[TLS] John Scudder's Discuss on draft-ietf-tls-dtls13-41: (with DISCUSS and COMMENT)
John Scudder via Datatracker <noreply@ietf.org> Thu, 25 March 2021 02:18 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: tls@ietf.org
Delivered-To: tls@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D73E13A16D3; Wed, 24 Mar 2021 19:18:42 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: John Scudder via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tls-dtls13@ietf.org, tls-chairs@ietf.org, tls@ietf.org, Sean Turner <sean@sn3rd.com>, sean@sn3rd.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.27.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: John Scudder <jgs@juniper.net>
Message-ID: <161663872232.13687.13134368143187916628@ietfa.amsl.com>
Date: Wed, 24 Mar 2021 19:18:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lEA4AmsJfHt3I5XxRNjXaygZS-8>
Subject: [TLS] John Scudder's Discuss on draft-ietf-tls-dtls13-41: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2021 02:18:43 -0000
John Scudder has entered the following ballot position for draft-ietf-tls-dtls13-41: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-tls-dtls13/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Section 4.5.2: Implementations which choose to generate an alert instead, MUST generate error alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation I just don’t understand this, despite having hopped over to RFC 8446 Sections 6 and 6.2. Is the intention that “error alert” implies closure of the association? That doesn’t seem to be exactly what 8446 says — it says the receiver of the alert closes the connection, but it doesn’t mandate this for the sender (except in the case of “fatal alert” messages, where “fatal” seems like the exception that proves the rule). It may be that “everyone knows” an error alert is the same as termination, but it’s not obvious in the plain English of the text I reviewed. Or maybe I’m barking up the wrong tree and this isn't what the text quoted above is even driving at. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks for the well-written document. In particular I thought it was helpful that you noted important divergences from DTLS 1.2 in line and not just at the end. COMMENTS: Section 3.1: I found the explanatory text to be confusing. You start with a figure illustrating a lost HelloRetryRequest. Then you tell me the server maintains a rexmit timer: The server also maintains a retransmission timer and retransmits when that timer expires. But then you immediately tell me that it actually doesn’t: Note that timeout and retransmission do not apply to the HelloRetryRequest since this would require creating state on the server. The HelloRetryRequest is designed to be small enough that it will not itself be fragmented, thus avoiding concerns about interleaving multiple HelloRetryRequests. I presume that if I added some more words to this, your intent is that the server maintains a retransmission timer *for messages other than HelloRetryRequest*. As written, it gave me some whiplash. Section 4.2.1: In general, implementations SHOULD discard records from earlier epochs, but if packet loss causes noticeable problems implementations MAY choose to retain keying material from previous epochs for up to the default MSL specified for TCP [RFC0793] to allow for packet reordering. It seems to me as though “if packet loss causes noticeable problems” is saying either too much, or not enough. Not enough: problems for whom? Noticeable by whom? How is this determined? Do you really mean I’m supposed to work this out dynamically as the text sort-of implies? Too much: if you’re not going to answer the foregoing, maybe don’t taunt me, and omit the clause entirely? Or, possibly a less vague rewrite could be in the nature of “if providing service to an application that is especially sensitive to packet loss”. NITS: Section 2: “The reader is also as to be familiar” s/as/assumed/ Section 11: Although the cookie must allow the server to produce the right handshake transcript, they “It” not “they” (agreement in number) and DTLS with connection IDs allow for endpoint addresses to change during the association; “allows” not “allow” (agreement in number)
- [TLS] John Scudder's Discuss on draft-ietf-tls-dt… John Scudder via Datatracker
- Re: [TLS] John Scudder's Discuss on draft-ietf-tl… Eric Rescorla