Re: [TLS] [Syslog] Missing dead peer detection in DTLS

Michael Tuexen <tuexen@fh-muenster.de> Wed, 05 August 2009 12:35 UTC

Return-Path: <tuexen@fh-muenster.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EFEFB3A6B84; Wed, 5 Aug 2009 05:35:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.169
X-Spam-Level:
X-Spam-Status: No, score=0.169 tagged_above=-999 required=5 tests=[AWL=-2.169, BAYES_00=-2.599, HOST_EQ_DIP_TDIAL=2.144, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_35=0.6, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9gOAb9nhQ9-O; Wed, 5 Aug 2009 05:35:13 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by core3.amsl.com (Postfix) with ESMTP id 9F7823A6B82; Wed, 5 Aug 2009 05:35:09 -0700 (PDT)
Received: from [192.168.1.100] (p508FD425.dip.t-dialin.net [80.143.212.37]) by mail-n.franken.de (Postfix) with ESMTP id 4919A1C0B4619; Wed, 5 Aug 2009 14:35:09 +0200 (CEST)
From: Michael Tuexen <tuexen@fh-muenster.de>
To: "tom.petch" <cfinss@dial.pipex.com>
In-Reply-To: <000201ca1352$42b53ba0$0601a8c0@allison>
X-Priority: 3
References: <4A6EB9BB.9040002@net.in.tum.de> <000401ca111a$3bb01da0$0601a8c0@allison> <EB76C973-49C7-494C-8281-52559BC61F40@fh-muenster.de> <000201ca1352$42b53ba0$0601a8c0@allison>
Message-Id: <2534D5E9-2595-427A-86FD-562890F0D74B@fh-muenster.de>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Wed, 05 Aug 2009 14:35:07 +0200
X-Mailer: Apple Mail (2.935.3)
X-Mailman-Approved-At: Wed, 05 Aug 2009 08:06:12 -0700
Cc: ipfix@ietf.org, Daniel Mentz <mentz@in.tum.de>, Gerhard Muenz <muenz@net.in.tum.de>, syslog <syslog@ietf.org>, tls@ietf.org
Subject: Re: [TLS] [Syslog] Missing dead peer detection in DTLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2009 12:35:19 -0000

Hi Tom,

understood. Thanks for the clarification.

Best regards
Michael

On Aug 2, 2009, at 11:11 AM, tom.petch wrote:

> Reply inline, twice
>
> Tom Petch
>
> ----- Original Message -----
> From: "Michael Tuexen" <tuexen@fh-muenster.de>
> To: "tom.petch" <cfinss@dial.pipex.com>
> Sent: Thursday, July 30, 2009 5:24 PM
>
> a question in-line.
>
> Michael
>
> On Jul 30, 2009, at 11:44 AM, tom.petch wrote:
>
>> Gerhard
>>
>> Thank you for pointing this out; it had escaped me.
>>
>> What I had thought though was that the lack of flow control with
>> DTLS over UDP
>> is a problem, and that the lack of this with syslog over UDP led the
>> syslog RFC
>> [RFC5424] to make syslog over TLS the RECOMMENDED transport, not, as
>> might be
>> expected, syslog over UDP.
>
> So I think it is actually congestion control what you are looking
> for, which is provided by TCP when using SYSLOG/TLS/TCP/IP, right?
>
> <tp>
> For myself, no, I was not looking for or caring about congestion  
> control, rather
> security.
>
> But when the syslog I-D got to the IESG, they did care about  
> congestion, and so
> the syslog I-D was modified to make syslog over TLS the RECOMMENDED  
> transport,
> not because it might or might not improve security but because it
> offered congestion control, which UDP by itself does not.
> </tp>
>>
>> This in turn led me to expect that syslog over DTLS over UDP would
>> not be
>> acceptable to the IESG, rather that syslog over DTLS over SCTP would
>> become the
>> RECOMMENDED transport.
>
> This would mean, that
> * SYSLOG/TLS/TCP/IP
> * SYSLOG/DTLS/SCTP/IP
> * SYSLOG/DTLS/DCCP/IP
> are in principle acceptable, whereas
> * SYSLOG/DTLS/UDP/IP
> is not.
> You would (from the congestion control perspective) have the same
> classification when taking out the DTLS or TLS layer, right?
>
> <tp>
> I am unclear about your second sentence, but the first one, yes, I  
> would expect
> the first three to be acceptable to the IESG (which is rather  
> important if you
> want an I-D to become an RFC) and the last one not to be.  TLS (by  
> using TCP),
> SCTP, DCCP have acceptable congestion control, DTLS and UDP do not.
>
> Tom Petch
>
>> So; several thoughts.
>>
>> This is an update to the extensions RFC, RFC4366, which itself is
>> being updated
>> by the TLS working group (hence my addition of them to the list) and
>> I would
>> much rather have one extensions RFC rather than several.  This is a
>> good concept
>> and fills a need; perhaps the TLS working group would take this on.
>>
>> Flow control remains an issue which I do not think that this  
>> extension
>> addresses.
>>
>> Is this a security exposure? or just, like syslog over UDP, an
>> inconvenient
>> truth?
>>
>> The petch-gerhards draft allows the recipient of the unidirectional
>> flow to
>> initiate the DTLS 'connection', and so enables it to re-establish
>> the connection
>> when anything goes wrong.  This would seem an alternative to  
>> consider.
>>
>> Tom Petch
> <snip>
>
>