Re: [TLS] John Scudder's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)

John Scudder <jgs@juniper.net> Wed, 21 April 2021 00:07 UTC

From: John Scudder <jgs@juniper.net>
To: Eric Rescorla <ekr@rtfm.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-tls-dtls-connection-id@ietf.org" <draft-ietf-tls-dtls-connection-id@ietf.org>, tls-chairs <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>, Joseph Salowey <joe@salowey.net>
Thread-Topic: John Scudder's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)
Thread-Index: AQHXNjZvWIVloQQe0U6QWFeDi8kblaq+C/cAgAAMLqQ=
Date: Wed, 21 Apr 2021 00:07:15 +0000
Message-ID: <8AF84651-A0A2-4065-8858-5D69C047DD9A@juniper.net>
References: <DC7E046F-EDF9-4AFA-B3B7-D88DE0B51952@juniper.net>, <CABcZeBPcmjnHNZkFpqVkMER110LXuXh0iRyi7KUJ6GjU2jM5pQ@mail.gmail.com>
In-Reply-To: <CABcZeBPcmjnHNZkFpqVkMER110LXuXh0iRyi7KUJ6GjU2jM5pQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/njmLKoa_taUEvUjIoapPcpxs8Gc>
Subject: Re: [TLS] John Scudder's No Objection on draft-ietf-tls-dtls-connection-id-11: (with COMMENT)

On Apr 20, 2021, at 7:24 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> On Tue, Apr 20, 2021 at 3:42 PM John Scudder <jgs@juniper.net> wrote:
>
>> On Apr 20, 2021, at 5:32 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>>> 3. Section 6:
>>>>
>>>>    *  There is a strategy for ensuring that the new peer address is able
>>>>       to receive and process DTLS records.  No such strategy is defined
>>>>       in this specification.
>>>>
>>>> This is a little mind-boggling to me. I understand this to mean I can’t send
>>>> the new address a DTLS record unless I’ve already ensured it can receive and
>>>> process that record, right? This seems almost like a classic Catch-22. I feel
>>>> like I must be missing something.
>>>
>>> This specification *only* allows you to mux, but doesn't allow you to migrate.
>>> We could probably make this point clearer.
>>
>> Yes, I think so. Various things led me to think this was supposed to be a feature. For starters, the abstract:
>>
>>    A CID is an identifier carried in the record layer header that gives
>>    the recipient additional information for selecting the appropriate
>>    security association.  In "classical" DTLS, selecting a security
>>    association of an incoming DTLS record is accomplished with the help
>>    of the 5-tuple.  If the source IP address and/or source port changes
>>    during the lifetime of an ongoing DTLS session then the receiver will
>>    be unable to locate the correct security context.
>>
>> It’s true the abstract doesn’t promise that I can migrate to the new address, but I felt led in that direction. But more to the point, §6 itself:
>>
>>    When a record with a CID is received that has a source address
>>    different than the one currently associated with the DTLS connection,
>>    the receiver MUST NOT replace the address it uses for sending records
>>    to its peer with the source address specified in the received
>>    datagram unless the following three conditions are met:
>>
>> If I understand your reply correctly, the quoted sentence could end “… unless the following three conditions are met (which will never happen):”. Since that seems both capricious and pointless, I still think I’m missing something. Is it that you envision a future specification that does define a strategy that will fulfill the third condition?
>
> Yes.

Got it, thanks. In that case I think it brings us back to your earlier “we could probably make this point clearer”.

—John
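The "mux but don't migrate" behaviour discussed above is easy to get wrong in a receiver, so here is an added illustration in Python. It is not code from the draft, its authors, or anyone in this thread. Records are demultiplexed by CID instead of by the 5-tuple, and a record that authenticates under the right association but arrives from an unfamiliar source address is still accepted for that association, while the address the receiver sends to is left untouched, because the third condition of §6 has no strategy defined for it. The header layout follows the draft's tls12_cid record (type, version, epoch, 48-bit sequence number, cid, length). Everything else is a constructed assumption: the truncated HMAC that stands in for AEAD record protection, the fixed 4-byte CID length, the "newer than anything seen so far" check modelled on what I recall as the draft's second condition, and the addresses, keys and payloads.

```python
"""Toy DTLS-with-CID receiver: demultiplex by CID, never migrate the peer address."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

TLS12_CID = 25        # content type "tls12_cid" used by records that carry a CID
DTLS12_VERSION = 0xFEFD
TAG_LEN = 16          # constructed: truncated HMAC-SHA256 stands in for AEAD authentication


@dataclass
class SecurityAssociation:
    cid: bytes
    key: bytes                       # constructed per-association MAC key
    peer_addr: tuple                 # (host, port) the receiver currently sends to
    highest_seen: tuple = (0, -1)    # (epoch, sequence_number) of newest verified record


def build_record(sa, epoch, seq, payload):
    """Constructed sender side: header || payload || tag, with the tls12_cid header
    layout type(1) version(2) epoch(2) seq(6) cid(n) length(2)."""
    hdr = (struct.pack("!BHH", TLS12_CID, DTLS12_VERSION, epoch)
           + seq.to_bytes(6, "big") + sa.cid
           + struct.pack("!H", len(payload) + TAG_LEN))
    tag = hmac.new(sa.key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + payload + tag


class CidReceiver:
    def __init__(self, cid_length):
        self.cid_length = cid_length    # assumption: receiver uses fixed-length CIDs
        self.by_cid = {}

    def add(self, sa):
        self.by_cid[sa.cid] = sa

    def parse(self, datagram):
        n = self.cid_length
        hdr_len = 13 + n
        if len(datagram) < hdr_len or datagram[0] != TLS12_CID:
            return None
        epoch, = struct.unpack("!H", datagram[3:5])
        seq = int.from_bytes(datagram[5:11], "big")
        cid = datagram[11:11 + n]
        length, = struct.unpack("!H", datagram[11 + n:hdr_len])
        body = datagram[hdr_len:hdr_len + length]
        if len(body) != length or length < TAG_LEN:
            return None
        return cid, epoch, seq, datagram[:hdr_len], body[:-TAG_LEN], body[-TAG_LEN:]

    def on_datagram(self, src_addr, datagram):
        parsed = self.parse(datagram)
        if parsed is None:
            return "drop:malformed"
        cid, epoch, seq, hdr, payload, tag = parsed
        sa = self.by_cid.get(cid)                 # selection by CID, not by 5-tuple
        if sa is None:
            return "drop:unknown_cid"
        expected = hmac.new(sa.key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "drop:auth_failed"             # a spoofer with the CID alone gets nowhere
        if (epoch, seq) > sa.highest_seen:
            sa.highest_seen = (epoch, seq)
        if src_addr != sa.peer_addr:
            # Section 6: MUST NOT replace the sending address unless all three
            # conditions hold. The record is verified and newer, but the third
            # condition (a strategy ensuring the new address can receive and process
            # DTLS records) is undefined in this specification, so the record is
            # accepted for this association and peer_addr stays as it was.
            return "accept:address_unchanged"
        return "accept"


def demo():
    """Constructed scenario: one association, then records from the original address,
    from a new address with the right key, and from the new address with a wrong key."""
    sa = SecurityAssociation(cid=b"\x01\x02\x03\x04", key=b"constructed-key",
                             peer_addr=("192.0.2.1", 5684))
    rx = CidReceiver(cid_length=4)
    rx.add(sa)
    home, moved = ("192.0.2.1", 5684), ("198.51.100.7", 4000)
    r_home = rx.on_datagram(home, build_record(sa, 1, 1, b"hello"))
    r_moved = rx.on_datagram(moved, build_record(sa, 1, 2, b"moved"))
    spoofer = SecurityAssociation(cid=sa.cid, key=b"wrong-key", peer_addr=moved)
    r_spoof = rx.on_datagram(moved, build_record(spoofer, 1, 3, b"spoof"))
    r_junk = rx.on_datagram(moved, b"\x19junk")
    return r_home, r_moved, r_spoof, r_junk, sa.peer_addr, sa.highest_seen


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the pair `accept:address_unchanged` and an unchanged `peer_addr`: the receiver keeps serving the association for records arriving from anywhere, which is the multiplexing the draft provides, but it never starts sending to the new address on the strength of an incoming record, which is the migration the draft withholds until some future document supplies the missing strategy.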