[TLS] draft-ietf-tls-dtls-connection-id-07 / IANA connection_id

Achim Kraus <achimkraus@gmx.net> Wed, 22 July 2020 06:53 UTC

To: "tls@ietf.org" <tls@ietf.org>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <ba076bb8-0aff-9847-1667-5fb6528be107@gmx.net>
Date: Wed, 22 Jul 2020 08:53:21 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jkizg3nRHgMQ1DYfi6h91KEnROc>
Subject: [TLS] draft-ietf-tls-dtls-connection-id-07 / IANA connection_id

Dear list,

is there any news about draft-ietf-tls-dtls-connection-id and the
IANA registration of the connection_id?

According to
https://datatracker.ietf.org/doc/draft-ietf-tls-dtls-connection-id the
draft expired on April 23, 2020, and according to
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
the assigned value expired on 2020-07-02.

I am still very interested in this extension; it makes CoAP over DTLS 1.2 a
very powerful technology for the cloud and NB-IoT.

Currently two pending threats are discussed, see the PRs in
https://github.com/tlswg/dtls-conn-id .

One of the two is, in my opinion, a general one for UDP; several
countermeasures are discussed, including RRC. Let me add that, in my
opinion, it is also about choosing CID for the right use case, and not
generally. That would mostly eliminate the DDoS threat, if the use case
doesn't offer an amplification.
The other one requires, in my opinion, a remark about not using the option
of RFC 6347 to generate an alert on invalid MACs if the CID is used.
Potentially, if of any interest at all, an additional remark about
AES-CBC, the CID length and "Lucky 13" may be added, though the CID
changes the 13.

To me this looks much more like the authors are too busy with other
work, and not like this draft doesn't make sense anymore. Therefore I
would appreciate it if the temporary IANA registration for the
connection_id could be extended by an additional year.

Best regards
Achim Kraus
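The two points raised above (no RFC 6347 alert on a bad MAC when a CID is in use, and the CID changing the "13" bytes of MAC header that Lucky 13 is named after) as an added, runnable illustration. This is example code written for this archive page; it is not from the post, the draft or any of its implementations. It assumes the CID pseudo-header layout published later in RFC 9146 section 5.1 (draft-07 ordered the MAC input differently), uses HMAC-SHA256 in place of the cipher suite's MAC, leaves out encryption and the anti-replay window, and all keys, CIDs, addresses and payloads are constructed.

```python
"""Added example, not part of the mailing-list post or the draft: a DTLS 1.2
record MAC over the Connection ID pseudo-header, and a receiver policy that
discards bad-MAC records silently instead of using the RFC 6347 alert option.

Assumptions: pseudo-header layout of RFC 9146 section 5.1 (draft-07 differed),
HMAC-SHA256 as the MAC, constructed keys/CIDs/addresses/payloads, stdlib only."""
import hashlib
import hmac
import struct
from typing import Optional

TLS12_CID = 25                      # content type of a CID record (tls12_cid)
DTLS12_VERSION = b"\xfe\xfd"        # DTLSCiphertext.version for DTLS 1.2
SEQ_NUM_PLACEHOLDER = b"\xff" * 8
ALERT_BAD_RECORD_MAC = b"\x02\x14"  # fatal (2), bad_record_mac (20)


def cid_mac_input(cid: bytes, epoch: int, seq: int, inner_plaintext: bytes) -> bytes:
    """Fields in RFC 9146 section 5.1 order; inner_plaintext is
    content || real_type || zeros (DTLSInnerPlaintext)."""
    if not 0 < len(cid) <= 255:
        raise ValueError("cid_length must be non-zero and fit in one byte")
    return (SEQ_NUM_PLACEHOLDER
            + bytes([TLS12_CID, len(cid), TLS12_CID])
            + DTLS12_VERSION
            + struct.pack("!H", epoch)
            + seq.to_bytes(6, "big")
            + cid
            + struct.pack("!H", len(inner_plaintext))
            + inner_plaintext)


def mac_header_len(cid: Optional[bytes]) -> int:
    """Bytes fed to the MAC before the plaintext: 13 for a plain (D)TLS 1.2
    record (seq_num, type, version, length), 23 + len(cid) with a CID.
    This is how the CID moves the "13" of Lucky 13."""
    if cid is None:
        return 8 + 1 + 2 + 2
    return len(cid_mac_input(cid, 0, 0, b""))


def compute_mac(mac_key: bytes, cid: bytes, epoch: int, seq: int, inner: bytes) -> bytes:
    return hmac.new(mac_key, cid_mac_input(cid, epoch, seq, inner), hashlib.sha256).digest()


class CidReceiver:
    """Server side, one session per CID. Integrity only; encryption and the
    anti-replay window are omitted because the point is the failure path."""

    def __init__(self, alert_on_bad_mac: bool):
        self.alert_on_bad_mac = alert_on_bad_mac  # True = RFC 6347 option, unsafe with CID
        self.sessions = {}   # cid -> {"mac_key": bytes, "peer": (host, port)}
        self.sent = []       # (dest_addr, payload) the server would put on the wire

    def add_session(self, cid: bytes, mac_key: bytes, peer) -> None:
        self.sessions[cid] = {"mac_key": mac_key, "peer": peer}

    def receive(self, cid: bytes, epoch: int, seq: int, inner: bytes,
                mac: bytes, src_addr) -> str:
        session = self.sessions.get(cid)
        if session is None:
            return "drop-unknown-cid"
        expected = compute_mac(session["mac_key"], cid, epoch, seq, inner)
        if not hmac.compare_digest(expected, mac):
            if self.alert_on_bad_mac:
                # Answering an unverified source turns the server into a
                # reflector: src_addr may be spoofed.
                self.sent.append((src_addr, ALERT_BAD_RECORD_MAC))
            return "drop-bad-mac"
        # The peer address moves only after a successful MAC check, so a
        # forged record cannot redirect the session's traffic.
        session["peer"] = src_addr
        return "accept"


def demo() -> dict:
    cid = b"\x01\x02\x03\x04"
    key = hashlib.sha256(b"constructed mac key").digest()
    inner = b"\x40\x01\x00\x01" + b"\x17"   # constructed CoAP bytes + real_type 23
    victim = ("198.51.100.7", 5684)         # spoofed source address
    new_nat = ("203.0.113.5", 40000)        # legitimate peer after NAT rebinding

    silent = CidReceiver(alert_on_bad_mac=False)
    silent.add_session(cid, key, ("192.0.2.10", 5684))
    forged = silent.receive(cid, 1, 7, inner, b"\x00" * 32, victim)
    peer_after_forgery = silent.sessions[cid]["peer"]
    genuine = silent.receive(cid, 1, 8, inner, compute_mac(key, cid, 1, 8, inner), new_nat)

    alerting = CidReceiver(alert_on_bad_mac=True)
    alerting.add_session(cid, key, ("192.0.2.10", 5684))
    alerting.receive(cid, 1, 7, inner, b"\x00" * 32, victim)

    return {
        "forged": forged,
        "peer_after_forgery": peer_after_forgery,
        "genuine": genuine,
        "peer_after_genuine": silent.sessions[cid]["peer"],
        "silent_sent": len(silent.sent),
        "alerting_sent_to": alerting.sent[0][0] if alerting.sent else None,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the difference between the two policies: the silent receiver drops the forged record, sends nothing and keeps the old peer address, while the alerting receiver emits a bad_record_mac alert towards the spoofed victim address, which is the reflection the post warns about. The address update after a verified record is what a legitimate NAT rebinding needs, and mac_header_len() makes the "13 versus 23 + CID length" point concrete for a 4-byte CID.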