Re: [tsvwg] Two comments about removing the 16 kB limitation in draft-ietf-tsvwg-dtls-over-sctp-bis-02
Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 11 January 2022 15:09 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 048673A1434 for <tsvwg@ietfa.amsl.com>; Tue, 11 Jan 2022 07:09:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.676
X-Spam-Level:
X-Spam-Status: No, score=-2.676 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.576, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JTd6ugkF1D45 for <tsvwg@ietfa.amsl.com>; Tue, 11 Jan 2022 07:09:21 -0800 (PST)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40058.outbound.protection.outlook.com [40.107.4.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E63B93A1437 for <tsvwg@ietf.org>; Tue, 11 Jan 2022 07:09:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Jvek/mm+ojrCG9DlJOhUg9b9KfWYmqMyUo6u3V0uFG3BDJsNZQONAW0o2A4LKc7Kgp2JZZUBdDVUzcCxuSsUFUn2D7TNT8D5oIEZZJkI7dfznfopfwfmruQ+jwaDnV3FIeMQD1Z/xwy3T/jCDlCAZWStTBJqrUkIIXBp8rmlueJ/dcA3A+VajhbonFIA4TOZyfzaYI2zIP+3GJLaT0ZkAHwfQiIfsdVsBeGEIoF6O9IYhNhEu791JuXoFRp8bW3z0npVk0VdekghpWUdG7GEOfzlOi0MieJs2gUL0V4xVmsaxWXC0L6Pn+CJer+fZVT8fnn4+dJm3H1Sv3OttE8lyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CIiDPRi3nbjshhExvQQEqKS/eJkBtPCUSRPFIOw8P5Y=; b=cj9vIdnyqG3Lmapy5Q8G0UAFQMzgdxostdQrSihyp98cmmc8+qci8DKaShnTSpkmJcxPfxyf4No+CrLne/v52Fwpnw69htQDiZrL+A4vlEealciRGFcM4nyNu0L8+9gwFGmmw0en8Svvc1IcmbTGQsdyp8dQnnmDPWHUVQAnt+wcPYaaY6C/acfg8qTzJtB3wDVbESAZ+V5FXGOoBYu02rh8cBVW9uxmKGn2N1DMXklDMP7Igk4e+yyUpK+RDgYbndt4yA+19Jx9o1iOgcIDKpwETyKvgVSmcRLqo8BrZentjDq8OOQz1Hm4Ny9wk4QScE44c/g4Plde/xEkXJMsIw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CIiDPRi3nbjshhExvQQEqKS/eJkBtPCUSRPFIOw8P5Y=; b=V+f9J4cgWhv8EaKycmdUrA7C34bls7iUAm6mAvDZda0fcsxZQq3Q3gGjHnTmx4okqRLymTDhsTyjUoKzqH974DAPskd5SaeqYr52i6Z5+8sNr/vlM4ha4KbzU7MBqIO7bqe2QCiGmyXpwewpIdwvI9LnUq7qXGU2PnfvnUUz1ng=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR0701MB2185.eurprd07.prod.outlook.com (2603:10a6:3:2a::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.7; Tue, 11 Jan 2022 15:09:15 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::6087:9d92:e938:9702]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::6087:9d92:e938:9702%5]) with mapi id 15.20.4888.008; Tue, 11 Jan 2022 15:09:15 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "tsvwg@ietf.org" <tsvwg@ietf.org>, "li.yan18@zte.com.cn" <li.yan18@zte.com.cn>
CC: "zhou.xingyue@zte.com.cn" <zhou.xingyue@zte.com.cn>, "li.meng5@zte.com.cn" <li.meng5@zte.com.cn>, "ma.jun3@zte.com.cn" <ma.jun3@zte.com.cn>, "deng.zhiren@zte.com.cn" <deng.zhiren@zte.com.cn>
Thread-Topic: Two comments about removing the 16 kB limitation in draft-ietf-tsvwg-dtls-over-sctp-bis-02
Thread-Index: AQHYBpCYX+W7/QIxIUe5HBbUIMzoFaxd7TyA
Date: Tue, 11 Jan 2022 15:09:15 +0000
Message-ID: <5e87677924d85eb0e593185fdccfef108831a515.camel@ericsson.com>
References: <202201111011108579872@zte.com.cn>
In-Reply-To: <202201111011108579872@zte.com.cn>
Accept-Language: en-US, sv-SE
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1e4896b6-291b-4e2b-5c27-08d9d5145541
x-ms-traffictypediagnostic: HE1PR0701MB2185:EE_
x-microsoft-antispam-prvs: <HE1PR0701MB218500367B252508F7DB901D95519@HE1PR0701MB2185.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: OTKeFu9G9m7ZuRGr9BV5QTBgNAEXA/ZdPwLznUvpwQ1vjRvfeR5QVkYUgqOXrTW3KeTv/KpsYVXcpomL5zS8ZNJOJMHu2aK+2Rcdc8myNqVAw446YeIcRg4D8mtkp3Adud7CmG71OHhbl5jY0EgIg+SsyYu9B9rvVL6uhbjiSDx04kqetbdO25OGxjoMC6gPx4GxR482tukQBhAuP9cltsoQ5Ywdkgl1S3xnYiLtGImHJgaUOJNugfNgufMTno6RMsjhn+fK1oC8ezMRtahlIiqbdokZrihwWRjzqRgh5DY42Cac1D/27JjLOpSecvMbQiHAfWMNM0uuZI6eteOF8SblczwGsx/QP6wEioS8l3ociD4fd4MYtIe+10U8qVtOVLKxWPlJSKyz3pRbnCL1PJcpIivZW+wqR1/OJIVCLUAPQPfDjS1J4L2cRN6LL7TJYnt7QnJRcrthEGvkSpJEywL4uJO5wCwQIPLBot9O0AmhHGiyCHaNO7Z0QCeHse/G1LxB/2MZUtwn2uZ4TUbdRCgivBpH5pGezj8sJYUQX9E2nWq9rrv6Kkp3yUpyT5Dz2dw/KOiEyeeOfkgLcKwrYYZ+HWV9H30d9gp0jDDNurvTCS3PSlMHesV9G4K2L4miE6DyHZNze6QtF11Ux6n3+eXDutqxOOE8PPX8F5pAzDPoENeeljKfyErXUwJLnN2qISPf4aQ8CN4Jyt8PF6FX9LzkRKpES3VuvNkPjK6reBoUYPzasQw/9xTkksODu56dkivRAg0D0BVsIQqN/AT8qY6hc4t3FVue92sgJ/QPzw2VcORewaFA5Cuqma4ipvTei+ONyJk2oogAleyFtiOZuqKUjwSWGCD3owpOzGv8s52fpJBY4hkWQH5EZ+LZB/UUxjDZ6k9K/zRM33zmYl4jUQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(5660300002)(166002)(38070700005)(2906002)(122000001)(44832011)(64756008)(99936003)(82960400001)(66476007)(66556008)(8936002)(4326008)(38100700002)(36756003)(8676002)(66446008)(71200400001)(966005)(66946007)(83380400001)(2616005)(110136005)(54906003)(6486002)(86362001)(316002)(91956017)(26005)(186003)(508600001)(6506007)(6512007)(76116006)(99106002)(20210929001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: U5ScZnnniJFw0NITrXmV0iuOIgSoG/YSg3cA1D/qXmeSLhoClJVJwCR59RzRc/dE8IYHvsdtbOkNPaTYHnbKT0tJ657m2nMGUXZ4Ga53GLP9Q1El6qcTzjVagS2P8aQKEYX61UWNpBvDeu02g1Md1mPMArUqUehIHYUwT7rHIeAkmmFJy68kpNpcVXUpgdLUv8jQEuej3aReL5d6uz5k/u5tViy04kDOGrKf+YvxmHK/k+eHx1tMKqPjXyIJeydBdjbbcBL/iRW126zHj0lzL1yr42Cl3DDlNh5Jf3Mk+fgJUNj2gJXASDp53wqhrCoWk9DLXGI5OoEOTdDbXbnhvE7pLDI58xPf7Rz+2KpYRwOeD6OOP0J8C1vU/JM+6k6MUZI1130Tw7B1gZkT9oQ3sR7+mOFTGqdonbZcdfgPm+7LuxulnMA5FKeacOfxbC5yP7VHm/KWcwv386FfTf14qRQS7yV8N8FmVVBhbY8z6KxWYlYIqrotofhJsx4WhHrSPGSUJsU9kDXI9Wlf6ZvcPM8kNjwNWtTq7H7vA+EhSCyNVP6JfYUOXML6jRy5IJF352KdYkhdYHRlVaLfbEHMrCQCcA0jQfrYtGTUotvKimPQ0ujTWytU6pqpaQuROBD4ZbB8dXBzUvhhNd7L+uhp7tE7LdQ5uFh7o5/wraADyZPtuqOtFZ9CrpMOiK0L7wq73v/Rt1BIS5WWyCoT07pQEQLOzQBm78CI7iF0o1CbnqdzF4+IzGwU0uaZoMRcF3FmuwEzPTutmIT6LKkyMdgXA1CwVcM1kH5gwJ4yxCWKB2HCnDIbLo/wWRL3tiSvgTsBbj/AaetXet08kSzTuRVPGG7KW1xYMv/gRziyS27Pm//JmdIy2tVPMJqp+f8lXyoY1hOKHumPMT9c3OaTPABiN/9om1ulycVkyWvL19q4mHRVWdYEBf0eJ3mAbAWeUVcwzkmbSE4igtcuBznplPok1XbtQ7QgucISrMvQbNvRHJ9mhe7h7tWMqtL//kpGfPugNKB7FAamCeELyGnN4xi5brm4LSHfjmha8EuN58PErf4h89U83UQ+5ClU+eY1TX6oonQBwmJIfyArIXosRUQLrjEXRodymmTpnCsa5MtIxwCbrn7bu+3JuoKibNUyyXveZ0DHtfqbGBikB0+K6lZkw3AWUOJmuGyUHWJs6XRVjUg6HXitgiQ2XYP3EPGFPWKUlVuYyzf5p31eob6AwdeE0844rsTZVqCK9as829/URRcrUiDp7nSGnpYLXdvdlHZWcon5NisYjHHcai2Iem+ey/X+fpH0/OLPOgLl2YazWZSw+T1aMboigih3Ip6eMP919AgYoLF1urCwB4yKEjaJYSPTsJWCp/nM95Yatp8JcRTXGlwDXjF338xmfB+lNbZb5uaOSZeacOtFdyUTSILE9cf1vbVrXI9p7uCnkYnRGcaZ49A5xmRVG3kRVQzPqWI5hiY3iazjywJAJ9z4uWL7SNl8ZhqPKTqgbBQqtdBsUxFyAAtwBLy0ZFeaGkOOKPwffwfmrJXVtiErxE0M4z2ceE3qC6kpuo3c90y09Q5n6mAG/Ua/E8w7zn7/Regx7LbGo/Y0XHxCSmn3/GFHEY2c71WmrpX0uOLlUgFJlf+rIN2R9i11sBxmWHd65/FSPrJCiTtHeIUVr8Ry0NeRqP++K2vljBjOciURfsKYWqJr4A0=
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-VCNYvNnKRWZqB2DraCkd"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1e4896b6-291b-4e2b-5c27-08d9d5145541
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jan 2022 15:09:15.4482 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nA1DeVuy32fP2+InscnJkKfZlg7i5T+aryfA4agbP/zvNPr7rGWHukjzDT+TLMsWOLyjNj/tBDWqJxOfJmE9kHX4qkoElNu59cEcft+M4u4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2185
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/CmYxXwAOwUeM5D8fhRDZsr89OPo>
Subject: Re: [tsvwg] Two comments about removing the 16 kB limitation in draft-ietf-tsvwg-dtls-over-sctp-bis-02
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jan 2022 15:09:26 -0000
Hi Yan, Thanks a lot for the feedback. Please see inline for comments and response. On Tue, 2022-01-11 at 10:11 +0800, li.yan18@zte.com.cn wrote: > Dear tsvwg members, > Happy new year! > > > About the current version of draft-ietf-tsvwg-dtls-over-sctp-bis- > 02, ZTE has two comments as below: > 1. Supplementary Note on Fragment reassembly > It is better to add more description in section 4.1 in the current > draft. > The description about how to reassemble the fragemented user message > in the DTLS layer is not clear enough, and may cause confusion for > readers.It is recommended to add further description about it. > For example: > On the receiving side, after getting the user_message’ from SCTP, > DTLS makes use of the length field in the DTLS record header to > decrypt the content of the first DTLS record to get m0, then m1...... > The length field in DTLS record header is very import for decryption > of each DTLS record.According to the length field, the receiving side > knows the end of decryption of one DTLS record and the start of the > next DTLS record. > Detemining which DTLS record is the last one needs to use the overall > length of the user_message’ from SCTP to minus the lenght of each > DTLS record. > After the last DTLS record is decrypted, the user_message is > reassembled: user_message = m0 | m1 | m2...... I have created a github issue for this: https://github.com/gloinul/draft-westerlund-tsvwg-dtls-over-sctp-bis/issues/82 Yes, I spending a bit more descriptive text on how the receiver can reverse the process would improve clarity. The length field is as you write required and that is why we later have this normative statement to ensure that it is in place: "If DTLS 1.3 is used, the length field in the record layer MUST be included." And thanks for proposing text, that makes it clearer what type of aspects you want included. > > 2. Consideration of backward compatibility > The issue of backward compatibility needs to be considered, for > example,if the server side supports DTLS without user message size > limitation, while the client has message size limitation, packet loss > may occur on the client side. Therefore, a mechanism is needed to > identify whether the peer has the requirement of user message size > limitation. So true backwards compatility is not really possible, what we have is the possibility to do a fallback to RFC 6083 behavior at SCTP association init. I think all the mechanisms for fallback is in place but maybe the text needs to be improved to make it clearer for how it works. So lets walk through how it is intended to function. An SCTP/DTLS client following this specification will in its initial message include a couple of things. It will include SCTP-AUTH necessary chunks including offering SHA-256 (as required by this spec) preferred over SHA-1 (as required by RFC 4895 for common interoperability), it will also include a SCTP adaptation layer indication chunk to negotiate the adapatation layer that is DTLS/SCTP per this specification. If the SCTP server supports this specification it will respond indicating the DTLS/SCTP adaptation layer is supported and SCTP-AUTH will use SHA-256. If the SCTP server is not supporting this and only RFC 6083, it will not understand the SCTP Adapation layer indication parameter or even if it supports the parameter it will not understand the particular value and not reflect it back to the client. Also, depending on support in SCTP-AUTH it will pick the hashing algorithm of either of the offered (SHA-1 or SHA-256). When the client receives the response it will know from the lack of adapation layer but with support for SCTP-AUTH that it is likely speaking with an RFC 6083 capable server. Based on applicaiton and security policy the client can determine if that is acceptable or not. And if not it terminate the SCTP association. A client only supporting RFC 6083 will simularly not offer the SCTP adaptation layer indication for DTLS/SCTP and include SCTP-AUTH, potentially with only SHA-1. Thus the SCTP server can make a decision based on server instance and upper layer protocols if there are services that can run with RFC 6083 and if the security policy allows it, then the server responds per RFC 6083. I hope the above is clear enough that there are potential for fallback when it is possible. However, if the upper layer application can't be constrained to below 16k byte messages it doesn't help. And in addition there are some difference in security properties that also need to be considered. I have created an issue for this: https://github.com/gloinul/draft-westerlund-tsvwg-dtls-over-sctp-bis/issues/81 Cheers Magnus Westerlund
- [tsvwg] Two comments about removing the 16 kB lim… li.yan18
- Re: [tsvwg] Two comments about removing the 16 kB… Magnus Westerlund
- Re: [tsvwg] Two comments about removing the 16 kB… li.yan18