IETF Logo Mail Archive

Re: [TLS] DTLS record layer processing

Michael Tüxen <Michael.Tuexen@lurchi.franken.de> Tue, 30 June 2009 18:34 UTC

Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9904628C212 for <tls@core3.amsl.com>; Tue, 30 Jun 2009 11:34:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.131
X-Spam-Level:
X-Spam-Status: No, score=-0.131 tagged_above=-999 required=5 tests=[AWL=-2.169, BAYES_00=-2.599, HOST_EQ_DIP_TDIAL=2.144, HOST_MISMATCH_NET=0.311, MIME_8BIT_HEADER=0.3, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PUI6rA1EKwRV for <tls@core3.amsl.com>; Tue, 30 Jun 2009 11:34:11 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by core3.amsl.com (Postfix) with ESMTP id 81B1E3A67FF for <tls@ietf.org>; Tue, 30 Jun 2009 11:33:41 -0700 (PDT)
Received: from [192.168.1.100] (p508FD1FD.dip.t-dialin.net [80.143.209.253]) by mail-n.franken.de (Postfix) with ESMTP id AEF611C0B4619; Tue, 30 Jun 2009 20:33:58 +0200 (CEST)
Message-Id: <E7927ECD-3437-4A08-9CF6-62DF74030B95@lurchi.franken.de>
From: Michael Tüxen <Michael.Tuexen@lurchi.franken.de>
To: Eric Rescorla <ekr@networkresonance.com>
In-Reply-To: <20090630162443.D51561C5ED3@kilo.networkresonance.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Tue, 30 Jun 2009 20:33:57 +0200
References: <C80DFD9E-9192-46CF-A1F0-C890DF53B2FF@lurchi.franken.de> <20090630162443.D51561C5ED3@kilo.networkresonance.com>
X-Mailer: Apple Mail (2.935.3)
Cc: tls@ietf.org
Subject: Re: [TLS] DTLS record layer processing
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2009 18:34:30 -0000

On Jun 30, 2009, at 6:24 PM, Eric Rescorla wrote:

> At Mon, 29 Jun 2009 16:49:44 +0200,
> Michael Tüxen wrote:
>>
>> Dear all,
>>
>> when DTLS receives a packet is has to do input validation on
>> the version number and the length given in the record header
>> and the actual length of the UDP packet.
>>
>> When should this be done and what should be the action taken
>> when the checks fail?
>
> It should discard the datagram.
Silently, I assume. Should this be specified somewhere?

http://www.ietf.org/rfc/rfc5246.txt says:

    record_overflow
       A TLSCiphertext record was received that had a length more than
       2^14+2048 bytes, or a record decrypted to a TLSCompressed record
       with more than 2^14+1024 bytes.  This message is always fatal and
       should never be observed in communication between proper
       implementations (except when messages were corrupted in the
       network).

Maybe people use this TLS based procedure also for DTLS (like  
OpenSSL)...
>
>
>> There is an implementation out, which considers a version
>> mismatch or a length given in the record layer which is
>> larger than allowed by the protocol a fatal error.
>> This might be OK for TLS, but I think is inacceptable for
>> DTLS. An attacker only needs to guess the UDP port numbers
>> and IP addresses and can craft a UDP packet with an illegal
>> record length field and the DTLS connection is gone.
>
> I agree, that that's not how implementations should behave.
>
>
>> Also
>> http://www.ietf.org/internet-drafts/draft-ietf-tls-rfc4347-bis-02.txt
>> states
>>
>>    In general, DTLS implementations SHOULD silently discard data with
>>    bad MACs.  If a DTLS implementation chooses to generate an alert
>> when
>>    it receives a message with an invalid MAC, it MUST generate a
>>    bad_record_mac alert with level fatal and terminate its connection
>>    state.
>>
>> If I understand things correctly, this means that as an attacker
>> I need only to send a UDP packet with a wrong MAC to perform
>> a DOS attack.
>>
>> Am I wrong? Any suggestions?
>
> I don't read the text that way. Rather, I think it says:
>
> If you receive a packet with a bad MAC, you must either:
>
> (a) Silently discard    [Preferred]
> (b) Generate a bad_record_mac alert and terminate the connection.
I agree, but my point is:
If an implementation chooses (b), you can just send a malicious
packet and the connection is gone. Or am I missing something?
>
> What you must not do is generate any other alert and continue
> the connection.
Understood.
>
> This was designed to avoid attacks where the attacker repeatedly
> probed the victim implementation to see which error it generated.
Understood, but I think (b) is bad in any case for DTLS. So why
not get rid of it and just require that implementation MUST
use (a), or at least SHOULD. At least for DTLS/UDP.

For DTLS/SCTP it is OK to send an alert since an attacker can
not insert packets because they are protected also with SCTP-AUTH.
>
> -Ekr
>

v2.23.0 | Report a Bug | By Email