Re: [TLS] implementation of cookies in DTLS

Nikos Mavrogiannopoulos <nmav@gnutls.org> Sun, 13 March 2011 17:54 UTC

On 03/13/2011 06:44 PM, Nikos Mavrogiannopoulos wrote:
> Hello, I've been reading the section "Denial of Service
> Countermeasures" of DTLS and as I understand it the proposed
> subsystem (client-hello and client-hello-verify-request) is expected
> to operate before allocating state for the session to discard
> requests from clients with forged addresses.

Moreover I think that the requirement that the version field
in the Client Hello Verify request message matches the version field
in the Server Hello is pretty awkward.  The Client Hello Verify request
is being sent by the server without allocating any state. It's
quite difficult to mandate that it makes the same decision as if
state was allocated. Requiring the version of DTLS 1.0 would
be more sensible there...

regards,
Nikos
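The stateless cookie exchange discussed in this thread, as an added illustration that is not part of the original message or of any DTLS implementation: the server keeps only a secret, derives the cookie as an HMAC over the client's source address and ClientHello parameters, and allocates session state only once a ClientHello echoes a cookie that validates. The HMAC-SHA256 construction, the address strings and the field layout of the HelloVerifyRequest body are assumptions; the fixed version {254, 255} is the DTLS 1.0 value the author argues for.

```python
import hmac
import hashlib
import os

# Hypothetical server-wide cookie secret; only this is held across ClientHellos.
SECRET = os.urandom(32)
DTLS_1_0 = bytes([254, 255])  # ProtocolVersion carried in HelloVerifyRequest


def make_cookie(secret: bytes, client_addr: str, client_hello_params: bytes) -> bytes:
    """Stateless cookie = HMAC(secret, client address || ClientHello parameters).
    No per-client state is stored: the same inputs reproduce the same cookie."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    mac.update(client_addr.encode())
    mac.update(client_hello_params)
    return mac.digest()


def build_hello_verify_request(cookie: bytes) -> bytes:
    """Assumed wire layout: server_version (2 bytes) || cookie length (1) || cookie.
    The version is fixed, so the server need not guess what it would negotiate."""
    return DTLS_1_0 + bytes([len(cookie)]) + cookie


def handle_client_hello(secret: bytes, client_addr: str, params: bytes, cookie: bytes):
    """Return ('verify', hvr) when a HelloVerifyRequest must go back to the claimed
    address, or ('accept', None) when the cookie validates and state may be allocated."""
    expected = make_cookie(secret, client_addr, params)
    if cookie and hmac.compare_digest(cookie, expected):
        return "accept", None
    return "verify", build_hello_verify_request(expected)


def run_exchange(secret: bytes, real_addr: str, spoofed_addr: str, params: bytes):
    """Constructed exchange: a real client completes both rounds; a sender using a
    forged source address never receives its HelloVerifyRequest, so any cookie it
    presents was computed for a different address and fails verification."""
    step1, hvr = handle_client_hello(secret, real_addr, params, b"")      # round 1
    cookie = hvr[3:]                                                        # client echoes
    step2, _ = handle_client_hello(secret, real_addr, params, cookie)      # round 2
    step3, _ = handle_client_hello(secret, spoofed_addr, params, cookie)   # forged source
    return step1, step2, step3


if __name__ == "__main__":
    print(run_exchange(SECRET, "192.0.2.10:4433", "203.0.113.7:4433", b"\xfe\xff"))
```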