Re: [TLS] extending the un-authenticated DTLS header

Martin Thomson <martin.thomson@gmail.com> Tue, 15 November 2016 07:36 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 746C212950D for <tls@ietfa.amsl.com>; Mon, 14 Nov 2016 23:36:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5eNVD_e1o0Mi for <tls@ietfa.amsl.com>; Mon, 14 Nov 2016 23:36:19 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DB311294AD for <tls@ietf.org>; Mon, 14 Nov 2016 23:36:19 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id n21so125548944qka.3 for <tls@ietf.org>; Mon, 14 Nov 2016 23:36:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GrtwkdXxuLiexFjeJVh/Ptr63SghjPqWOWue+W0bJr4=; b=Jitr+NTWXRnk1bZ4IoY5JZ7UtbojgHlysi7kz7Nb10u/Wo2me6XNqwO6dehqD03vlc aHtH8kXK0HJbHfqmSaLbsnII/hGFD07YcEkFblyGmtZE6Nu6xH68Z0a+G447N/G2Fd4W Gvi574ojnGgk+BelsXtMk/S8UuHMHuosWPM24IC/sVvM9FI0Lg1fxcU5CGHt7eCHyTiX CbPwfSqZJNCZdyCPi4TH1SEYAdP3b/cwDVtG+Tih2dUbjL+Zxq3hrKzV6czgFWyvud+k vwsMgyPS318Ad2iZl/fYyDZjXBA7PJuPvhUFq3tcveDf4rhr/ShkHBUzuu2FRI+WcnS5 Prdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=GrtwkdXxuLiexFjeJVh/Ptr63SghjPqWOWue+W0bJr4=; b=I9pchJyMRAvSuDC3C6g2MRQCW2wpnnjCfeq0p4Ij7vLwrlDKXautLnmtTlADLn6y11 cZ4PND9c9cmDbSdo67yNugyFLiEfRq6GeKK7nbHEkwT65jD32P+dL2+4UIH/JPRckG14 V5WwZ/3wPLM1WqCBzH0YUVUxUb8+/2+kvL4Gt/DoE13rnFoLDX8VhvC1S2h7Fb7N9/WC jv9xUV4245mmwL8uAyq0mGrxp/5yxdaqFrtUhIijvqvMI5j2Kt5AEdu89VFL6Lm/umaL yPCUz8nUp5AI6ruitzdczSUR1WP7Uk3ql+cW8m4T1BBhu3c1edGpGdr4WLGr0Rcnos6t hKPg==
X-Gm-Message-State: ABUngvfpj+m5y0exUQ/7kLAbfq8Ur+y6JPqdJHBCA0RyKjV5MARgJ/HwDPTJ95RZ2GyViExXeIms4brM1jEfUw==
X-Received: by 10.55.150.131 with SMTP id y125mr20896277qkd.115.1479195378283; Mon, 14 Nov 2016 23:36:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.85.7 with HTTP; Mon, 14 Nov 2016 23:36:17 -0800 (PST)
In-Reply-To: <1479193977.12027.7.camel@redhat.com>
References: <1479128315.2624.62.camel@redhat.com> <058f1681-9ecf-22db-1b88-2313491c7b72@cs.tcd.ie> <1479193977.12027.7.camel@redhat.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 15 Nov 2016 16:36:17 +0900
Message-ID: <CABkgnnU2s8R6UrP1yZnmAS7rhMnCza3qfVfPfoRtqAcXmBL9SA@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_htA2QcoVv_bt7N1SaJmOQ_L5Q4>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] extending the un-authenticated DTLS header
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2016 07:36:20 -0000

On 15 November 2016 at 16:12, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
> TLDR; the privacy offered by this extension is the same as the privacy
> of DTLS over UDP.

I disagree.  All the privacy considerations of the QUIC connection ID
apply here.  It would probably pay to follow that discussion.

If the intent of this is simply to deal with the NAT rebinding issue,
then I think that this is worth doing, but to say that this does not
have privacy issues would be overstating the case.