[TLS] (TLS) RFC5246 - 7.2.1. Closure Alerts - Applied to (DTLS) RFC 6347

Achim Kraus <achimkraus@gmx.net> Tue, 06 July 2021 14:33 UTC

To: "tls@ietf.org" <tls@ietf.org>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <67b202fe-5f31-f7af-121c-48d68ff8f90d@gmx.net>
Date: Tue, 6 Jul 2021 16:33:34 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kH2_0vqS_lZgbQfhFtrNARyK6BI>
Subject: [TLS] (TLS) RFC5246 - 7.2.1. Closure Alerts - Applied to (DTLS) RFC 6347

Hi List,

I am currently trying to get some clarity about the usage of DTLS 1.2.

One topic that comes up is

(TLS) RFC5246 - 7.2.1.  Closure Alerts:

> The client and the server must share knowledge that the connection is
> ending in order to avoid a truncation attack.

AFAIK, the protection of the "close_notify" is built on the guarantees of
TCP. On receiving the "close_notify" in the TLS layer, TCP ensures that
all data before it was also passed to TLS. If something were missing,
the "close_notify" would not be passed to TLS.
(e.g.
https://www.usenix.org/system/files/conference/woot13/woot13-smyth.pdf)

Applying this mechanism to DTLS and UDP seems to me to break that
protection. UDP guarantees neither order nor completeness, and so the
"close_notify" mechanism stops working.

So, are there considerations of if/how a "close_notify" can provide that
protection for DTLS as it does for TLS?
It's not about protecting DTLS in general against message loss (for me,
that must be addressed in the layers above); it's about how a
"close_notify" can provide that protection, or not.

I found:
https://mailarchive.ietf.org/arch/msg/tls/VNrSd7gv7uFjJNZH6frBt5lb57A/
https://mailarchive.ietf.org/arch/msg/tls/FJM6OHfvLJP_pF5uUcR86pzrdYo/

But I miss an explicit statement about the "truncation attack".
Or is that too obvious?

Best regards
Achim Kraus
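Added illustration (editorial, not part of the mail above and not code from any TLS/DTLS implementation) of the ordering/completeness point the mail makes: over a reliable, in-order stream, a close_notify that reaches the TLS layer implies every earlier record was delivered, while over unordered, lossy datagrams it implies nothing about the records sent before it. DTLS 1.2 records do carry an explicit sequence number (RFC 6347), so the receiver below uses that field to tell a clean close from a close that arrived with records missing; whether a gap is loss or deliberate truncation it cannot say, which is the mail's point. The record layout, the function names and the sample messages are constructed for this illustration.

```python
"""Simulate close_notify over a stream transport versus a datagram transport
and show what a receiver can and cannot conclude from its arrival.
(Constructed illustration; records are simplified and the 'seq' field stands
in for the DTLS epoch/sequence_number.)"""

from dataclasses import dataclass
import random

CLOSE_NOTIFY = "close_notify"


@dataclass(frozen=True)
class Record:
    seq: int        # explicit record sequence number (simplified)
    payload: str    # application data or the alert name


def make_records(messages):
    """Sender side: application data records followed by a close_notify alert."""
    recs = [Record(i, m) for i, m in enumerate(messages)]
    recs.append(Record(len(messages), CLOSE_NOTIFY))
    return recs


def tcp_deliver(records):
    """Model of a reliable, in-order stream: everything sent before the
    close_notify is handed up before it. A lost segment would stall the
    stream, so the alert would never reach the TLS layer ahead of the data."""
    return list(records)


def udp_deliver(records, drop=(), rng=None):
    """Model of a datagram transport: records may arrive out of order and
    the ones listed in 'drop' never arrive at all."""
    rng = rng or random.Random(1)   # fixed seed so the run is reproducible
    delivered = [r for r in records if r.seq not in drop]
    rng.shuffle(delivered)
    return delivered


def receive(delivered):
    """Receiver: reassemble by sequence number and judge the close_notify.
    Returns (data_in_order, close_state), where close_state is one of
    'no_close_notify', 'clean_close' or 'close_with_gaps'."""
    seen = {r.seq: r for r in delivered}
    close = next((r for r in delivered if r.payload == CLOSE_NOTIFY), None)
    if close is None:
        data = [r.payload for _, r in sorted(seen.items())]
        return data, "no_close_notify"
    # Every sequence number below the alert's must be present; otherwise the
    # receiver cannot distinguish ordinary loss from deliberate truncation
    # and must not treat the close as a guarantee of completeness.
    missing = [s for s in range(close.seq) if s not in seen]
    data = [seen[s].payload for s in range(close.seq) if s in seen]
    return data, "clean_close" if not missing else "close_with_gaps"


if __name__ == "__main__":
    recs = make_records(["GET", "DATA1", "DATA2"])
    print("stream   :", receive(tcp_deliver(recs)))
    print("datagram :", receive(udp_deliver(recs)))
    print("datagram, record 1 lost:", receive(udp_deliver(recs, drop={1})))
    print("datagram, alert lost   :", receive(udp_deliver(recs, drop={3})))
```

The stream case always yields clean_close; the datagram case yields clean_close only when nothing was lost, close_with_gaps when an earlier record is missing, and no_close_notify when the alert itself is lost. In practice the application protocol above DTLS has to supply its own end-of-data marker or length, as the mail suggests, because the alert alone cannot prove completeness.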