[TLS]Re: DTLS 1.3 sequence number lengths and lack of ACKs
David Benjamin <davidben@chromium.org> Fri, 26 July 2024 05:24 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9711AC169433 for <tls@ietfa.amsl.com>; Thu, 25 Jul 2024 22:24:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.404
X-Spam-Level:
X-Spam-Status: No, score=-14.404 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id My5-cg5RnW_I for <tls@ietfa.amsl.com>; Thu, 25 Jul 2024 22:24:54 -0700 (PDT)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FE31C16942C for <tls@ietf.org>; Thu, 25 Jul 2024 22:24:54 -0700 (PDT)
Received: by mail-yb1-xb34.google.com with SMTP id 3f1490d57ef6-e0874f138aeso1604834276.2 for <tls@ietf.org>; Thu, 25 Jul 2024 22:24:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1721971493; x=1722576293; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=oRaGETL8Yo4Z+yGUsiY2aQhpcgOP8+bEHxqSWHyki3E=; b=Q4EQUIqoW+FLPEjxR9KgA+Z3k7tuJolvwtQqasH2dXZpMTHfJ1WpqmshxUicmFHq0m kxclOKYp/HABNVYxGUB0Ctc+dwXcjpRsWVBdLFCwFBwBH6C+2gS96XeN1Uo69VQ/KoQj keRw9FQR0/YWn196ftwdU5nW+cSlNQrgwf8OE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721971493; x=1722576293; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oRaGETL8Yo4Z+yGUsiY2aQhpcgOP8+bEHxqSWHyki3E=; b=iX5knR78dY9d539bWhVholMi2xwrv90HCfdRQP2zgrc6KlSZVgvQK6RKGdVCN7ArvE ZkEiQeFn4Vxs+ixPFs+MPyj7BP4HrJMieDEiTAy9bl2PwdCgjxITMgU+GRrrnIVs/dAH P0xRlBQwJ/TDoBJHR9fotvvKA5vOJzernJRKC3poEdQsftdsd5GnoMo5+dN5wp6pyBcs fIA0vivPzpBYUQrY8066h/H/IYvkowPj7cV4XwFgIxBasnGJhlyKhGrwkudJst2yluv7 KylitjVgqI2H4a6edx9XcRzXdU/1VBePk68BVNhrOKAm0JHQOsniZd1ilqhRn7soZQAx CwMg==
X-Gm-Message-State: AOJu0YzVAB8XYQG1cn/qo4RBYRwMxB3qO2z1qNGcTMP/Nldl523D41/S S0bscEBVX9HIuwPdTB+7Lc9sASLagIiMxK+AZLAiVEjtKmJM/6S7q3ePsDOGFQp0qVFaRzPKyfS Dnp40plJfY7x/geui9e69RmcV72S9zesipct01t3zjPGBdm4QlPM=
X-Google-Smtp-Source: AGHT+IEcRHfezCUiMDqjODYtCwScnjykpLMv4lSf/97SZKUxqqicdKNMp+poCXhWhQ8EQ6o/75yNimMy/FWGrhPPDbU=
X-Received: by 2002:a05:6902:1146:b0:dfb:538:df1e with SMTP id 3f1490d57ef6-e0b231f44ecmr6412949276.35.1721971492992; Thu, 25 Jul 2024 22:24:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaAyDTwdT12zdo=PfRH=zwVU5rJGnsrSgWrk4F1JHyZtDg@mail.gmail.com> <AS8PR10MB742794893207672B7C0F4079EE082@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <CAF8qwaDRnAp=nUXqi1C2kRtMSvF2W+F9rD5aK+vU4M1+tfoOwg@mail.gmail.com> <AS8PR10MB7427850B0EAF94D651EBE0C0EE082@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <AS8PR10MB7427850B0EAF94D651EBE0C0EE082@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 25 Jul 2024 22:24:37 -0700
Message-ID: <CAF8qwaAN9ih-2qkM-f26E=UkSRjCakKZeFejWo7bUHoVUdygCQ@mail.gmail.com>
To: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
Content-Type: multipart/alternative; boundary="00000000000027ae49061e1fbbac"
Message-ID-Hash: JSQ6PEFXWYDKHWED6CNMJX4KTSZFVLBQ
X-Message-ID-Hash: JSQ6PEFXWYDKHWED6CNMJX4KTSZFVLBQ
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>, Nick Harper <nharper@chromium.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: DTLS 1.3 sequence number lengths and lack of ACKs
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nFJdAku3Uhs9Nee42iNErqTxEJ4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Circling back here, what do we wish to do here? I went to file an erratum, but it wasn't clear to me what to put in here. Perhaps an extra paragraph in Section 4? Not sure what we should advise... certainly we should tell implementers about what happens if they pick an 8-bit one. Is it worth mentioning the possibility of application-mediated ACK feedback? It seems pretty unlikely to me that anyone would implement that. On Tue, Apr 16, 2024 at 6:46 AM Tschofenig, Hannes < hannes.tschofenig@siemens.com> wrote: > Fair enough. I don’t have a strong preference as long as we document it > somewhere. > > > > Ciao > Hannes > > > > *From:* David Benjamin <davidben@chromium.org> > *Sent:* Tuesday, April 16, 2024 3:18 PM > *To:* Tschofenig, Hannes (T CST SEA-DE) <hannes.tschofenig@siemens.com> > *Cc:* <tls@ietf.org> <tls@ietf.org>; Nick Harper <nharper@chromium.org> > *Subject:* Re: [TLS] DTLS 1.3 sequence number lengths and lack of ACKs > > > > Regarding UTA or elsewhere, let's see how the buffered KeyUpdates issue > pans out. If I haven't missed something, that one seems severe enough to > warrants an rfc9147bis, or at least a slew of significant errata, in which > case we may as well put the fixups into the main document where they'll be > easier for an implementator to find. > > > > Certainly, as someone reading the document now to plan an implementation, > I would have found it much, much less helpful to put crucial information > like this in a separate UTA document instead of the main one, as these > details influence how and whether to expose the 8- vs 16-bit choice to > Applications Using TLS at all. > > > > David > > > > > > > > On Tue, Apr 16, 2024, 05:17 Tschofenig, Hannes < > hannes.tschofenig@siemens.com> wrote: > > Hi David, > > > > thanks again for these comments. > > > > Speaking for myself, this exchange was not designed based on QUIC. I > believe it pre-dated the corresponding work in QUIC. > > > > Anyway, there are different usage environments and, as you said, there is > a difference in the amount of messages that may be lost. For some > environments the loss 255 messages amounts to losing the message exchanges > of several days, potentially weeks. As such, for those use cases the > shorter sequence number space is perfectly fine. For other environments > this is obviously an issue and you have to select the bigger sequence > number space. > > > > More explanation about this aspect never hurts. Of course, nobody raised > the need for such text so far and hence we didn’t add anything. As a way > forward, we could add text to the UTA document. In the UTA document(s) we > already talk about other configurable parameters, such as the timeout. > > > > Ciao > > Hannes > > > > *From:* TLS <tls-bounces@ietf.org> *On Behalf Of *David Benjamin > *Sent:* Friday, April 12, 2024 11:36 PM > *To:* <tls@ietf.org> <tls@ietf.org> > *Cc:* Nick Harper <nharper@chromium.org> > *Subject:* [TLS] DTLS 1.3 sequence number lengths and lack of ACKs > > > > Hi all, > > > > Here's another issue we noticed with RFC 9147: (There's going to be a few > of these emails. :-) ) > > > > DTLS 1.3 allows senders to pick an 8-bit or 16-bit sequence number. But, > unless I missed it, there isn't any discussion or guidance on which to use. > The draft simply says: > > > > > Implementations MAY mix sequence numbers of different lengths on the > same connection > > > > I assume this was patterned after QUIC, but looking at QUIC suggests an > issue with the DTLS 1.3 formulation. QUIC uses ACKs to pick the minimum > number of bytes needed for the peer to recover the sequence number: > > https://www.rfc-editor.org/rfc/rfc9000.html#packet-encoding > > > > But the bulk of DTLS records, app data, are unreliable and not ACKed. DTLS > leaves all that to application. This means a DTLS implementation does not > have enough information to make this decision. It would need to be > integrated into the application-protocol-specific reliability story, if the > application protocol even maintains that information. > > > > Without ACK feedback, it is hard to size the sequence number safely. > Suppose a DTLS 1.3 stack unconditionally picked the 1-byte sequence number > because it's smaller, and the draft didn't say not to do it. That means > after getting out of sync by 256 records, either via reordering or loss, > the connection breaks. For example, if there was a blip in connectivity and > you happened to lose 256 records, your connection is stuck and cannot > recover. All future records will be at higher and higher sequence numbers. > A burst of 256 lost packets seems within the range of situations one would > expect an application to handle. > > > > (The 2-byte sequence number fails at 65K losses, which is hopefully high > enough to be fine? Though it's far far less than what QUIC's 1-4-byte > sequence number can accommodate. It was also odd to see no discussion of > this anywhere.) > > > > David > >
- [TLS] DTLS 1.3 sequence number lengths and lack o… David Benjamin
- Re: [TLS] DTLS 1.3 sequence number lengths and la… Tschofenig, Hannes
- Re: [TLS] DTLS 1.3 sequence number lengths and la… David Benjamin
- Re: [TLS] DTLS 1.3 sequence number lengths and la… Tschofenig, Hannes
- [TLS]Re: DTLS 1.3 sequence number lengths and lac… David Benjamin