm-Message-State: ABUngvcEAUZ9tfh3Ym/dEtijykVJNKfm1oXU70CMEgFj1Uep14h0Eattq+rI7yjcL4+3vcTYRmVYoHwjXb5W/w==
X-Received: by with SMTP id h190mr21800562qke.202.1479168641595; Mon, 14 Nov 2016 16:10:41 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 14 Nov 2016 16:10:41 -0800 (PST)
In-Reply-To: <>
References: <>
From: Martin Thomson <>
Date: Tue, 15 Nov 2016 09:10:41 +0900
Message-ID: <>
To: Nikos Mavrogiannopoulos <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc: Hannes Tschofenig <>, "" <>
Subject: Re: [TLS] extending the un-authenticated DTLS header
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Nov 2016 00:10:43 -0000

On 14 November 2016 at 21:58, Nikos Mavrogiannopoulos <> wrote:
>  For draft‐mavrogiannopoulos­‐dtls­‐cid­‐00 and we needed to extend the
> DTLS un-authenticated part of the DTLS record header with an additional
> field. That works well if this is the only draft ever extending the
> DTLS record header. If not, modification order would be undefined.

Where is this draft?

> Would it make sense to introduce an extension header for DTLS 1.3 in
> the lines of the IPv6 extension headers? That would allow TLS extension
> negotiation to add more items on the un-authenticated header, and
> potentially also remove redundant headers.

Without seeing the draft, I can't really say whether this is sensible,
but I've been working on trimming the DTLS 1.3 header down to
something sane.  That might be incompatible with any attempt to add
unauthenticated data to the header.