Re: [tsvwg] DTLS 1.3 over SCTP
Michael Tuexen <michael.tuexen@lurchi.franken.de> Sun, 16 July 2023 17:51 UTC
Return-Path: <michael.tuexen@lurchi.franken.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5322AC151AEF for <tsvwg@ietfa.amsl.com>; Sun, 16 Jul 2023 10:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.895
X-Spam-Level:
X-Spam-Status: No, score=-6.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lSdnpMo_frQc for <tsvwg@ietfa.amsl.com>; Sun, 16 Jul 2023 10:51:54 -0700 (PDT)
Received: from drew.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B498C1519B2 for <tsvwg@ietf.org>; Sun, 16 Jul 2023 10:51:53 -0700 (PDT)
Received: from smtpclient.apple (unknown [IPv6:2a02:8109:1140:c3d:b088:3a87:69f3:571b]) (Authenticated sender: lurchi) by mail-n.franken.de (Postfix) with ESMTPSA id 200DF71D8A746; Sun, 16 Jul 2023 19:51:48 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
In-Reply-To: <DU0PR07MB8970107616BF8A5E9D05AF939534A@DU0PR07MB8970.eurprd07.prod.outlook.com>
Date: Sun, 16 Jul 2023 19:51:47 +0200
Cc: tsvwg IETF list <tsvwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <25FD6896-90BA-4298-A5BE-DDD869A71C37@lurchi.franken.de>
References: <0C990143-D450-4288-9390-E06D3469FF1D@lurchi.franken.de> <DU0PR07MB8970107616BF8A5E9D05AF939534A@DU0PR07MB8970.eurprd07.prod.outlook.com>
To: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/2OctZvvsmusi8Nsh18Yo1KJCC60>
Subject: Re: [tsvwg] DTLS 1.3 over SCTP
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Jul 2023 17:51:56 -0000
> On 14. Jul 2023, at 14:12, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> wrote: > > Hi Michael, > A question I don’t understand on what basis you managed to extend the TLS record size from from 2^14 to 2^16 bytes? > When I read RFC 8449 it does not change the TLS underlying protocol limit which is 2^14 and depending on version what you need to account for in that limit. > What I can see the following text from RFC 8449 applies: > An endpoint that supports all record sizes can include any limit up > to the protocol-defined limit for maximum record size. For TLS 1.2 > and earlier, that limit is 2^14 octets. TLS 1.3 uses a limit of > 2^14+1 octets. Higher values are currently reserved for future > versions of the protocol that may allow larger records; an endpoint > MUST NOT send a value higher than the protocol-defined maximum record > size unless explicitly allowed by such a future version or extension. Hi Magnus, the idea is to make use of "unless explicitly allowed by such a future version or extension". The extension would be a flags extension that indicates that the value is raised. See https://www.ietf.org/archive/id/draft-ietf-tls-tlsflags-11.html > Are you attempting to define a (D)TLS extension here in TSVWG that changes the TLS record size to 2^16? I would think that would require some security analysis to determine that the usage of larger record doesn’t weaken the security due to the larger record sizes. I would think such changes should go through TLS WG and then be used by TSVWG. I'm open to that. We can do it from within the 6083-bis document in TSVWG or in the TLS WG in a separate document. I contacted Eric Rescorla, Martin Thomson, Hannes Tschofenig and a couple of other people. They agreed that bumping that limit should be possible. Actually, I could not figure out, why the limit of 2^14 exists at all. > Otherwise, I think it is good that RFC 6083 are being fixed for its security issues unless completely replaces by a more capable solution. However, this draft it does not address all the requirements to our understanding that 3GPP has on a DTLS based security solution. The short-commings are the following: > > • Do not support sufficiently large protected message sizes. As discussed in this thread the theoretical maximum message sizes for some of 3GPP application protocols are above 144 kb and even as large as 500 kb. > • Periodic re-authentication of the peer > • Forward secrecy rekeying, like re-running differ-hellman exchange, which is not done by the DTLS 1.3 keyupdate mechanism. Any idea how that last two goals are achieved by using TLS 1.3 or DTLS 1.3? Or were these features just dropped when getting rid of re-negotiation? > Thus, I don’t see this draft as any replacement for the DTLS over SCTP work that 3GPP has requested. But it can ensure that we don’t have in non-deprecated that have known security issues. Cheers I have a hard time to parse the last sentence. However, the goal of draft-tuexen-tsvwg-rfc6083-bis is to replace RFC 6083. It might not cover all requirements from 3GPP, but should describe how to use DTLS 1.3 over SCTP, since RFC 6083 only cover DTLS 1.2 and lower. Best regards Michael > Magnus > From: tsvwg <tsvwg-bounces@ietf.org> on behalf of Michael Tuexen <michael.tuexen@lurchi.franken.de> > Date: Thursday, 13 July 2023 at 16:36 > To: tsvwg IETF list <tsvwg@ietf.org> > Subject: [tsvwg] DTLS 1.3 over SCTP > Dear all, > > Hannes Tschofenig and myself have submitted an ID for using DTLS 1.3 over SCTP: > https://www.ietf.org/archive/id/draft-tuexen-tsvwg-rfc6083-bis-02.html > > This is an alternative to > https://www.ietf.org/archive/id/draft-ietf-tsvwg-dtls-over-sctp-bis-06.html > > Our document is based on RFC 6083. The major differences are: > * Use DTLS 1.3 instead of DTLS 1.0 > * Use key updates instead of renegotiation. This limits the number of > rekeyings to 2^64, but that should not limit in real world scenarios. > * Bump the maximum user message size to 64KB by using RFC 8449. > > Any comments welcome. > > Best regards > Michael
- [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Claudio Porfiri
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Claudio Porfiri
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Claudio Porfiri
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Claudio Porfiri
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Magnus Westerlund
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Magnus Westerlund
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Magnus Westerlund
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Magnus Westerlund
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Magnus Westerlund
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen
- Re: [tsvwg] DTLS 1.3 over SCTP Magnus Westerlund
- Re: [tsvwg] DTLS 1.3 over SCTP Michael Tuexen