Re: [TLS] DTLS RRC and heartbeat
Mohit Sahni <mohit06jan@gmail.com> Thu, 21 October 2021 14:41 UTC
Return-Path: <mohit06jan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FB3E3A173B for <tls@ietfa.amsl.com>; Thu, 21 Oct 2021 07:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.484
X-Spam-Level: **
X-Spam-Status: No, score=2.484 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FSL_BULK_SIG=1.774, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=0.922, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tgjrPgrbAwui for <tls@ietfa.amsl.com>; Thu, 21 Oct 2021 07:40:58 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C10453A173F for <tls@ietf.org>; Thu, 21 Oct 2021 07:40:57 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id p16so2689880lfa.2 for <tls@ietf.org>; Thu, 21 Oct 2021 07:40:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dqYyATJW2XCT5C41wYmpyg0L3lZsCFuQArgz6QvYJis=; b=jAt2U7aQY/4xMbFiG5KO9A3nFBR6iLn0jNV9gPYNmGGBYqLvJWl26QgTk1Coq+E9eU nHsoc3Uf+c1NuvlhZ0pfTlMAs0RQaHgQfiutR0obANkGCw/o/o/XG1mBgkfwzmMNXVgd 9vcaIM7MMKmOUlV2NOoaGIhjx5w3vxKMnNe48BVdtvKzA8kxp21a6jRVqfek7SprLpf9 AR0JFwnkBb05q0BOP95SPUJ6qve1BOfFQeRpb7R2qHLynVSDRQg1ZIrch8jcWryCrZBO aAk0YCd49QCPdg5zDdcQuGj+FkPVVJwGwb6BB9QtELf8WRZER8zl7JbbYtkvmIhKVBEL 0+hw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dqYyATJW2XCT5C41wYmpyg0L3lZsCFuQArgz6QvYJis=; b=aR9KT7yt4mEaDsDV1tBcUJp2egmM3X4u4CYavnOKZiJSzCv+cA0x/iXoFjU3WGr0cS BzSi5voJ7tCt7/AwQC5sgTRe0EX4TE2lebaKcB1R6liYU2e+x2pl+3kGj0ULd5aC1bBR zaxKURvomcFZQcIycfKYRMUj3y/ExpCaAb+gqqnuw0CsA82Xsj5P+cBFw+uORJAaxjeJ KDS3vIj6jMiaMJNzNDTJqTm3v6Y9uR1i119jYf0OXw500bIJ96//N/JT1fhhJ+EtlD4y 5zRKkt+v6JZ7m69ctgmRSUF0rgQwIQd8pUKyxzbs/Xlrj9QfijSm08a7XJmOAm8MTsui 8QUA==
X-Gm-Message-State: AOAM5327pLfuqe63qUOT9W1QwXZNobUqqh0NgAY2Nqt7Ojl2gf8uKy51 VtL4U8hSjgHoYAvdfhOeLGZmQdbUdXcpy+h2guc=
X-Google-Smtp-Source: ABdhPJz5kWVsyLEQq7HCoP2KZuo7iSZfjsj3WUZQLWjYev701jWK1uyKAXfDYYCQ+amBcDRRSU6j1XptPz5ysH5A4SY=
X-Received: by 2002:a05:6512:33c3:: with SMTP id d3mr5430860lfg.182.1634827255662; Thu, 21 Oct 2021 07:40:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAObGJnObgKwJE6dHUE_bPOHAzYNgaSDguXCz6gZ1Ld9bVKfecg@mail.gmail.com> <20211021163027.2dd6c9a5@computer>
In-Reply-To: <20211021163027.2dd6c9a5@computer>
From: Mohit Sahni <mohit06jan@gmail.com>
Date: Thu, 21 Oct 2021 07:40:44 -0700
Message-ID: <CAEpwuw2wwPu5rU-i0YcHFJyHhKsbx0S0DEoXn0JAk_W8Sti8gQ@mail.gmail.com>
To: Hanno Böck <hanno@hboeck.de>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d7c9b805cedde13e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oI2Eggmgf8aoqzioFIVAxjfN8EQ>
Subject: Re: [TLS] DTLS RRC and heartbeat
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Oct 2021 14:41:03 -0000
Just want to highlight one more issue with using the original extension, many network security devices have threat signatures to identify the heartbeat extension in packet streams and they will block the sessions that match the signatures. On Thu, Oct 21, 2021 at 7:31 AM Hanno Böck <hanno@hboeck.de> wrote: > On Thu, 21 Oct 2021 10:35:54 +0100 > Thomas Fossati <tho.ietf@gmail.com> wrote: > > > One problem is - as Hannes put it - that heartbeat has a "somewhat > > tricky history", making its marketing a slightly intricate operation, > > and the code reuse story a bit more complicated than desired (see for > > example [3]). > > I think there were a few things that went spectacularly wrong with the > original heartbeat extension. Some of them are implementation issues > (like merging code without proper review and testing), but others are in > the spec itself. > > I think this boils down to two things that added unnecessary > complexity, which is always bad in security: > 1. The use cases were all UDP, but the extension was defined for both > UDP and TCP for no good reason. > 2. The extension contained a completely unnecessary length-encoded > message that was sent forth and back. That's a very risky > construction in terms of memory safety. > > I feel this may be enough justification to define a hearbeat-simplified > spec that doesn't have these problems. > If you decide to go with the old heartbeat extension then I'd still > wish you at least adress 1. I think many people have just compiled > openssl without heartbeat, which is a good thing as long as it's not > used anyway. If it gets used in DTLS then at least make sure that > doesn't mean it also has to be enabled in TCP-based normal TLS at the > same time. > > -- > Hanno Böck > https://hboeck.de/ > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] DTLS RRC and heartbeat Thomas Fossati
- Re: [TLS] DTLS RRC and heartbeat Hanno Böck
- Re: [TLS] DTLS RRC and heartbeat Mohit Sahni
- Re: [TLS] DTLS RRC and heartbeat Achim Kraus
- Re: [TLS] DTLS RRC and heartbeat Achim Kraus
- Re: [TLS] DTLS RRC and heartbeat Salz, Rich
- Re: [TLS] DTLS RRC and heartbeat Salz, Rich
- Re: [TLS] DTLS RRC and heartbeat Thomas Fossati
- Re: [TLS] DTLS RRC and heartbeat Salz, Rich