Re: [tsvwg] sanity checking DTLS ICMP errors

Yoshifumi Nishida <nishida@sfc.wide.ad.jp> Fri, 23 January 2015 07:40 UTC

In-Reply-To: <E49B9AC9-90F8-4158-9DFE-99B2ECCC1140@lurchi.franken.de>
References: <5FFBC79D-AE0A-4B44-B11F-7A2D6EA00347@cisco.com> <372D50B7-4AF4-41EC-A6E8-97E00C4F5FE8@lurchi.franken.de> <CAO249ycaf8Q-AyTcp4cx3xhocyNzPEZzVO148XQfBJwhiKjWSw@mail.gmail.com> <E49B9AC9-90F8-4158-9DFE-99B2ECCC1140@lurchi.franken.de>
Date: Thu, 22 Jan 2015 23:40:10 -0800
Message-ID: <CAO249ye9mQtLLuFJzvBOuzXxehKVmRB6C4enPVPT33TjRT_zDw@mail.gmail.com>
From: Yoshifumi Nishida <nishida@sfc.wide.ad.jp>
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tsvwg/Tjqw7mvdDhhGW86n3X4MKrtKal0>
Cc: tsvwg <tsvwg@ietf.org>, Dan Wing <dwing@cisco.com>
Subject: Re: [tsvwg] sanity checking DTLS ICMP errors

Hi Michael,

On Thu, Jan 22, 2015 at 12:03 PM, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:

>
> > On 22 Jan 2015, at 09:34, Yoshifumi Nishida <nishida@sfc.wide.ad.jp> wrote:
> >
> >
> > On Mon, Jan 19, 2015 at 2:36 PM, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
> > > On 19 Jan 2015, at 20:43, Dan Wing <dwing@cisco.com> wrote:
> > >
> > > To reduce the attack surface, TCP implementations have been validating
> > > ICMP error messages to be in-window (RFC5927).
> > >
> > > On a thread over on RTCWEB with Michael Tüxen, it seems DTLS-encrypted
> > > packets might benefit from a similar validation.
> > Just to add some information:
> > Dan was asking why we couldn't just process incoming ICMP packets
> > indicating that a packet sent was too big by SCTP when running over
> > DTLS. My point was that we can't do the validation of the verification
> > tag as we do normally for SCTP. That is why we use PMTUD as described
> > in RFC4821 for
> > http://tools.ietf.org/html/draft-ietf-tsvwg-sctp-dtls-encaps-08
> >
> > Sorry if I miss something..
> > I'm just curious after reading the following texts.
> >
> >    Incoming ICMP or ICMPv6 messages can't be processed by the SCTP
> >    layer, since there is no way to identify the corresponding
> >    association.
> >
> >
> > If the socket used for UDP encap is connected and if only one SCTP
> > association over DTLS is mapped to the socket, is it still impossible
> > for the SCTP layer to know if it receives ICMP errors?
> Please note that the ICMP processing of SCTP requires to check the
> verification tag. Since we use DTLS, this is not present in cleartext in
> the ICMP message (if it is present at all).
>

What I meant was that an SCTP association might be able to know if it
receives ICMP errors, even though it cannot examine it.
I just felt that the text "there is no way to identify the corresponding
association" might be a bit of an ambiguous expression. Sorry for picking
up a minor point.

Thanks,
--
Yoshi
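The point under discussion, shown as an added example that is not part of the thread or of any of the implementations mentioned in it: an SCTP stack validates an ICMP "Fragmentation Needed" message by comparing the verification tag in the quoted packet with the peer's tag (RFC 4960 Appendix C), which works when SCTP runs directly over IP or over plain UDP encapsulation (RFC 6951), but not when the quoted bytes are a DTLS record carrying the SCTP packet as ciphertext. All packets below are constructed inline; the port numbers, verification tag, MTU value and helper names are assumptions made for the example, and only ICMPv4 is handled.

```python
"""Added example: tying an ICMPv4 'Fragmentation Needed' message to an SCTP
association via the verification tag, and why that fails under DTLS.
All packets are constructed here; nothing is captured from a real network."""
import struct
from typing import Tuple

ICMP_DEST_UNREACH = 3        # ICMPv4 Destination Unreachable
ICMP_FRAG_NEEDED = 4         # code 4: fragmentation needed and DF set (RFC 1191)
IPPROTO_UDP = 17
IPPROTO_SCTP = 132
DTLS_APPLICATION_DATA = 23   # DTLS record content type
DTLS_1_2_VERSION = 0xFEFD    # DTLS 1.2 record-layer version field (RFC 6347)


def ipv4_header(proto: int, total_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; addresses and checksum do not matter here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))


def sctp_common_header(sport: int, dport: int, vtag: int) -> bytes:
    # RFC 4960 common header: ports, 32-bit verification tag, CRC32c (left 0).
    return struct.pack("!HHII", sport, dport, vtag, 0)


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def dtls_record(ciphertext: bytes) -> bytes:
    # DTLS 1.2 record header: type, version, epoch, 48-bit sequence, length.
    return struct.pack("!BHH6sH", DTLS_APPLICATION_DATA, DTLS_1_2_VERSION, 1,
                       b"\x00\x00\x00\x00\x00\x07", len(ciphertext)) + ciphertext


def icmp_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    # Type 3 / code 4; bytes 6-7 carry the next-hop MTU; checksum left 0.
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + quoted


def check_icmp_ptb(icmp: bytes, encap: str, local_port: int, peer_port: int,
                   peer_vtag: int) -> Tuple[str, int]:
    """Decide whether one ICMP message may update the PMTU of one association.

    encap is "ip" (SCTP over IPv4), "udp" (RFC 6951) or "dtls" (SCTP over
    DTLS over UDP). Returns ("accepted", mtu), ("rejected", 0) or
    ("unverifiable", 0).
    """
    if len(icmp) < 8 + 20:
        return ("rejected", 0)
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return ("rejected", 0)
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    payload = quoted[ihl:]
    if proto != (IPPROTO_SCTP if encap == "ip" else IPPROTO_UDP):
        return ("rejected", 0)
    if encap != "ip":
        if len(payload) < 8:
            return ("rejected", 0)
        payload = payload[8:]            # strip the encapsulating UDP header
    if encap == "dtls":
        # What the router quoted is a DTLS record header plus ciphertext; the
        # SCTP common header, and with it the verification tag, is encrypted.
        # The message cannot be tied to the association, which is why the
        # DTLS encapsulation draft relies on RFC 4821 PMTUD instead.
        return ("unverifiable", 0)
    # Ports and verification tag sit in the first 8 bytes of the SCTP common
    # header, the minimum a router must quote (RFC 792), so 8 bytes suffice.
    if len(payload) < 8:
        return ("rejected", 0)
    sport, dport, vtag = struct.unpack("!HHI", payload[:8])
    if (sport, dport) != (local_port, peer_port) or vtag != peer_vtag:
        return ("rejected", 0)           # RFC 4960 App. C: tag mismatch, discard
    return ("accepted", mtu)


def demo() -> dict:
    local_port, peer_port, peer_vtag, mtu = 5000, 5001, 0x1A2B3C4D, 1280
    sctp = sctp_common_header(local_port, peer_port, peer_vtag)
    # 1. SCTP over IPv4, genuine message: IP header plus first 8 bytes of SCTP.
    genuine = icmp_frag_needed(mtu, ipv4_header(IPPROTO_SCTP, 1420) + sctp[:8])
    # 2. Off-path forgery: attacker knows the ports but guesses the 32-bit tag.
    forged = icmp_frag_needed(68, ipv4_header(IPPROTO_SCTP, 1420)
                              + sctp_common_header(local_port, peer_port, 0xDEADBEEF)[:8])
    # 3. SCTP over UDP (RFC 6951): the tag is still cleartext after the UDP header.
    udp_genuine = icmp_frag_needed(mtu, ipv4_header(IPPROTO_UDP, 1428)
                                   + udp_header(9899, 9899, 1400) + sctp[:8])
    # 4. SCTP over DTLS over UDP: only the record header and ciphertext are visible.
    ciphertext = bytes(range(0x10, 0x30))          # constructed stand-in
    dtls_genuine = icmp_frag_needed(mtu, ipv4_header(IPPROTO_UDP, 28 + 13 + len(ciphertext))
                                    + udp_header(9899, 9899, 13 + len(ciphertext))
                                    + dtls_record(ciphertext))
    args = (local_port, peer_port, peer_vtag)
    return {
        "sctp_genuine": check_icmp_ptb(genuine, "ip", *args),
        "sctp_forged": check_icmp_ptb(forged, "ip", *args),
        "udp_genuine": check_icmp_ptb(udp_genuine, "udp", *args),
        "dtls_genuine": check_icmp_ptb(dtls_genuine, "dtls", *args),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fourth case is the one the thread is about: a connected UDP socket carrying a single DTLS association does tell the stack that an ICMP error arrived for it, but since the quoted bytes are ciphertext the stack cannot perform the tag check that protects the plain-SCTP cases from off-path forgery, so the message is treated as unverifiable rather than acted upon.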