Re: [TLS] DTLS RRC and heartbeat
Achim Kraus <achimkraus@gmx.net> Thu, 21 October 2021 14:58 UTC
Return-Path: <achimkraus@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 032533A1771 for <tls@ietfa.amsl.com>; Thu, 21 Oct 2021 07:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Npwby0eEehhC for <tls@ietfa.amsl.com>; Thu, 21 Oct 2021 07:58:16 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E009E3A176D for <tls@ietf.org>; Thu, 21 Oct 2021 07:58:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1634828291; bh=P6S+3uOHfHFk+ftXJiy+2pNUuHjolhb6MDbHU1DcMoo=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=EmEecFg9GwK1mXkKvqpwKS3JMGNrX2ItETE/H/VnmLwsHkXZmqPlajz6o6IZ001C4 GmwJ8s5nTx16bTUOdBHDB0H1LIpIZhZA+nW9QECu/QTiK6A/sHxy78x0RqS7TNH/ru 4grGuAf+J/ag4DmlQ7oo0e05AkFVnGA2XqQvUIJs=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.10] ([5.146.193.130]) by mail.gmx.net (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1M4axq-1mfEDE440M-001gJn; Thu, 21 Oct 2021 16:58:11 +0200
To: Hanno Böck <hanno@hboeck.de>, tls@ietf.org
References: <CAObGJnObgKwJE6dHUE_bPOHAzYNgaSDguXCz6gZ1Ld9bVKfecg@mail.gmail.com> <20211021163027.2dd6c9a5@computer>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <37bc833e-0a52-a275-7443-f11c60dae98f@gmx.net>
Date: Thu, 21 Oct 2021 16:58:09 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <20211021163027.2dd6c9a5@computer>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: de-AT-frami
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:rvXGpEbFItzkMiEvdTEoL6qfPEkQQQMZ3ByBTRg1YZ179mnclZV yGaDGi/o3YbOFesihmX+Cuf40tSo4zFGaqwnrLD6PZDuYyNFP5dfS5Q65sI0WmjnDF0o66L 6Azc4Vn8dG5c6QUsU0vEmSekLx1y3T/AXequs23aPnNS/jz171vJxlu90eguWg2UtYR3qvN cloSkww6xL8zc3y4k7Dqw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:aCZWxPrzEkk=:V5Udm7JQ4cM+lt5m61LNn5 wNMCZh+i/alfVeqPLQmoBm1Sf3K1UcG/wCt8n+nbDcR9odEtGlIkXxvHwm/4g+CVxMI4rOZcV gGhHbNW/q6QnXNwqQHoiUYUcA3BC/qxegTVi2ISxmz0SIjSoOWN6w9fE2HNRPU9OjGWXRNCvK xR+oCnM3BiE/Qcw3v50O1rhD+mmzsg3xPtQvwOjXTaBOHKq+Nvoeu6o0tR3AMFOUbZ/nVSQDH 8Juzig+p2dwibRGFe74Xor61Mv1BR9pv3LxN54Bpx25ZOM4Rfxj+ceo5AFSbysKJc1sthIM+0 a3vu/9eTGPN6t3TOmFsAS6+qZ1iEufaedukbVIDNIZAK23vvoEFq+q31KCARkEeMqXEk3vACV KuO3Prmo9/01UcNcLWwvtgvnYdHddWlWv/BsnGuhxGE5OHjwiK30OZU6oK+mng6UDFwRLQkaR tn5NVXKYlqhcoggaEzHO7+BjHl48PmXox2/rPrNlSdADmlYZZZqVoJM73fyA1SZIxEVvzRuiE 4VRxAUs37B1XjJuBP+f6z6RR6BOujHfEL+lJ+9U3BpOQTsgAEWpQ8yT8/W2XNcPRfzLOSDzKn XJANvEAych14nRerh3h/GnnAG5qDz9PcaNNZYsNXhXTNwPnE6ZJm+YMuYAzG/3J0bkK37gjR9 djFelc+3/VGki/bwXWH1XPCVurMsD2AxYQ5u5ZCiQ8wimT1Rsx2gInFPQGijjpZs5vvOiH4+i aOy/KclAwywjp0XdEylpgr/tJjKt+AUnIRMREv9mGQkoQdihJYLGezPZBrg35ZHSTni5FWF9C 7zHHKFWR3nUbEdssY2ndQLhFqYp4kZPbWrQYqRs8QDYSUOe06MMh3ehDDu7tptoaH2GV3mlMb 7VU5dju8JdKc4Rb0XW2MRDtxyVhDARX/mVDnlWTmUSg5qOcwaWhRXYnTywR9vwX/V16mAFjqf ADb0hKFxWNTgJn2fwO3oYbSgutfe+HXySSwP/JDK73yNo0eJNZGXbhnva3/kBd3AwydgAt4AA A8igMYVpQd6JfSbVKlkGzcgpHVP193mg8lpi4nLf0KPFPJGvY0JaICBYPCCgtlSrrETlb41+2 xWwirp8DdfVrIU=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/w50yi6ia7P-hseIHQ85LPr-zpro>
Subject: Re: [TLS] DTLS RRC and heartbeat
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Oct 2021 14:58:22 -0000
Hi Hanno, thanks for your feedback. > I feel this may be enough justification to define a hearbeat-simplified > spec that doesn't have these problems. The point with that would be, that it requires a new code-point for the content-type https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5 And we are not sure, if considering mainly implementation issues, will justify to allocate a new code-point. best regards Achim Kraus Am 21.10.21 um 16:30 schrieb Hanno Böck: > On Thu, 21 Oct 2021 10:35:54 +0100 > Thomas Fossati <tho.ietf@gmail.com> wrote: > >> One problem is - as Hannes put it - that heartbeat has a "somewhat >> tricky history", making its marketing a slightly intricate operation, >> and the code reuse story a bit more complicated than desired (see for >> example [3]). > > I think there were a few things that went spectacularly wrong with the > original heartbeat extension. Some of them are implementation issues > (like merging code without proper review and testing), but others are in > the spec itself. > > I think this boils down to two things that added unnecessary > complexity, which is always bad in security: > 1. The use cases were all UDP, but the extension was defined for both > UDP and TCP for no good reason. > 2. The extension contained a completely unnecessary length-encoded > message that was sent forth and back. That's a very risky > construction in terms of memory safety. > > I feel this may be enough justification to define a hearbeat-simplified > spec that doesn't have these problems. > If you decide to go with the old heartbeat extension then I'd still > wish you at least adress 1. I think many people have just compiled > openssl without heartbeat, which is a good thing as long as it's not > used anyway. If it gets used in DTLS then at least make sure that > doesn't mean it also has to be enabled in TCP-based normal TLS at the > same time. >
- [TLS] DTLS RRC and heartbeat Thomas Fossati
- Re: [TLS] DTLS RRC and heartbeat Hanno Böck
- Re: [TLS] DTLS RRC and heartbeat Mohit Sahni
- Re: [TLS] DTLS RRC and heartbeat Achim Kraus
- Re: [TLS] DTLS RRC and heartbeat Achim Kraus
- Re: [TLS] DTLS RRC and heartbeat Salz, Rich
- Re: [TLS] DTLS RRC and heartbeat Salz, Rich
- Re: [TLS] DTLS RRC and heartbeat Thomas Fossati
- Re: [TLS] DTLS RRC and heartbeat Salz, Rich