Re: [TLS] Gaps in specification of DTLS 1.3 state machine

Hanno Becker <Hanno.Becker@arm.com> Thu, 02 April 2020 18:01 UTC

From: Hanno Becker <Hanno.Becker@arm.com>
To: Christopher Wood <caw@heapingbits.net>, "tls@ietf.org" <tls@ietf.org>
Date: Thu, 02 Apr 2020 18:00:57 +0000
Message-ID: <DB7PR08MB332445AED53D8473FBAB5A389BC60@DB7PR08MB3324.eurprd08.prod.outlook.com>
References: <AM6PR08MB331811E58E80173B1D74D8349B1C0@AM6PR08MB3318.eurprd08.prod.outlook.com> <0287f75a-015e-49eb-a052-cf7a53f03035@www.fastmail.com> <AM6PR08MB33182017F0D9EA53A8B247DF9BE20@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMKAyTBNCpEMZksZxv5PeJZPPQzykhE7ZNeZ366zLYpYw@mail.gmail.com>, <f06035d2-5f46-4eed-95c4-88faf62f4253@www.fastmail.com>, <AM6PR08MB3318CDC2315FC9F074C8906B9BFC0@AM6PR08MB3318.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB3318CDC2315FC9F074C8906B9BFC0@AM6PR08MB3318.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Tht36MRvQLG2HkOFzexQfiwTikE>
Subject: Re: [TLS] Gaps in specification of DTLS 1.3 state machine

Hi Ekr, Martin, Chris,

I have created https://github.com/tlswg/dtls13-spec/pull/137 as a first attempt to explicitly mention
that multiple post-handshake messages should be treated via independent state machines.

Let me know what you think.
________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Hanno Becker <Hanno.Becker@arm.com>
Sent: Wednesday, March 11, 2020 2:36 PM
To: Christopher Wood <caw@heapingbits.net>; tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Gaps in specification of DTLS 1.3 state machine

Thanks Eric, Martin and Chris for your input!

For the record: I withdraw my claim that there's an issue with handshake message reordering
and the transcript, as already pointed out by Eric and Chris. I also don't see any other issues
at the moment with what appears to be the preferred model of duplicated state machines
that would require technical changes to the specification.

However, I do believe that the duplication of state machines is non-trivial enough to merit
explicit mention in the specification. In particular, if I understand things correctly, it appears
that it increases the implicit interface between the handshake logic 'layer' (which should be
as similar to that for TLS 1.3 implementations as possible) and the underlying 'messaging' layer,
including the retransmission state machine: For example, the retransmission state machine cannot
infer which handshake message belongs to which state machine on its own on the basis of handshake
metadata. Instead, this information needs to be provided by the handshake logic after inspecting the
message content. As a concrete example, one can consider multiple CertificateRequest messages
being sent from Server to Client. When the Client responds to one of them, it is only on parsing
of the certificate request context that it becomes clear which state machine the message belongs to.
Hence, in a nutshell, while for the main handshake the signaling between handshake logic layer
and messaging layer is confined to indicating when a flight or handshake is over, the duplication
of state machines seems to add complexity by requiring an additional signal indicating which state
machine an incoming message belongs to. Similarly, when sending messages, it needs to be
indicated which state machine they belong to.

Overall, I believe that it would be beneficial if the abstract model for the retransmission state
machine - including the state machine duplication for post-handshake messages - received
some more attention and (potentially formal) analysis.

Cheers,
Hanno
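The routing problem described in the message above (the messaging layer cannot tell from the handshake header which forked state machine a message belongs to; the handshake logic has to inspect the content, e.g. the certificate_request_context) can be made concrete with a small model. The following is an added example written for this thread, not text from draft-ietf-tls-dtls13 and not code from any TLS implementation. It assumes the 12-byte DTLS handshake header (msg_type, 24-bit length, 16-bit message_seq, 24-bit fragment_offset, 24-bit fragment_length), unfragmented messages, and a shared message_seq space that is numbered from 0 purely for the example; the class and function names are the example's own.

```python
"""Model: routing DTLS 1.3 post-handshake messages to independent per-exchange
state machines.  Constructed illustration for this discussion; not draft text
and not implementation code.  Assumed: 12-byte handshake header, whole
(unfragmented) messages, one message_seq space shared by all post-handshake
messages, numbered from 0 here for the example only."""
from dataclasses import dataclass, field

CERTIFICATE = 11
CERTIFICATE_REQUEST = 13
KEY_UPDATE = 24


class ProtocolError(Exception):
    pass


def build_handshake(msg_type: int, message_seq: int, body: bytes) -> bytes:
    """Encode one unfragmented handshake message (constructed helper)."""
    return (bytes([msg_type]) + len(body).to_bytes(3, "big")
            + message_seq.to_bytes(2, "big") + (0).to_bytes(3, "big")
            + len(body).to_bytes(3, "big") + body)


def parse_handshake(data: bytes):
    """Return (msg_type, message_seq, body).  Nothing in the header identifies
    the post-handshake exchange the message belongs to."""
    if len(data) < 12:
        raise ProtocolError("truncated handshake header")
    msg_type = data[0]
    length = int.from_bytes(data[1:4], "big")
    message_seq = int.from_bytes(data[4:6], "big")
    frag_off = int.from_bytes(data[6:9], "big")
    frag_len = int.from_bytes(data[9:12], "big")
    if frag_off != 0 or frag_len != length or len(data) != 12 + length:
        raise ProtocolError("fragmented or malformed message (model takes whole messages)")
    return msg_type, message_seq, data[12:]


@dataclass
class Exchange:
    """One forked state machine, here one outstanding CertificateRequest."""
    name: str
    context: bytes
    complete: bool = False


@dataclass
class ServerDemux:
    """Server side: resequencing by message_seq happens once, below all
    exchanges; which exchange a message belongs to is decided from content."""
    next_recv_seq: int = 0
    next_send_seq: int = 0
    pending: dict = field(default_factory=dict)   # certificate_request_context -> Exchange

    def send_certificate_request(self, context: bytes) -> bytes:
        """Fork a client-authentication exchange keyed by the context we chose."""
        if not context or context in self.pending:
            raise ValueError("context must be non-empty and unique among outstanding requests")
        self.pending[context] = Exchange(f"client-auth[{context.hex()}]", context)
        body = bytes([len(context)]) + context + (0).to_bytes(2, "big")  # empty extensions
        msg = build_handshake(CERTIFICATE_REQUEST, self.next_send_seq, body)
        self.next_send_seq += 1
        return msg

    def receive(self, data: bytes) -> str:
        msg_type, seq, body = parse_handshake(data)
        if seq != self.next_recv_seq:
            return "buffered"            # shared sequence space: gap handled before any exchange
        self.next_recv_seq += 1
        if msg_type == CERTIFICATE:
            ctx = body[1:1 + body[0]]    # certificate_request_context<0..255>
            exchange = self.pending.pop(ctx, None)
            if exchange is None:
                raise ProtocolError("Certificate with unknown certificate_request_context")
            exchange.complete = True
            return exchange.name
        if msg_type == KEY_UPDATE:
            # Client-initiated exchange arriving while our CertificateRequest is
            # outstanding: a check against "the expected reply" would flag a
            # violation; the duplicated-state-machine model forks a new exchange.
            return "key-update"
        raise ProtocolError(f"unexpected post-handshake message type {msg_type}")


def empty_certificate(context: bytes, seq: int) -> bytes:
    """Client Certificate with the given context and an empty certificate_list."""
    return build_handshake(CERTIFICATE, seq, bytes([len(context)]) + context + (0).to_bytes(3, "big"))


def demo():
    srv = ServerDemux()
    srv.send_certificate_request(b"\x01")
    srv.send_certificate_request(b"\x02")
    # Constructed client traffic: reply to the second request first, a KeyUpdate
    # interleaved, and the reply to the first request delivered out of order.
    cert2 = empty_certificate(b"\x02", 0)
    key_update = build_handshake(KEY_UPDATE, 1, b"\x00")   # update_not_requested
    cert1 = empty_certificate(b"\x01", 2)
    return [srv.receive(cert1), srv.receive(cert2), srv.receive(key_update), srv.receive(cert1)]


def unknown_context_rejected() -> bool:
    srv = ServerDemux()
    srv.send_certificate_request(b"\x01")
    try:
        srv.receive(empty_certificate(b"\x09", 0))
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    print(demo())   # ['buffered', 'client-auth[02]', 'key-update', 'client-auth[01]']
```

The point of the model is the split the message makes explicit: in-order delivery by message_seq is a property of the single messaging layer, while the decision "which state machine does this belong to" needs the parsed certificate_request_context (or the message type, for a peer-initiated KeyUpdate) and therefore comes from the handshake logic.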
________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Christopher Wood <caw@heapingbits.net>
Sent: Wednesday, March 11, 2020 1:37 PM
To: TLS@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Gaps in specification of DTLS 1.3 state machine

Thanks for raising this issue and for the discussion, folks!

Given that endpoints *process* handshake messages in sequence, thereby preventing any out-of-order processing issues raised earlier on this thread, the chairs think no further action is needed to address this comment.

Thanks,
Chris, on behalf of the chairs

On Thu, Mar 5, 2020, at 6:45 AM, Eric Rescorla wrote:
> Hanno,
>
> I do think you are overcomplicating things somewhat.
>
> You can't process handshake messages out of sequence even if they are
> received out of sequence (this is, of course, also the case in TLS,
> it's just that the resequencing happens at the TCP layer). You have to
> either drop out of order messages or buffer them. Yes, this is
> somewhat irritating, but as you demonstrate below, it's inherent
> in the design of post-handshake messages even if each side is
> only allowed to initiate one transaction at a time.
>
> It might be useful to explain this in the text, but I don't think
> anything else is needed.
>
> -Ekr
>
> On Wed, Mar 4, 2020 at 11:00 PM Hanno Becker <Hanno.Becker@arm.com> wrote:
> > Thanks Martin for your thoughts.
> >
> > > It's unavoidable in any case. If you generate your own post-handshake message and
> > > then have to respond to post-handshake authentication, there will be two concurrent
> > > exchanges.
> >
> > Yes, that's an instance of the second question b) which the post didn't further go into.
> >
> > I'm not yet convinced that this situation unavoidably creates the need for duplicating state machines, though, and think that if possible we should avoid it for the sake of implementation simplicity.
> >
> > Moreover, even if it is acceptable that state machines should be duplicated, it isn't clear (to me) how to logically separate them because they're all tied together by the use of the same global handshake sequence number. This creates non-trivial ambiguities like the following:
> >
> > Imagine after the handshake the server requests post-handshake authentication while, simultaneously, the client initiates a key update. When the server receives the KeyUpdate, it assumes from the handshake sequence number that it is the reply to its CertificateRequest, and only when inspecting the type of the handshake message will it notice the mismatch. Usually, a type mismatch would be treated as a protocol violation and lead to failure of the connection, while here, we'd need the server to drop the message or notice that it should fork a new state machine.
> >
> > Note that this problem already exists, albeit in less prominent form, in DTLS 1.2, where both sides may simultaneously trigger a renegotiation.
> >
> > Thinking about it, it seems that the way to make this work is to segregate the part of the retransmission state machine which establishes in-order delivery via handshake sequence numbers, and to have the duplicated contexts one level higher. When a handshake message comes in, it would be trial-fed into all existing contexts, either until one of them accepts it after checking type and content, or potentially leading to the forking of a new context.
> >
> > However, this asynchronous nature of handling multiple post-handshake messages is in conflict with the serialized nature of the handshake transcript used e.g. in the CertificateVerify message:
> >
> > Imagine a post-handshake client authentication to happen interwoven with another post-handshake message from client to server. When the client writes the CertificateVerify, that would require the transcript of the entire handshake up until the CertificateVerify message. Assuming this should include all post-handshake messages, not just those belonging to the client authentication, this may lead to the situation where the server receives a CertificateVerify message with a transcript it cannot validate because it hasn't yet received all other authentication-independent post-handshake messages that went into the transcript.
> >
> > Maybe I'm overcomplicating things, but as it stands it seems to me that the above are serious issues to be further discussed and clarified even if we accept state machine duplication.
> >
> > Happy to hear your thoughts.
> >
> > Cheers,
> > Hanno
> > *From:* TLS <tls-bounces@ietf.org> on behalf of Martin Thomson <mt@lowentropy.net>
> > *Sent:* Wednesday, March 4, 2020 11:32 PM
> > *To:* tls@ietf.org <tls@ietf.org>
> > *Subject:* Re: [TLS] Gaps in specification of DTLS 1.3 state machine
> > Option A please. Multiple state machines.
> >
> >  It's unavoidable in any case. If you generate your own post-handshake message and then have to respond to post-handshake authentication, there will be two concurrent exchanges. We already require acknowledgment for both request and response in a two-way exchange. Since 2 is a member of the third class of numbers (0, 1, ∞), we might as well deal with the full implications of that.
> >
> >  Handling this is fairly simple though. We can recommend limiting to only one active transmission at a time. And if implementations have an especially low tolerance for concurrency they can close connections.
> >
> >  On Thu, Mar 5, 2020, at 01:19, Hanno Becker wrote:
> >  > Hi,
> >  >
> >  > [TL;DR]
> >  > The DTLS 1.3 spec (draft 34) doesn't fully describe the retransmission state
> >  > machine in the case of post-handshake messages, which requires clarification.
> >  > For example, is it allowed to send multiple post-handshake messages without
> >  > waiting for ACKs for the previous ones? If so, how is the retransmission
> >  > state machine modeled for sender and receiver in this case?
> >  > I'll describe and assess a few possible options, but I don't know the best
> >  > answer, and so this post is mostly a request for discussion, hopefully
> >  > resulting in some common understanding and clarification of the spec.
> >  >
> >  > Details:
> >  >
> >  > The following cases need addressing:
> >  > a) Is it allowed to send multiple post-handshake messages (e.g., multiple
> >  > session tickets) without waiting for ACKs for the previous ones? If so,
> >  > how is the retransmission state machine modeled for sender and receiver
> >  > in this case?
> >  > b) How should simultaneous sending/receiving of post-handshake messages
> >  > be handled? The current retransmission state machine doesn't allow
> >  > sending and receiving at the same time.
> >  >
> >  > Some thoughts on a) first:
> >  >
> >  > The spec mentions that post-handshake messages are treated as
> >  > single-message flights. As such, the sender would enter WAITING state
> >  > after sending the post-handshake message, and move to FINISHED on receipt
> >  > of the corresponding ACK. This, however, forbids sending another
> >  > post-handshake message in between, since sending isn't allowed in
> >  > WAITING state.
> >  >
> >  > Option A: Fork state machine
> >  >
> >  > One could circumvent this by 'forking' the retransmission state machine
> >  > for post-handshake messages, i.e. declaring their semantics as if there
> >  > were multiple independent state machines for each outstanding
> >  > post-handshake message. This essentially degrades DTLS' ACK scheme to a
> >  > per-message acknowledgement.
> >  >
> >  > I believe that such an approach is not in the spirit of the rest of the
> >  > protocol and moreover significantly increases complexity and thereby
> >  > comes at the danger of slower adoption and/or bugs. Moreover, it will
> >  > significantly harden efforts for formal verification, which should be
> >  > considered in light of previous efforts on TLS 1.3.
> >  >
> >  > Option B: Don't allow multiple post-handshake messages
> >  >
> >  > Forcing implementations to await an ACK before sending the next
> >  > post-handshake message is a theoretical option which would allow
> >  > sticking to the existing state machine. However, this significantly
> >  > increases the latency of, say, the delivery of multiple session tickets,
> >  > which is a valid use case. This is therefore not a convincing option,
> >  > either.
> >  >
> >  > Option C: Merge consecutive post-handshake messages into a single flight.
> >  >
> >  > Another approach would be to treat multiple post-handshake messages as
> >  > a single flight on the sender. That is, when the sender is in state
> >  > WAITING after sending the first post-handshake message, and the user
> >  > requests to send another one, it moves into SENDING and then back into
> >  > WAITING as usual, appending the new post-handshake message to the
> >  > (so-far single-message) flight.
> >  >
> >  > How would that be handled on the receiver side?
> >  >
> >  > That's not entirely clear because a basic property of the TLS handshake
> >  > that DTLS leverages now no longer holds: Namely, that both sides
> >  > implicitly know and agree on the bounds of flights. Here, multiple
> >  > post-handshake messages would be treated as a single flight on the
> >  > sender, but the receiver doesn't know when the flight is over. How
> >  > should this be handled?
> >  >
> >  > This is to be explored further. One way to address this would be the following:
> >  >
> >  > Option D: Add an 'end-of-flight' signal to handshake messages to allow
> >  > dynamic-length flights.
> >  >
> >  > Recall that the handshake logic must inform the retransmission state
> >  > machine about when a flight is over in the main handshake, allowing the
> >  > state machine to transition accordingly. This signal, however, isn't
> >  > explicitly conveyed to the receiver, because the receiver can figure it
> >  > out for himself.
> >  >
> >  > As mentioned, this isn't true anymore for batched post-handshake messages.
> >  >
> >  > One simple way to deal with this is to add an explicit 'end-of-flight'
> >  > bit in the handshake header which informs the receiver about when a
> >  > flight is over, in those situations where it's not clear from the
> >  > context.
> >  >
> >  > This would allow keeping a single retransmission state machine as-is
> >  > while allowing for batched post-handshake messages such as multiple
> >  > session tickets. Moreover, such a signal would be trivial to implement
> >  > because it's already implicit in the main handshake.
> >  >
> >  > For the wire-format, we can discuss different options, but that's an
> >  > orthogonal question to the issue of finding the correct conceptual
> >  > approach.
> >  >
> >  > Happy to hear everyone's thoughts. It would be great if we could come
> >  > up with some precise description of the state machine evolution for
> >  > post-handshake messages that is both simple and supports batched
> >  > post-handshake messages.
> >  >
> >  > Best,
> >  > Hanno
> >  > _______________________________________________
> >  > TLS mailing list
> >  > TLS@ietf.org
> >  > https://www.ietf.org/mailman/listinfo/tls
> >  >
> >

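The sender-side problem the original post sets out (a post-handshake message is a single-message flight, so the sender sits in WAITING and cannot send a second NewSessionTicket until the ACK arrives) and the Option A alternative (one forked state machine per outstanding message) can be compared side by side in a small model. This is an added example written for this thread, not text from the draft and not code from any implementation. It uses the draft's state names PREPARING/SENDING/WAITING/FINISHED, models an ACK simply as the set of record numbers it acknowledges, and replaces timers with an explicit on_timeout() call; the class and function names are the example's own.

```python
"""Model: the sender-side DTLS retransmission state machine applied to
post-handshake messages.  One machine for everything (a second send is refused
in WAITING) next to one forked machine per outstanding message (Option A).
Constructed illustration for this discussion; not draft text, not
implementation code.  Assumed: state names PREPARING/SENDING/WAITING/FINISHED,
an ACK modelled as a set of record numbers, timers replaced by on_timeout()."""
from dataclasses import dataclass, field


class SendNotAllowed(Exception):
    pass


@dataclass
class FlightMachine:
    """Retransmission state machine for one flight."""
    state: str = "PREPARING"
    unacked: set = field(default_factory=set)   # record numbers awaiting ACK
    retransmissions: int = 0

    def send_flight(self, record_numbers) -> str:
        # Sending is only legal when no flight is outstanding.
        if self.state == "WAITING":
            raise SendNotAllowed("flight outstanding; wait for ACK")
        self.state = "SENDING"
        self.unacked = set(record_numbers)
        self.state = "WAITING"
        return self.state

    def on_ack(self, acked_records) -> str:
        self.unacked -= set(acked_records)
        if self.state == "WAITING" and not self.unacked:
            self.state = "FINISHED"
        return self.state

    def on_timeout(self) -> set:
        """Return the records still unacknowledged, for the caller to resend."""
        if self.state == "WAITING" and self.unacked:
            self.retransmissions += 1
            return set(self.unacked)
        return set()


@dataclass
class ForkedSender:
    """Option A: every post-handshake message gets its own FlightMachine, so a
    second message can go out while the first still waits for its ACK."""
    next_record: int = 0
    machines: dict = field(default_factory=dict)   # message id -> FlightMachine

    def send(self, msg_id: str) -> int:
        machine = FlightMachine()
        record = self.next_record
        self.next_record += 1
        machine.send_flight([record])
        self.machines[msg_id] = machine
        return record

    def on_ack(self, acked_records) -> dict:
        # One ACK may cover records belonging to several exchanges.
        return {mid: m.on_ack(acked_records) for mid, m in self.machines.items()}

    def on_timeout(self) -> dict:
        return {mid: sorted(m.on_timeout()) for mid, m in self.machines.items()}


def single_machine_refuses_second_ticket() -> bool:
    """The situation from the post: one machine, second ticket blocked in WAITING."""
    m = FlightMachine()
    m.send_flight([0])               # NewSessionTicket #1 -> WAITING
    try:
        m.send_flight([1])           # NewSessionTicket #2 while WAITING
    except SendNotAllowed:
        return True
    return False


def forked_sender_demo():
    """Option A: three tickets in flight, a partial ACK, then a timeout."""
    s = ForkedSender()
    for ticket in ("ticket-1", "ticket-2", "ticket-3"):
        s.send(ticket)               # records 0, 1, 2
    states = s.on_ack({0, 2})        # ACK covering tickets 1 and 3 only
    resend = s.on_timeout()          # only ticket 2 is retransmitted
    return states, resend


if __name__ == "__main__":
    print(single_machine_refuses_second_ticket())   # True
    print(forked_sender_demo())
```

The forked variant buys the batching that the post wants (tickets go out without waiting for each ACK) at the cost the post also names: the ACK scheme becomes per-message bookkeeping, and a single ACK has to be applied to every live machine, which is exactly the extra state that any analysis of the model would have to cover.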