IETF Logo Mail Archive

Re: [tsvwg] DTLS in SCTP solution

Michael Tuexen <michael.tuexen@lurchi.franken.de> Mon, 20 March 2023 22:39 UTC

Return-Path: <michael.tuexen@lurchi.franken.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0888DC19E111 for <tsvwg@ietfa.amsl.com>; Mon, 20 Mar 2023 15:39:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z26cyGk5W7JU for <tsvwg@ietfa.amsl.com>; Mon, 20 Mar 2023 15:39:38 -0700 (PDT)
Received: from drew.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A474C1907A6 for <tsvwg@ietf.org>; Mon, 20 Mar 2023 15:39:37 -0700 (PDT)
Received: from smtpclient.apple (unknown [IPv6:2a02:8109:1140:c3d:41f:355b:1473:a70a]) (Authenticated sender: lurchi) by drew.franken.de (Postfix) with ESMTPSA id 456EF71B784F7; Mon, 20 Mar 2023 23:39:30 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
In-Reply-To: <PA4PR07MB8414B23B0D6BF4F71CA52C5F95A09@PA4PR07MB8414.eurprd07.prod.outlook.com>
Date: Mon, 20 Mar 2023 23:39:29 +0100
Cc: tsvwg IETF list <tsvwg@ietf.org>, John Mattsson <john.mattsson@ericsson.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <42858D2B-F323-49E2-9722-B97C084994FA@lurchi.franken.de>
References: <PA4PR07MB8414B23B0D6BF4F71CA52C5F95A09@PA4PR07MB8414.eurprd07.prod.outlook.com>
To: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/EDmwiVpGcAGT6UkZ_5rotS-MeD8>
Subject: Re: [tsvwg] DTLS in SCTP solution
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2023 22:39:42 -0000

> On 16. Feb 2023, at 10:36, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
>  We authors of DTLS/SCTP https://datatracker.ietf.org/doc/draft-ietf-tsvwg-dtls-over-sctp-bis/ have worked on two drafts that together forms what we consider a much better alternative for how to use DTLS to the current proposed solution that is based on SCTP.
>  The first draft is a general crypto chunk that can be used to protect the rest of the SCTP packet using a negotiated protection engine.https://datatracker.ietf.org/doc/draft-westerlund-tsvwg-sctp-crypto-chunk/
>  Then we have written a draft that defines how to use the above crypto chunk to integrate DTLS as the protection engine. Targeting the same goals as in DTLS/SCTP. Like mutual authentication, support for very long lived sessions. But in addition we get a lot of other benefits including a much lower bar on the DTLS implementation that is integrated. https://datatracker.ietf.org/doc/draft-westerlund-tsvwg-sctp-crypto-dtls/
>  The benefits as we see it are listed here: https://www.ietf.org/archive/id/draft-westerlund-tsvwg-sctp-crypto-dtls-00.html#name-benefits-compared-to-dtls-s
> The main benefits we see are the following:
>     • No dependency on SCTP-AUTH
>     • Much lower requirements on DTLS implementations when it comes to support of functionality
>     • Protection of the whole SCTP packet, preventing attacks on SCTP as well, not only on the user messages
>     • Much robuster when rekeying
>     • No limitation on user message size from this mechanism as it functions below SCTP’s DATA chunk message fragmentation mechanism.
>  We are working on getting our IPR disclosures submitted on draft-westerlund-tsvwg-sctp-crypto-dtls. We authors are currently not aware of any IPR that would apply on draft-westerlund-tsvwg-sctp-crypto-chunk.
>  We would like to ask the WG to consider this proposal as a replacement for DTLS/SCTP.
Hi Magnus,

I have read the two IDs you are referring to. I have a couple of questions/remarks/comments:

1. Why is not not allowed to bundle chunks with the CRYPTO chunk? I can understand that
   in ESTABLISHED, but not in the other states.
2. Why are you sending ABORT chunks followed by ERROR chunks? This does not make any
   sense to me. The receiver will process the ABORT chunk, kill the association, report
   that to the upper layer and then can't really process the ERROR chunk anymore.
3. I do understand how you use the CRYPTO chunk to protect an SCTP packet. It is
   similar to the AUTH chunk, just doing encryption. However, I do not understand how
   to use the CRYPTO chunk for DTLS messages. If I understand your proposal correctly,
   you will use DTLS retransmissions in case of packet loss, since you don't run
   a timer and loss recovery for CRYPTO chunks. But how is the path been chosen?
   How can you make use of multi-homing? DTLS does not know about this.
4. I can see how you can implement this using a userland SCTP stack and a DTLS stack.
   However, I have a hard time to see how to implement this in a kernel SCTP stack.
   I guess one would do the encrypt/decrypt part in the kernel and the DTLS negotiation
   in userland, but the required socket API is not clear to me.
   In my opinion, whatever solution is been worked on, it should work for userland and
   kernel stacks.

I really like the idea of an CRYPTO chunk. However, I would think of it more in the
lines of the AUTH chunk. You let the SCTP stack to the encrypt/decrypt stuff and
specify a socket API for delegating the credentials. This could be similar to kernel
TLS. However, I would also prefer to run the DTLS handshake messages as normal user
messages in DATA/I-DATA chunks and not change the SCTP state engine.
This way you can make use of the SCTP loss recovery and retransmission strategies
including multihoming.

If I'm reading section 1.3.1 of you DTLS document, I'm wondering why you do not consider
SCTP over DTLS. You can use that with an unmodified DTLS stack, you need to tweak the
SCTP stack a bit. The only thing which is missing right now is the support of multihoming.
But this can be worked on...

Best regards
Michael
>  Cheers
>  Magnus, John and Claudio.

v2.31.3 | Report a Bug | By Email | System Status