Re: [TLS] [Syslog] Missing dead peer detection in DTLS
Michael Tuexen <tuexen@fh-muenster.de> Wed, 05 August 2009 12:35 UTC
Return-Path: <tuexen@fh-muenster.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EFEFB3A6B84; Wed, 5 Aug 2009 05:35:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.169
X-Spam-Level:
X-Spam-Status: No, score=0.169 tagged_above=-999 required=5 tests=[AWL=-2.169, BAYES_00=-2.599, HOST_EQ_DIP_TDIAL=2.144, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_35=0.6, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9gOAb9nhQ9-O; Wed, 5 Aug 2009 05:35:13 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by core3.amsl.com (Postfix) with ESMTP id 9F7823A6B82; Wed, 5 Aug 2009 05:35:09 -0700 (PDT)
Received: from [192.168.1.100] (p508FD425.dip.t-dialin.net [80.143.212.37]) by mail-n.franken.de (Postfix) with ESMTP id 4919A1C0B4619; Wed, 5 Aug 2009 14:35:09 +0200 (CEST)
From: Michael Tuexen <tuexen@fh-muenster.de>
To: "tom.petch" <cfinss@dial.pipex.com>
In-Reply-To: <000201ca1352$42b53ba0$0601a8c0@allison>
X-Priority: 3
References: <4A6EB9BB.9040002@net.in.tum.de> <000401ca111a$3bb01da0$0601a8c0@allison> <EB76C973-49C7-494C-8281-52559BC61F40@fh-muenster.de> <000201ca1352$42b53ba0$0601a8c0@allison>
Message-Id: <2534D5E9-2595-427A-86FD-562890F0D74B@fh-muenster.de>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Wed, 05 Aug 2009 14:35:07 +0200
X-Mailer: Apple Mail (2.935.3)
X-Mailman-Approved-At: Wed, 05 Aug 2009 08:06:12 -0700
Cc: ipfix@ietf.org, Daniel Mentz <mentz@in.tum.de>, Gerhard Muenz <muenz@net.in.tum.de>, syslog <syslog@ietf.org>, tls@ietf.org
Subject: Re: [TLS] [Syslog] Missing dead peer detection in DTLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2009 12:35:19 -0000
Hi Tom, understood. Thanks for the clarification. Best regards Michael On Aug 2, 2009, at 11:11 AM, tom.petch wrote: > Reply inline, twice > > Tom Petch > > ----- Original Message ----- > From: "Michael Tuexen" <tuexen@fh-muenster.de> > To: "tom.petch" <cfinss@dial.pipex.com> > Sent: Thursday, July 30, 2009 5:24 PM > > a question in-line. > > Michael > > On Jul 30, 2009, at 11:44 AM, tom.petch wrote: > >> Gerhard >> >> Thank you for pointing this out; it had escaped me. >> >> What I had thought though was that the lack of flow control with >> DTLS over UDP >> is a problem, and that the lack of this with syslog over UDP led the >> syslog RFC >> [RFC5424] to make syslog over TLS the RECOMMENDED transport, not, as >> might be >> expected, syslog over UDP. > > So I think it is actually congestion control what you are looking > for, which is provided by TCP when using SYSLOG/TLS/TCP/IP, right? > > <tp> > For myself, no, I was not looking for or caring about congestion > control, rather > security. > > But when the syslog I-D got to the IESG, they did care about > congestion, and so > the syslog I-D was modified to make syslog over TLS the RECOMMENDED > transport, > not because it might or might not improve security but because it > offered congestion control, which UDP by itself does not. > </tp> >> >> This in turn led me to expect that syslog over DTLS over UDP would >> not be >> acceptable to the IESG, rather that syslog over DTLS over SCTP would >> become the >> RECOMMENDED transport. > > This would mean, that > * SYSLOG/TLS/TCP/IP > * SYSLOG/DTLS/SCTP/IP > * SYSLOG/DTLS/DCCP/IP > are in principle acceptable, whereas > * SYSLOG/DTLS/UDP/IP > is not. > You would (from the congestion control perspective) have the same > classification when taking out the DTLS or TLS layer, right? > > <tp> > I am unclear about your second sentence, but the first one, yes, I > would expect > the first three to be acceptable to the IESG (which is rather > important if you > want an I-D to become an RFC) and the last one not to be. TLS (by > using TCP), > SCTP, DCCP have acceptable congestion control, DTLS and UDP do not. > > Tom Petch > >> So; several thoughts. >> >> This is an update to the extensions RFC, RFC4366, which itself is >> being updated >> by the TLS working group (hence my addition of them to the list) and >> I would >> much rather have one extensions RFC rather than several. This is a >> good concept >> and fills a need; perhaps the TLS working group would take this on. >> >> Flow control remains an issue which I do not think that this >> extension >> addresses. >> >> Is this a security exposure? or just, like syslog over UDP, an >> inconvenient >> truth? >> >> The petch-gerhards draft allows the recipient of the unidirectional >> flow to >> initiate the DTLS 'connection', and so enables it to re-establish >> the connection >> when anything goes wrong. This would seem an alternative to >> consider. >> >> Tom Petch > <snip> > >
- Re: [TLS] [Syslog] Missing dead peer detection in… tom.petch
- Re: [TLS] [Syslog] Missing dead peer detection in… Michael Tuexen
- Re: [TLS] [Syslog] Missing dead peer detection in… tom.petch
- Re: [TLS] [Syslog] Missing dead peer detection in… Michael Tuexen
- Re: [TLS] [Syslog] Missing dead peer detection in… Erick O
- Re: [TLS] [Syslog] Missing dead peer detection in… Michael Tuexen
- Re: [TLS] [Syslog] Missing dead peer detection in… Erick O
- Re: [TLS] [Syslog] Missing dead peer detection in… Erick O