Re: [TLS] WG adoption call for draft-tschofenig-tls-dtls-rrc: redux

Russ Housley <housley@vigilsec.com> Tue, 04 May 2021 18:12 UTC

This document seems fine to me, but the first paragraph of Section 3 needs some work.  This can be sorted out after adoption.

Section 3 begins with:

   When a record with CID is received that has the source address of the
   enclosing UDP datagram different from the one previously associated
   with that CID, the receiver MUST NOT update its view of the peer's IP
   address and port number with the source specified in the UDP datagram
   before cryptographically validating the enclosed record(s) but
   instead perform a return routability check.

I agree that the return routability check should be performed before updating the peer's IP address and port number, but the part about "before cryptographically validating the enclosed record" seems to open up some opportunities for trouble.

Russ
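The receive-path ordering discussed above, as an added example that is not part of this message or of the draft: a record carrying a CID is authenticated first, and only then does a source-address mismatch trigger a return routability check; the peer address is changed solely by a successful RRC response, never by the mismatching record itself. An HMAC over cid||payload stands in for DTLS record protection, and the RRC is modelled as a random cookie that the peer must echo in a protected record; both are constructed assumptions, not the draft's wire format.

```python
"""Receive-path address handling for DTLS records carrying a CID.

Constructed illustration (not the draft's format): an HMAC over
cid||payload stands in for DTLS record protection, and the return
routability check (RRC) is modelled as a random cookie sent to the new
source address that the peer must echo back inside a protected record.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

Addr = tuple  # (ip, port) of the enclosing UDP datagram
RRC_PREFIX = b"RRC-RESP:"  # constructed marker for an echoed cookie


@dataclass(frozen=True)
class Record:
    cid: bytes
    payload: bytes
    tag: bytes  # stand-in for the AEAD authentication tag


@dataclass
class PeerState:
    key: bytes
    addr: Addr  # address currently associated with this CID
    pending_rrc: dict = field(default_factory=dict)  # cookie -> candidate addr


def seal(key: bytes, cid: bytes, payload: bytes) -> Record:
    """Sender side: build a protected record for this CID."""
    tag = hmac.new(key, cid + payload, hashlib.sha256).digest()
    return Record(cid, payload, tag)


def _authentic(key: bytes, rec: Record) -> bool:
    expect = hmac.new(key, rec.cid + rec.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expect, rec.tag)


class Receiver:
    def __init__(self):
        self.peers: dict = {}  # cid -> PeerState

    def register(self, cid: bytes, key: bytes, addr: Addr) -> None:
        self.peers[cid] = PeerState(key, addr)

    def peer_addr(self, cid: bytes) -> Addr:
        return self.peers[cid].addr

    def receive(self, src: Addr, rec: Record):
        """Process one record arriving in a datagram with source address src.

        Returns a tuple describing the action taken. The address bound to
        the CID changes in exactly one place: after a valid RRC response.
        """
        peer = self.peers.get(rec.cid)
        if peer is None:
            return ("drop", "unknown cid")
        # Cryptographic validation comes first: a record that does not
        # authenticate neither moves the address nor causes an RRC probe.
        if not _authentic(peer.key, rec):
            return ("drop", "bad tag")
        if rec.payload.startswith(RRC_PREFIX):
            cookie = rec.payload[len(RRC_PREFIX):]
            candidate = peer.pending_rrc.pop(cookie, None)
            # The echo must come from the address that was challenged.
            if candidate is None or candidate != src:
                return ("drop", "unexpected rrc response")
            peer.addr = src  # the only place the peer address is updated
            return ("updated", src)
        if src == peer.addr:
            return ("deliver", rec.payload)
        # Source differs from the address associated with the CID: keep the
        # old address and challenge the new path with a fresh cookie.
        cookie = secrets.token_bytes(8)
        peer.pending_rrc[cookie] = src
        return ("rrc_challenge", src, cookie)  # caller sends cookie to src


def demo():
    """Walk one peer through an address change; values are constructed."""
    key, cid = b"k" * 32, b"\x01\x02"
    home, away = ("192.0.2.10", 5000), ("198.51.100.7", 6000)
    rx = Receiver()
    rx.register(cid, key, home)
    steps = [rx.receive(home, seal(key, cid, b"app-data"))]
    challenge = rx.receive(away, seal(key, cid, b"app-data"))
    steps += [challenge[0], rx.peer_addr(cid)]  # challenged, still home
    steps.append(rx.receive(away, seal(key, cid, RRC_PREFIX + challenge[2])))
    steps.append(rx.peer_addr(cid))  # now away
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

A record from the new address that fails authentication is dropped before any RRC state is created, which is the ordering Russ's comment points at; a valid record from a new address is not delivered until the path has been confirmed.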


> On May 3, 2021, at 11:44 AM, Sean Turner <sean@sn3rd.com> wrote:
> 
> Hi!
> 
> We would like to re-run the WG adoption call for "Return Routability Check for DTLS 1.2 and DTLS 1.3". Please state whether you support adoption of this draft as a WG item by posting a message to the TLS list by 2359 UTC 24 May 2021.  Please include any additional information that is helpful in understanding your position.
> 
> NOTES:
> 
> 1) We are re-running this WG adoption now that DTLS 1.3 [1] and Connection Identifiers for DTLS 1.2 [2] are done.
> 2) Here is a link to the original WG adoption call [3].
> 
> Thanks,
> Chris, Joe, and Sean
> 
> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-dtls13/
> [2] https://datatracker.ietf.org/doc/draft-ietf-tls-dtls-connection-id/
> [3] https://mailarchive.ietf.org/arch/msg/tls/IJYqpTmSHsCkiMaUPt_AltvKbe8/
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls