[TLS] Re: draft-ietf-tls-dtls-rrc-14 ietf last call Secdir review
Achim Kraus <achimkraus@gmx.net> Tue, 10 June 2025 06:43 UTC
To: Mike Ounsworth <mike@ounsworth.ca>
CC: draft-ietf-tls-dtls-rrc.all@ietf.org, last-call@ietf.org, tls@ietf.org, secdir@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cyKBnZxC-k9E-Crd1IvVnB6BjZE>
Hi Mike,

> Naïve question (I am not a DTLS / routing expert). Does this spec introduce a
> new DDoS surface in the case that the new (preferred) path is longer, and
> therefore the connection will keep pausing to do this path-check? I expected to
> see somewhere a recommendation for a guard against that – only do this once per
> pair of paths, or something similar.

At least, like any other additional message exchange, it will add some latency to the original message exchange. Such an (additional) RRC exchange is only applied if the source address is changing (e.g. NAT timeout) and the response comes with an amplification. In my experience, it is very common that a first message after a quiet phase anyway takes a little longer, and a GET with a larger response may also take some more time. So for me it doesn't add anything new, but it enlarges it a little.

br
Achim
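As an added illustration of the gating described in the reply above (example code, not from the draft, from any DTLS stack, or from the thread's authors): a behavioural model of a server that performs the return routability check only when a record arrives from a changed source address and the reply it would trigger is amplified. The message names, the 3x amplification threshold, the cookie size and the per-session counter are assumptions of this model, not the draft's wire format.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed threshold: a reply counts as "amplified" if it exceeds 3x the request size.
AMPLIFICATION_LIMIT = 3


@dataclass
class Connection:
    peer: tuple                    # (ip, port) currently validated for this session
    pending: dict = field(default_factory=dict)   # cookie -> (candidate addr, held reply)
    rrc_exchanges: int = 0         # extra round trips this session has paid for


def handle_request(conn, src, request, reply):
    """Decide what the server sends for an authenticated record from address src.

    Returns a list of (destination, payload) pairs."""
    if src == conn.peer:
        # Known path: reply immediately, no added latency.
        return [(src, reply)]
    if len(reply) <= AMPLIFICATION_LIMIT * len(request):
        # Address changed but the reply is small: answer the new address directly.
        # The trusted peer address is only switched after a successful check.
        return [(src, reply)]
    # Address changed AND the reply would amplify: hold it behind a challenge
    # so an unverified (possibly spoofed) address never receives the large reply.
    cookie = secrets.token_bytes(8)
    conn.pending[cookie] = (src, reply)
    conn.rrc_exchanges += 1
    return [(src, b"path_challenge:" + cookie)]


def handle_path_response(conn, src, cookie):
    """Release a held reply only for a matching cookie echoed from the candidate path."""
    for known, (candidate, reply) in list(conn.pending.items()):
        if hmac.compare_digest(known, cookie) and candidate == src:
            del conn.pending[known]
            conn.peer = src            # new path is now return-routable
            return [(src, reply)]
    return []                          # unknown cookie or wrong source: drop
```

The model makes the latency argument concrete: a session that never changes address, or only triggers small replies, pays no extra round trip; only the combination of a new address and an amplified reply costs one challenge/response exchange.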