Re: [TLS] DTLS 1.3 ACKs
Eric Rescorla <ekr@rtfm.com> Sun, 02 July 2017 19:30 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56866127136 for <tls@ietfa.amsl.com>; Sun, 2 Jul 2017 12:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gi-Z_5CVVCc9 for <tls@ietfa.amsl.com>; Sun, 2 Jul 2017 12:30:50 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 514C0126DC2 for <tls@ietf.org>; Sun, 2 Jul 2017 12:30:50 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id j11so64389813ywa.2 for <tls@ietf.org>; Sun, 02 Jul 2017 12:30:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4HXJ9BvaX68DTGeG1z1cVpMlyHAwMuJ2gP2Lc7UGNks=; b=q2Eti3K0abmCMWbobKcpNyFyG8ZJugUpAlCiIcIaVJLnEYGrgCh7SMKDlXS2BDc/+h bPSu0IMzAi87YnwlbGCUJxRGTr1m/OFiXoaPY5uBbnIP1Y5n4HrQ0LNsgSq/vEdfsKdc flMmGuWJKVfoDagI241o3bWty/HCQXcDxNRi0OWnd37Wzs4G+jXjDcr/F5ovkiuYGuQ2 Rrsia7S6pZKxkl3KVTSiNnK3+L9wu+kOnM8Ay5nBpN6enF2DU3nduhUv5Ily9Ts77XLj +kpEnsR0NjvnUhNFYf2V/ThnmtaagBR628w/AiQ5Y98A2B23hs2/7XLZJe1c8jV6PcUK nXXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4HXJ9BvaX68DTGeG1z1cVpMlyHAwMuJ2gP2Lc7UGNks=; b=oooYu5fwxj6ors0UVWw8a7oKso5eA0whtCTMBZwvEhuVREhvbFXqod7dVRj+ac65pk cPPs+mtDpPbKDAQGJSFnDSNeW9OB84ZMCNzb7quCNyTvm5+2KDnSP7a7Pk3MPiRkD31j fevv90qazvGFeMm9yJ+7ESJT/q1w8vEAVFE8t+VM1RCryIdieqdo3QoC8h6aP77wONlF NR03G9NUjPRQd9JkdD3934y6RQgXul80yeYK2sY17VuvJ2CoCzzh2ocqVL1IM5mkp8wj vaYaQpIA05/3YBRZDrhSqqEZWXx9qLlDRwL3tteg52j+yYYGUebt2SwiK6Yl5ZO4v0pw WAbQ==
X-Gm-Message-State: AKS2vOwY7qPVfg97t3dSjtry7epbdSR25W39ZFuAB3xp5zrIHX4jPL35 M7KQg0/vEsYmP8krHiF4b6sMnGAnQ9A+v3o=
X-Received: by 10.129.109.206 with SMTP id i197mr17924258ywc.24.1499023849579; Sun, 02 Jul 2017 12:30:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.9 with HTTP; Sun, 2 Jul 2017 12:30:09 -0700 (PDT)
In-Reply-To: <20170702075416.7ozflgnxdo5k7gcd@LK-Perkele-VII>
References: <CABcZeBMpDLdrqaa7qEKyFFT8c-Qcodc01zDNqYcxmPp0qvi+pQ@mail.gmail.com> <20170624164749.bidmu2btsb6xsdjb@LK-Perkele-VII> <CABcZeBNkNUkgm9mrptgKO_+pkk2i9usYdGbmsFH762PhcVtFRw@mail.gmail.com> <20170701170103.htwyfrheq52pmm6l@LK-Perkele-VII> <CABcZeBMA3dUGKrk_V9EfYH1OtoD_JP+gTr8vf2+yq5Yaa-96vg@mail.gmail.com> <20170701210000.ppewrje6jcpy5w2b@LK-Perkele-VII> <CABcZeBNMwtExuep34WFp5r9phd94u7j_DvQdfeE3ha5TC0+7iQ@mail.gmail.com> <20170702075416.7ozflgnxdo5k7gcd@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 02 Jul 2017 12:30:09 -0700
Message-ID: <CABcZeBNiW_8s2XNXv3Zgk1bpq7fKwXVDUdbs+b=UXKx3DL00_Q@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114dd266107f1f05535ab006"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hYXuBMg1_MbZBru4DnbWLNg7aQM>
Subject: Re: [TLS] DTLS 1.3 ACKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Jul 2017 19:30:52 -0000
On Sun, Jul 2, 2017 at 12:54 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Sat, Jul 01, 2017 at 03:52:37PM -0700, Eric Rescorla wrote: > > On Sat, Jul 1, 2017 at 2:00 PM, Ilari Liusvaara < > ilariliusvaara@welho.com> > > wrote: > > > > > On Sat, Jul 01, 2017 at 10:26:17AM -0700, Eric Rescorla wrote: > > > > On Sat, Jul 1, 2017 at 10:01 AM, Ilari Liusvaara < > > > ilariliusvaara@welho.com> > > > > wrote: > > > > > > > Just noticed that DTLS allows packing multiple independent fragments > > > into one record (and then multiple records into one packet). > > > > > > Which impiles that an implementation that only prcesses one message at > > > a time is not guaranteed to even be able to generate a valid list of > > > RSNs to ACK, in case the peer sends sufficiently twisted (but still > > > seemingly in-spec) input. > > > > > > > I'm not following how that's true. When you decrypt, you record the > received > > RSNs and when you send an ACK you send the entire list. Then when you > > finish a flight, you reset the list. Can you maybe show me a sequence of > > events that would cause an error here? > > I think I figured out a case that doesn't involve peer intentionally > generating very dubious input: > > > Suppose that certificate is rather big (needs spliting to four parts), > and: > > > * The server preprares its flight, giving: > > - RSN 2:0 -> EncryptedExtensions, Certificate part 1/4 > - RSN 2:1 -> Certificate part 2/4 > - RSN 2:2 -> Certificate part 3/4 > - RSN 2:3 -> Certificate part 4/4, CertificateVerify, Finished. > > * Now, RSNs 2:1, 2:3 disappear, 2:0 and 2:2 make it through. > > * Client ACKs RSNs 2:0 and 2:2. > > * Server sees the ACK, and re-encrypts the offending packets: > > - RSN 2:4 -> Certificate part 2/4 > - RSN 2:5 -> Certificate part 4/4, CertificateVerify, Finished. > > * Now, RSN 2:4 disappears, 2:5 makes it through. > > * Client is one-message at a time. It can't ACK anything new. RSNs 2:1, > 2:3 and 2:4 are lost. RSN 2:5 can not be ACKed, because that would > imply the client received CV and F, which it did not. Thanks for clarifying your case. I think what you're assuming here is that when the client receives out of order handshake messages, it discards them rather than buffering them. Is that correct? In that case, yes, it should pretend it didn't get the records as well, and I think the right answer would be to not generate a new ACK and rely on the server's retransmission timer (which needs to run anyway). -Ekr
- [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara