IETF Logo Mail Archive

Re: [TLS] 2nd WG Last Call for draft-ietf-tls-dtls-rrc

Thomas Fossati <thomas.fossati@linaro.org> Tue, 03 October 2023 14:50 UTC

Return-Path: <thomas.fossati@linaro.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 888EAC1516E2 for <tls@ietfa.amsl.com>; Tue, 3 Oct 2023 07:50:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4BK8zKTtXCjh for <tls@ietfa.amsl.com>; Tue, 3 Oct 2023 07:50:07 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2991C15EB2E for <tls@ietf.org>; Tue, 3 Oct 2023 07:50:07 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id 38308e7fff4ca-2c16757987fso12066761fa.3 for <tls@ietf.org>; Tue, 03 Oct 2023 07:50:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1696344606; x=1696949406; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=p+Sj6dub4QkWkpKhsjgcKsABea/oW38KpzMkJULFyVM=; b=oEPvgepwWR/sjezoB3eGAzmJK7kRDna6KtSITWGaMpLcC4qEXNrRwWMgbwpwHff81p cYgqPNhuj5VnOkNMtyX7WlYe9yFgVT3urTPcH7n/6bg3rLpOVOUlG9ll5mmZp5SKITRl DOs6UJmD+wFCZf9HMxSK2BG5MwNRqys+qH65mlWFYp2odSmQ155+Gh7ESP6Wkz3V5zQt AWL+mRhpruFRuXEshOa1g2Iu/ZvLFd/KgkUfs/1zhngeIXLoeAptWVnvc99S5a92/gi3 MFkFTjymh6qwTTkrR9H3zt5vQrdlfAUD4RlIWzgdsM5ZfzCLJlzrUEUTYKnp9h/hCXGb gxfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696344606; x=1696949406; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=p+Sj6dub4QkWkpKhsjgcKsABea/oW38KpzMkJULFyVM=; b=ZQHAnyUcZ1orcMOkC7XoOz03DtO+X7t/a62w97vHg7CyL2zFsi64Pft5RCInt7DlWp NopWqbsD55zBLU9XyfgIv0pFW9djitECcCYaOBonmimrXUTXaoQTHfjKK2HMZkrRxvMN 589/Na6QoSn/wzojiXx2U60SKjIFgN1jYFP0kp0k3t1JbHAaJ+JiS0fsX0BhtnzSNG5F Ek+hZmneErCfN2t2HJvs4/z9XXJVs9qs8Hs6BJPljcmd2IxvN2nEcgeWqaDqFb960QA3 4fdC2cgsTnWJcqGdFVNw0Dw9Y5niL+Gc4sRPCN/Jc9iqb4uBdkc/lVYEbYSB4cFvmdrx hWeA==
X-Gm-Message-State: AOJu0YwzMf24nowpMiEQ2jm511HovuWhjAzCeiZNwAdcnDBMNe8MqE/+ X2hyOxz795NfmEh2lsaH3Dl82qxiHGI3cxbQd5EWJ33xnNYRpwwg2UJr6g==
X-Google-Smtp-Source: AGHT+IGZIzHFNBtqFHEnFFO5gppRayyHMeVPPV6X8G+KC20wURGOwcpjQ3dGWlfI4QVPfo0+htuWoH1grIW/NkdPwbU=
X-Received: by 2002:a2e:7314:0:b0:2bd:1cd0:6041 with SMTP id o20-20020a2e7314000000b002bd1cd06041mr10877210ljc.0.1696344605563; Tue, 03 Oct 2023 07:50:05 -0700 (PDT)
MIME-Version: 1.0
References: <50990212-57EB-4228-A259-BB8FEA6AC364@sn3rd.com> <e72afcd5-d3bf-2d85-7cee-5f42684b9981@ri.se>
In-Reply-To: <e72afcd5-d3bf-2d85-7cee-5f42684b9981@ri.se>
From: Thomas Fossati <thomas.fossati@linaro.org>
Date: Tue, 03 Oct 2023 16:49:49 +0200
Message-ID: <CA+1=6yfCU5S1RvgXzh-HUxLnbv2g7muz3YXo8=Gqrk7o_hRWZg@mail.gmail.com>
To: Marco Tiloca <marco.tiloca=40ri.se@dmarc.ietf.org>
Cc: Sean Turner <sean@sn3rd.com>, TLS List <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u7VNFrtZwYAgjzLNLAy-rYEegYY>
Subject: Re: [TLS] 2nd WG Last Call for draft-ietf-tls-dtls-rrc
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Oct 2023 14:50:11 -0000

Hi Marco,

Thanks very much for the thorough review.  Really appreciate it.

Your comments are tracked at https://github.com/tlswg/dtls-rrc/issues/62

Cheers, thank you!

On Tue, 3 Oct 2023 at 15:50, Marco Tiloca
<marco.tiloca=40ri.se@dmarc.ietf.org> wrote:
>
> Hi all,
>
> Thanks for this document! I think it's good and well written.
>
> Please see below some minor comments.
>
> Best,
> /Marco
>
> ====================
>
> [Section 1]
>
> * "selecting a security context of an incoming DTLS record"
>
>    I think you mean "selecting a security context for processing an incoming DTLS record"
>
> * I think that the text would read better if you swap the two following blocks of text:
>
>    "A CID is an identifier carried in ... for DTLS 1.3."
>
>    and
>
>    "Without CID, if the ... and negotiated"
>
>    hence introducing the concept of CID before using it.
>
> * "Section 6 of [RFC9146] describes how ..."
>
>    Aren’t such considerations applicable also to DTLS 1.3? If so, it’s worth mentioning.
>
> * "This is done in order to provide more confidence to the receiving peer that the sending peer is reachable at the indicated address and port."
>
>    I guess you mean: "the latest indicated address and port"
>
> * "that a peer is still in possession of its address"
>
>    Similar to the previous comment, this can be: "is still reachable to its last known address"
>
> * "if RRC has been successfully negotiated"
>
>    It should be: "if the use of RRC has been successfully negotiated", also consistent with the beginning of Section 3.
>
> * That last paragraph uses both "peer" and "endpoint", apparently interchangeably. Is there any reason to not use only one of the two words? Earlier in the section, only "peer" is used.
>
>    Later in the document, "endpoint" is also used. Maybe add a note in Section 2 about the equivalence of the two terms?
>
>
> [Section 4]
>
> * "Implementations MUST be able to parse and ignore messages with an unknown msg_type."
>
>    Right, at the same time the intention should be that, if a peer uses RRC, then it MUST support all the three message types defined in this document. It's worth stating it explicitly.
>
>
> [Section 5]
>
> * "that has the source address of the enclosing UDP datagram different from the one currently associated"
>
>    Couldn't (also) the source port number have changed? If so, I think you mean: "that has the source address and/or source port number of the enclosing UDP datagram different from what is currently associated"
>
> * "the receiver SHOULD perform a return routability check as described in Section 7, unless an application layer specific address validation mechanism can be triggered instead."
>
>    As an example of alternative mechanism that can be triggered, it's worth mentioning RFC 9175, which describes the exchange of a CoAP response and a follow-up CoAP request, both including a CoAP Echo option with value set by the server sending the response.
>
>    Besides allowing the server to assert the freshness of the follow-up request, this exchange provides validation of the claimed address of the client sending the request.
>
>
> [Section 6.1]
>
> * "(e.g., a CoAP server returning an MTU's worth of data from a 20-bytes GET request)
>
>    It's worth referring to RFC 7252 and to https://datatracker.ietf.org/doc/draft-irtf-t2trg-amplification-attacks/
>
>
> [Section 6.2]
>
> * In figure 5, the arrow for message 2 (path-drop) should not be bidirectional, but rather only from the sender to the receiver.
>
>
> [Sections 7.1 and 7.2]
>
> * s/The receiver creates/The receiver, i.e., the initiator creates
>
> * s/The peer endpoint/The other peer, i.e., the responder,
>
>
> [Section 7.4]
>
> * I think that another requirement should be that the initiator MUST NOT act on more than one valid path_response or path_drop message for each path_challenge message that it has sent.
>
>
> [Section 10]
>
> * You will need to add a new subsection that provides expert review instructions, for the Designated Experts assigned to the new subregistry defined in Section 10.3.
>
>
> [Nits]
>
> Section 1
> - s/i.e./i.e.,
> - s/a variety reasons/a variety of reasons
>
> Section 4
> - s/path_response and/path_response, and
> -s/a 8-byte/an 8-byte
>
> Section 6
> - s/Note that in general,/Note that, in general,
> - s/verification due to/verification, due to
> - s/Figure 2: Attackers capabilities/Figure 2: Attacker's capabilities
>
> Section 6.1
> - s/injecting and racing it/injecting, and racing it
>
> Section 7
> - s/concerns, the need/concerns, and the need
>
> Section 7.2
> - s/i.e./i.e.,
>
> Section 8
> - s/In the example/In the example of
> - s/as well as the RRC/as well as for the use of the RRC
> - s/been established the/been established, the
> - s/interaction the IP/interaction, the IP
>
>
> On 2023-09-18 23:03, Sean Turner wrote:
>
> This email starts the 2nd working group last call for "Return Routability Check for DTLS 1.2 and DTLS 1.3” I-D, located here:
>
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-tls-dtls-rrc%2F&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0debb4c78dbe430d7e1c08dbb88ad9d4%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638306678725310227%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SvzuTSLXUepdgCRou2%2FSpKIEEseKkgeW2FtxK2USDmU%3D&reserved=0
>
> The WG Last Call will end 3 October 2023 @ 2359 UTC.
>
> Please review the I-D and submit issues and pull requests via the GitHub repository that can be found at:
>
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftlswg%2Fdtls-rrc&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0debb4c78dbe430d7e1c08dbb88ad9d4%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638306678725310227%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3oMiSlJbKPepw82mGmzWcCzevuMJcjmOotSu4c6k92c%3D&reserved=0
>
> Alternatively, you can also send your comments to tls@ietf.org.
>
> Thanks,
> Chris, Joe, & Sean
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0debb4c78dbe430d7e1c08dbb88ad9d4%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638306678725310227%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OIpfBDR8I10rXFa6xzI3X%2FhqfTw10S1EDQGs%2BzuCJeY%3D&reserved=0
>
>
> --
> Marco Tiloca
> Ph.D., Senior Researcher
>
> Phone: +46 (0)70 60 46 501
>
> RISE Research Institutes of Sweden AB
> Box 1263
> 164 29 Kista (Sweden)
>
> Division: Digital Systems
> Department: Computer Science
> Unit: Cybersecurity
>
> https://www.ri.se
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email