[TLS] AD review of draft-ietf-tls-dtls-connection-id-07
Benjamin Kaduk <kaduk@mit.edu> Thu, 03 September 2020 23:02 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2421E3A133C; Thu, 3 Sep 2020 16:02:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1wKeF_TCi9q; Thu, 3 Sep 2020 16:02:33 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FF903A133B; Thu, 3 Sep 2020 16:02:32 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 083N2SvI015820 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 3 Sep 2020 19:02:31 -0400
Date: Thu, 03 Sep 2020 16:02:28 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: draft-ietf-tls-dtls-connection-id@ietf.org
Cc: tls@ietf.org
Message-ID: <20200903230228.GQ16914@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fuIKh0KLOBDxEHO14OloItd87o8>
Subject: [TLS] AD review of draft-ietf-tls-dtls-connection-id-07
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Sep 2020 23:02:35 -0000
Hi all, Sorry for the slow processing time -- my queue is still longer than I am happy with. There's a few apparent inconsistencies that we'll need to tighten up, but I don't think there's anything particularly problematic. I made a PR for most of the editorial stuff: https://github.com/tlswg/dtls-conn-id/pull/75 And having pulled the github repo up, it looks like there's a few open issues and PRs still, there -- what's the status of those? I wonder whether, as a rhetorical device, it would be helpful to give the new record payload structure a new name (DTLSCIDCiphertext?) to distinguish it from the RFC 6347 DTLSCiphertext. Then we could write things like "in order to distinguish between DTLSCiphertext and DTLSCIDCiphertext", "the DTLSCIDCiphertext record format is only used once encryption is enabled", etc. Section 3 For sending, if a zero-length CID has been negotiated then the RFC 6347-defined record format and content type MUST be used (see Section 4.1 of [RFC6347]) else the new record layer format with the tls12_cid content type defined in Figure 3 MUST be used. I'm glad that we take a clear stance on what content-type to use for zero-length CIDs, though I forget what the reasoning was to fall this way vs requiring that the tls12_cid ContentType is used whenever CIDs are negotiated. I see how this approach makes some processing easier (there is always a CID present when the ContentType is used), but it does have the drawback of requiring use of actual CIDs in order to get encrypted content-type. If you could remind me why this approach was chosen, that will be helpful for subsequent discussions/IESG review/etc. For receiving, if the tls12_cid content type is set, then the CID is used to look up the connection and the security association. If the tls12_cid content type is not set, then the connection and security association is looked up by the 5-tuple and a check MUST be made to determine whether the expected CID value is indeed zero length. If the check fails, then the datagram MUST be dropped. I guess there's maybe a risk that an attacker sets up a CID-ful connection on a given 5-tuple and then disappears, thereby denying the target of the attack the ability to use a CID-less DTLS association on that 5-tuple. But it would be hard to swamp all the ports, so it's only likely to be an issue when fixed ports are used on both sides ... which is known to happen sometimes. Perhaps we should document this in the security considerations. When receiving a datagram with the tls12_cid content type, the new MAC computation defined in Section 5 MUST be used. When receiving a datagram with the RFC 6347-defined record format the MAC calculation defined in Section 4.1.2 of [RFC6347] MUST be used. I guess that "4.1.2" includes "4.1.2.5 New Cipher Suites", so this is not inadvertently closing off extensibility (not that we expect much in the way of new 1.2 ciphersuites)...right? Section 4 When CIDs are being used, the content to be sent is first wrapped along with its content type and optional padding into a DTLSInnerPlaintext structure. This newly introduced structure is Is it worth mentioning that this is anlogous to the TLS 1.3 TLSInnerPlaintext? (I do see that we have such a reference a couple paragraphs later in the context of the record padding functionality.) enc_content The encrypted form of the serialized DTLSInnerPlaintext structure. In Section 5.2 we refer to the DTLSCiphertext.enc_content as the intermediate encrypted stuff used as input to the MAC for Encrypt-then-MAC processing, which maps up well to this description, but is in conflict with DTLSCiphertext being the bits that actually go on the wire. So we seem to be internally inconsistent about whether enc_content includes the EtM MAC. Most likely it will be easiest to address this in Section 5.2, though. Section 5.x MAC(MAC_write_key, seq_num + The TLS 1.2 notation is "seq_num" for the implicit sequence number, but DTLS 1.2 says that the MAC input is the concatenation of the DTLS epoch and the DTLS (explicit) sequence number. I do not see this concatenation given the name "seq_num" anywhere, so I think we need to reformulate this expression. cid + cid_length + Does this construction preserve injectivity? It seems easier to reason about when the length of an element is always before or always after the element itself, but we put the length first for some of the other fields (that appear after these) so there seems to be some malleability. Section 6 - There is a strategy for ensuring that the new peer address is able to receive and process DTLS records. No such test is defined in this specification. [...] Application protocols that implement protection against these attacks depend on being aware of changes in peer addresses so that they can engage the necessary mechanisms. When delivered such an event, an application layer-specific address validation mechanism can be triggered, for example one that is based on successful exchange of minimal amount of ping-pong traffic with the peer. Alternatively, an DTLS-specific mechanism may be used, as described in [I-D.tschofenig-tls-dtls-rrc]. I feel like these are supposed to be talking about the same thing, but the first sentence of the latter paragraph leaves me confused. Is the idea that "application protocols that implement the functionality for ensuring that the peer can receive and process DTLS records" are what depend on being aware of the changes of address? Section 8 With multi-homing, a passive attacker is able to correlate the communication interaction over the two paths and the sequence number makes it possible to correlate packets across CID changes. The lack DTLS 1.2 CIDs don't have CID changes (other than by rehandshaking, which resets the sequence number space); the last clause seems stale from DTLS 1.3? Section 9 We may want to reference draft-gont-numeric-ids-sec-considerations as it relates to CID generation. An on-path adversary can create reflection attacks against third parties because a DTLS peer has no means to distinguish a genuine address update event (for example, due to a NAT rebinding) from one that is malicious. This attack is of concern when there is a large This is why we have the "[t]here is a strategy for ensuring that the new peer address is able to receive and process DTLS records" requirement, right? We should probably mention that (and that it's not perfect, since you have to send some records to the not-yet-verified peer address as part of the verification process). asymmetry of request/response message sizes. Is this just when the request is small and the response large, or is the reverse scenario also of concern? Section 10 connection_id(TBD1) as described in the table below. IANA is requested to add an extra column to the TLS ExtensionType Values registry to indicate whether an extension is only applicable to DTLS. Do we want a "DTLS-Only" column or a "DTLS/TLS" column that takes values "DTLS", "TLS", and "both"? IANA is requested to allocate tls12_cid(TBD2) in the "TLS ContentType Registry". The tls12_cid ContentType is only applicable to DTLS 1.2. We need a value for the "description" column, and should probably explicitly say that it has DTLS-OK "Y". Section 11.1 The way we refer to draft-tschofenig-tls-dtls-rrc does not actually seem to require it to be a normative reference. I'm sure we will catch some grief for normatively referring to both 5246 and 8446, but there's not really a way around it. Thanks, Ben
- [TLS] AD review of draft-ietf-tls-dtls-connection… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-c… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Michael D'Errico
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Joseph Salowey
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Watson Ladd
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Ilari Liusvaara
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… antoine
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… antoine
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Michael D'Errico
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Peter Gutmann
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla