Re: [TLS] Connection ID Draft
yinxinxing <yinxinxing@huawei.com> Fri, 03 November 2017 01:12 UTC
Return-Path: <yinxinxing@huawei.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1335813FAF1 for <tls@ietfa.amsl.com>; Thu, 2 Nov 2017 18:12:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7srWvAeGNXFy for <tls@ietfa.amsl.com>; Thu, 2 Nov 2017 18:12:40 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00FDB13FAF3 for <tls@ietf.org>; Thu, 2 Nov 2017 18:12:39 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml702-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DRX66209; Fri, 03 Nov 2017 01:12:37 +0000 (GMT)
Received: from DGGEML403-HUB.china.huawei.com (10.3.17.33) by lhreml702-cah.china.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.361.1; Fri, 3 Nov 2017 01:12:37 +0000
Received: from DGGEML511-MBS.china.huawei.com ([169.254.4.204]) by DGGEML403-HUB.china.huawei.com ([fe80::74d9:c659:fbec:21fa%31]) with mapi id 14.03.0361.001; Fri, 3 Nov 2017 09:12:32 +0800
From: yinxinxing <yinxinxing@huawei.com>
To: Matt Caswell <matt@openssl.org>, Martin Thomson <martin.thomson@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Connection ID Draft
Thread-Index: AdNUQFDyStmyp7iqRDGhOkJFQ/YFTQ==
Date: Fri, 03 Nov 2017 01:12:31 +0000
Message-ID: <DBDF9AE44733284D808F0E585E1919022D15451C@dggeml511-mbs.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.184.225.248]
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0204.59FBC286.0067, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.4.204, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: f4e239171d64f650785ae4a1845856df
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u6LFiuNyf8ESdo-JZVsbqzgIBdE>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2017 01:12:42 -0000
I agree with Matt. The port/IP could be reallocated to the peer that sends packets with connection ID. Yin Xinxing -----邮件原件----- 发件人: TLS [mailto:tls-bounces@ietf.org] 代表 Matt Caswell 发送时间: 2017年11月3日 0:32 收件人: tls@ietf.org 主题: Re: [TLS] Connection ID Draft On 17/10/17 22:35, Martin Thomson wrote: > On Tue, Oct 17, 2017 at 9:26 PM, Fossati, Thomas (Nokia - > GB/Cambridge, UK) <thomas.fossati@nokia.com> wrote: >> The following case (NAT box reboot) is problematic: >> >> 1. Application '1' on host A (A.1) uses DTLS+CID with application '1' on >> host B (B.1); >> 2. Application '2' on host A (A.2) uses plain-old DTLS with B.1; 3. >> The NAT box reboots (all previous 5-tuple mappings are lost); 4. B.1 >> receives a record from A.1 (whose 5-tuple has changed in the >> meanwhile); >> >> How is B.1 supposed to correctly interpret the bytes starting at >> offset >> +11? (For what it knows, it could be CID from A.1 or the length >> +field >> from A.2.) > > I don't think that this is a problem. > > connection = five_tuples.lookup(packet.five_tuple) > if (!connection) { > connection = > connection_ids.lookup(packet[connection_id_offset:connection_id_offset > +connection_id_length]) > } Just skimming this old thread...doesn't this fail in the case where the five tuple has been reused? In that case five_tuples.lookup will return an old stale connection which the server thinks is still valid so we never get to lookup the connection id. With an explicit marking we would not fail in this scenario. Matt _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Nikos Mavrogiannopoulos
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Hannes Tschofenig
- Re: [TLS] Connection ID Draft Eric Rescorla
- [TLS] 答复: Connection ID Draft yinxinxing
- [TLS] 答复: Connection ID Draft yinxinxing
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- [TLS] 答复: Connection ID Draft yinxinxing
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- [TLS] 答复: 答复: Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Benjamin Kaduk
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Christian Huitema
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Nikos Mavrogiannopoulos
- Re: [TLS] Connection ID Draft Simon Bernard
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Benjamin Kaduk
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Simon Bernard