Re: [TLS] DTLS 1.3

"Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com> Fri, 08 July 2016 16:25 UTC

From: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>
Date: Fri, 08 Jul 2016 16:25:09 +0000
Message-ID: <D3A5887A.6C22C%thomas.fossati@alcatel-lucent.com>
References: <577E22DE.2060805@cs.tcd.ie> <1467892378.3426.41.camel@redhat.com> <577E4392.6060408@cs.tcd.ie> <D3A51FC1.6C049%thomas.fossati@alcatel-lucent.com> <1467967459.3009.7.camel@redhat.com> <D3A52886.6C06E%thomas.fossati@alcatel-lucent.com> <1467968753.3009.11.camel@redhat.com> <D3A52BC5.6C07C%thomas.fossati@alcatel-lucent.com> <1467971752.3009.22.camel@redhat.com> <D3A53771.6C0A5%thomas.fossati@alcatel-lucent.com> <20160708132549.GA14245@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20160708132549.GA14245@LK-Perkele-V2.elisa-laajakaista.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bS6JFXkc4psh13_nvaVgsyS5wQA>
Cc: tls <tls@ietf.org>
Subject: Re: [TLS] DTLS 1.3

Hi Ilari,

On 08/07/2016 14:25, "ilariliusvaara@welho.com on behalf of Ilari
Liusvaara" <ilariliusvaara@welho.com> wrote:
> However, turns out this doesn't actually work as well as hoped in
> practice. The problem is that client can't really change address
> voluntarily (even if it is behind CGNAT, it probably can't change the
> outgoing address until CGNAT triggers involuntary rebinding, and client
> can't react to such rebindings fast enough).

You are right.  If the client doesn't know that a re-bind has happened and
therefore sends data using the same Id, it's trackable.  In this case I
think the trade-off you are making is letting the session survive even if
you are potentially trackable.  This is probably Nikos' use case.

> So it would be limited to cases where the client has non-NAT connection
> and is renumbered. And such pretty rarely happens.

My use case is an IoT device that voluntarily (or better, knowingly)
migrates its attachment from IP to GSM-SMS and vice versa and wants to
keep the (painfully) negotiated session open.  Here the client is in
complete control of the situation and can do the Id rollover at the right
point in time.
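The two cases contrasted in this exchange (an involuntary CGNAT re-bind that keeps the same Id on the wire versus a knowing migration that rolls the Id at the moment of the move), as an added toy model that is not part of the thread: the `spare` pool of pre-agreed alternative identifiers and the address values are constructed assumptions, and `linkable_addresses` is the passive on-path observer's view.

```python
# Added illustration (not from the thread): a toy model of the trade-off
# discussed above. "cid" stands for a per-session connection identifier that
# a DTLS client puts on the wire so the server can find the session after
# the client's address changes. All addresses and Ids are constructed.
from dataclasses import dataclass, field


@dataclass
class Datagram:
    src: str     # source address as seen on the path
    cid: int     # connection identifier visible in cleartext


@dataclass
class Client:
    """One DTLS session; 'spare' is an assumed pool of alternative Ids
    agreed with the server in advance that the client may switch to."""
    addr: str
    cid: int
    spare: list = field(default_factory=list)
    sent: list = field(default_factory=list)

    def send(self):
        self.sent.append(Datagram(self.addr, self.cid))

    def migrate_knowingly(self, new_addr):
        # IoT case: the client controls the move (e.g. IP -> SMS), so it
        # rolls the identifier at the same moment it changes address.
        self.addr = new_addr
        self.cid = self.spare.pop(0)

    def nat_rebind(self, new_addr):
        # CGNAT case: the translator changes the outside address without
        # telling the client, which therefore keeps using the same Id.
        self.addr = new_addr


def linkable_addresses(datagrams):
    """Passive observer's view: which source addresses share a wire Id?
    Returns {cid: set(addresses)}; a set with >1 entry is a linked move."""
    seen = {}
    for d in datagrams:
        seen.setdefault(d.cid, set()).add(d.src)
    return seen


def simulate(involuntary: bool) -> bool:
    """True if the observer can link the pre- and post-move addresses."""
    c = Client(addr="198.51.100.10", cid=0x11, spare=[0x22, 0x33])
    c.send()
    if involuntary:
        c.nat_rebind("198.51.100.77")
    else:
        c.migrate_knowingly("203.0.113.5")
    c.send()
    return any(len(a) > 1 for a in linkable_addresses(c.sent).values())
```

The session survives in both runs; only the knowing migration leaves the observer with two unrelated Ids at two addresses.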