IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

yinxinxing <yinxinxing@huawei.com> Fri, 13 October 2017 08:11 UTC

Return-Path: <yinxinxing@huawei.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABBF2126B7E for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 01:11:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6SLJQIFlD5T for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 01:11:49 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C169126B71 for <tls@ietf.org>; Fri, 13 Oct 2017 01:11:45 -0700 (PDT)
Received: from 172.18.7.190 (EHLO LHREML711-CAH.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DQO33679; Fri, 13 Oct 2017 08:11:41 +0000 (GMT)
Received: from DGGEMI406-HUB.china.huawei.com (10.3.17.144) by LHREML711-CAH.china.huawei.com (10.201.108.34) with Microsoft SMTP Server (TLS) id 14.3.301.0; Fri, 13 Oct 2017 09:11:39 +0100
Received: from DGGEMI508-MBX.china.huawei.com ([169.254.4.186]) by dggemi406-hub.china.huawei.com ([10.3.17.144]) with mapi id 14.03.0301.000; Fri, 13 Oct 2017 16:11:38 +0800
From: yinxinxing <yinxinxing@huawei.com>
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Connection ID Draft
Thread-Index: AdND9UCTy0qV4eX+RfS1VDVqmNEmOw==
Date: Fri, 13 Oct 2017 08:11:37 +0000
Message-ID: <DBDF9AE44733284D808F0E585E1919022C7A77E2@dggemi508-mbx.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.184.225.248]
Content-Type: multipart/alternative; boundary="_000_DBDF9AE44733284D808F0E585E1919022C7A77E2dggemi508mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020204.59E0753F.0011, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.4.186, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: f4e239171d64f650785ae4a1845856df
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_E0NvGrWPqdCqgqSQ8L7jRYcIiE>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2017 08:11:52 -0000

Hi Ekr,

Thanks for your effort. The draft looks good. A few comments are listed below.


1.       Based on the draft, for either DTLS1.2 or 1.3, server can’t differentiate whether the packet from client is a “connection ID” packet or a standard DTLS 1.2/1.3 packet. (I saw Thomas Fossati and Nikos also introduced this problem)

Maybe we can add a new “ContentType” in the DTLS record format to help server identify the “connection ID” packet. In addition, you see the length of the record payload is limited by 2^14-1, this means the first two bits of “length” is zero. We could utilize this feature and set the first two bits or more bits of CID being one, e.g., 1111….(but the CID must be put between sequence number and length). When server finds 1111 after sequence number, it knows this is a “connection ID” packet. However, I don’t know whether it is proper to use such magic number. In my view, adding new contenttype may be a choice.



2.        For DTLS 1.2, there is no NewConnectionID and RequestConnectionID message. DTLS 1.2 server and client also has the requirement to request for a new CID, and at present, many products still use DTLS1.2 and I believe it will continue to be used for a long time even if TLS/DTLS1.3 is published. My point is that we need a corresponding method for updating CID for DTLS1.2 too.

I don’t quite understand the following sentences

“In DTLS 1.2, connection ids are exchanged at the beginning of the

   DTLS session only.  There is no dedicated "connection id update"

   message that allows new connection ids to be established mid-session,

   because DTLS 1.2 in general does not allow post-handshake messages

   that do not themselves begin other handshakes.”

Besides, for CID in DTLS1.3, I think the corresponding responding messages of  NewConnectionID and RequestConnectionID are also needed to ensure that the peer has received CID.


3.       We have a practical usecase in IoT. The IOT device, like intelligent water meter, sends one message per day, and goes to sleep. It wakes up in the second day and sends a message and then goes to sleep. If it always (or for a long time) use the same CID, there may be a risk of tracing IOT device or the owner of this device. Therefore, it is important to recommend user to update CID once it finishes sending message. For the CID in DTLS1.2, this becomes worse.



4.       The generation of CID should be more concrete. For example, using random number or a counter?


Regards,
Yin Xinxing

发件人: TLS [mailto:tls-bounces@ietf.org] 代表 Eric Rescorla
发送时间: 2017年10月13日 7:14
收件人: tls@ietf.org
主题: [TLS] Connection ID Draft

Hi folks,

I have just posted a first cut at a connection ID draft.
https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00

Comments welcome.

-Ekr

v2.23.0 | Report a Bug | By Email