Re: [TLS] DTLS 1.3 ACKs
Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 01 July 2017 21:00 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBBD9129AE8 for <tls@ietfa.amsl.com>; Sat, 1 Jul 2017 14:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Juod0RMdNYD9 for <tls@ietfa.amsl.com>; Sat, 1 Jul 2017 14:00:10 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 4C432124D6C for <tls@ietf.org>; Sat, 1 Jul 2017 14:00:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id EF24465537; Sun, 2 Jul 2017 00:00:07 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id Mz2DTJgOYhJB; Sun, 2 Jul 2017 00:00:03 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id EDCD72313; Sun, 2 Jul 2017 00:00:00 +0300 (EEST)
Date: Sun, 02 Jul 2017 00:00:00 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170701210000.ppewrje6jcpy5w2b@LK-Perkele-VII>
References: <CABcZeBMpDLdrqaa7qEKyFFT8c-Qcodc01zDNqYcxmPp0qvi+pQ@mail.gmail.com> <20170624164749.bidmu2btsb6xsdjb@LK-Perkele-VII> <CABcZeBNkNUkgm9mrptgKO_+pkk2i9usYdGbmsFH762PhcVtFRw@mail.gmail.com> <20170701170103.htwyfrheq52pmm6l@LK-Perkele-VII> <CABcZeBMA3dUGKrk_V9EfYH1OtoD_JP+gTr8vf2+yq5Yaa-96vg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBMA3dUGKrk_V9EfYH1OtoD_JP+gTr8vf2+yq5Yaa-96vg@mail.gmail.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xNmw8WPSg9xCd0Ybtdtlcx6k_Pc>
Subject: Re: [TLS] DTLS 1.3 ACKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Jul 2017 21:00:13 -0000
On Sat, Jul 01, 2017 at 10:26:17AM -0700, Eric Rescorla wrote: > On Sat, Jul 1, 2017 at 10:01 AM, Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > On Sat, Jun 24, 2017 at 12:05:44PM -0700, Eric Rescorla wrote: > > > On Sat, Jun 24, 2017 at 9:47 AM, Ilari Liusvaara < > > ilariliusvaara@welho.com> > > > wrote: > > > > IMO, since handshake only occurs once per connection and DTLS needs to > > be implemented on all kinds of constrained devices (on both client and > > server sides), simplicity is more important than performance. Also, > > packet loss estimates do not seem useful: There are far too few packets > > to get useful statistics. > > > > I think we definitely want to allow acknowledgements of subcomponents of > messages, because otherwise you have to retransmit the entire message, > which is painful in the case of the obese messages. This seems to leave > one with the option of acknowledging either fragments (which we then > need to invent labels for) or records (which already have labels > but need a map of RSN to fragment). My feeling is that on balance the > latter is a better choice, but I'll have a better sense once we've > implemented.... Just noticed that DTLS allows packing multiple independent fragments into one record (and then multiple records into one packet). Which impiles that an implementation that only prcesses one message at a time is not guaranteed to even be able to generate a valid list of RSNs to ACK, in case the peer sends sufficiently twisted (but still seemingly in-spec) input. What's the alert code for dropping in-spec connection detected as attack traffic? :-) -Ilari
- [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara
- Re: [TLS] DTLS 1.3 ACKs Eric Rescorla
- Re: [TLS] DTLS 1.3 ACKs Ilari Liusvaara