IETF Logo Mail Archive

Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encaps: To End 28th February 2014

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 03 March 2014 10:10 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4405F1A0DFA for <tsvwg@ietfa.amsl.com>; Mon, 3 Mar 2014 02:10:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.851
X-Spam-Level:
X-Spam-Status: No, score=-3.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 36JLjNQqT08z for <tsvwg@ietfa.amsl.com>; Mon, 3 Mar 2014 02:10:29 -0800 (PST)
Received: from mailgw1.ericsson.se (mailgw1.ericsson.se [193.180.251.45]) by ietfa.amsl.com (Postfix) with ESMTP id 85D811A0E14 for <tsvwg@ietf.org>; Mon, 3 Mar 2014 02:09:58 -0800 (PST)
X-AuditID: c1b4fb2d-b7f5d8e000002a7b-1e-531454f26804
Received: from ESESSHC022.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw1.ericsson.se (Symantec Mail Security) with SMTP id 96.39.10875.2F454135; Mon, 3 Mar 2014 11:09:55 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.86) with Microsoft SMTP Server id 14.2.347.0; Mon, 3 Mar 2014 11:09:54 +0100
Message-ID: <531454EF.2090608@ericsson.com>
Date: Mon, 03 Mar 2014 10:09:51 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
References: <52F51569.8020501@erg.abdn.ac.uk> <530EF3DB.9020303@ericsson.com> <8F68A39F-7E0C-495E-89D9-3AD38DE72572@lurchi.franken.de>
In-Reply-To: <8F68A39F-7E0C-495E-89D9-3AD38DE72572@lurchi.franken.de>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprILMWRmVeSWpSXmKPExsUyM+Jvje7nEJFgg4fTeSwuNi1htDj25i6b A5PHkiU/mTw2tOxgCmCK4rJJSc3JLEst0rdL4MqYufYjS0GnUsXrJ1NZGxh/S3UxcnJICJhI LD29kRHCFpO4cG89WxcjF4eQwCFGiYeNv5khnGWMEtOvzGICqeIV0Ja4+Oc1M4jNIqAiMXvO YVYQm03AQuLmj0Y2EFtUIFhi54HfjBD1ghInZz5hAbFFBEwlDi6fB2YzC8hKfN37BKxXWCBG Yu+kV1DL2hgl9nxfzA6S4BRwlTj+4zDQIA6g88QlehqDIHr1JKZcbWGEsOUlmrfOBrtHCOi2 hqYO1gmMQrOQrJ6FpGUWkpYFjMyrGNlzEzNz0ssNNzECg/Xglt+6OxhPnRM5xCjNwaIkzvvh rXOQkEB6YklqdmpqQWpRfFFpTmrxIUYmDk6pBkapRItDUhyXd0tU6pvITfCIExE+n7hikeSb byKTtFyr1x9qlU9Yepi/Z01Me3z5hblcC6c8aUi54bFz658JHJd/iN+d/L6ng63jadvNlb++ 1nQs5LbIEE3eUjKlgbn71Mf7m0K9+uJX6ZgmX3nhFWkQ+LHd3arO/SrT7uV+qZ8PvGMQLM8Q M1JiKc5INNRiLipOBACPdl71JAIAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/tsvwg/UritY7vNSonktz8MNl-zPq07yWA
Cc: tsvwg WG <tsvwg@ietf.org>
Subject: Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encaps: To End 28th February 2014
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 10:10:31 -0000

Hi,

I removed things that don't additional follow up.

On 2014-02-28 21:24, Michael Tuexen wrote:

>>
>> 3) Section 4:
>>
>>   The DTLS implementation MUST be based on [RFC6347].
>>
>> What happens when RFC 6347 is obsoleted? And that obsoletion can be
>> based on two cases, either the whole DTLS version is being replaced or
>> the RFC just updated for the same DTLS version. The later case I
>> definitely should be less locked in. For the DTLS version it is a
>> question of interoperability. Thus I think one probably should word this as:
>>
>>   The DTLS implementation MUST be based on DTLS 1.2 [RFC6347].
>>
>> Then one could add supporting future versions of DTLS is RECOMMENDED if
>> defined.
> OK. The reads
> 
> <t>The DTLS implementation MUST be based on DTLS 1.2 <xref target='RFC6347'/>.
> The support of future versions of DTLS is RECOMMENDED if defined</t>

I think that is okay.

> 
>>
>> 4) Section 4:
>>
>>   If path MTU discovery is performed by the DTLS layer, the method
>>   described in [RFC4821] MUST be used.  For probe packets, the
>>   extension defined in [RFC6520] MUST be used.
>>
>>   If path MTU discovery is performed by the SCTP layer and IPv4 is used
>>   as the network layer protocol, the DTLS implementation MUST allow the
>>   DTLS user to enforce that the corresponding IPv4 packet is sent with
>>   the DF bit set.
>>
>> Although this is stated, there are no requirement that I find in the
>> specification that says that you MUST implement a PMTUD method. My
> 
>> understanding is that IP/UDP/DTLS/SCTP is going to have a misserable
>> time working if one ends up with IP fragments in other cases than for
>> PMTUD probing packets. Thus, I think there needs to be a requirement on
>> implementing some type of PMTUD method that works in this setting.

> It is stated in Section 5 of draft-ietf-rtcweb-data-channel that
> PMTU discovery MUST be done by SCTP.

I think that is the wrong place. To my understanding the PMTUD is really
important to get SCTP to behave well. Thus, this DTLS encapsulation can
be used by other protocols than data channels, thus I think this is the
document that should mandate the PMTUD discovery.


>>
>> I propose:
>>
>>   An implementation of SCTP over DTLS MUST implement and use a path
>>   MTU discovery method that functions without ICMP to provide SCTP
>>   with a MTU estimate. An implementation of "Packetization Layer Path
>>   MTU Discovery" [RFC4821] either in SCTP or DTLS is RECOMMENDED.
>>
>> I do note that this text is not suitable in any of the existing
>> sections. Maybe a new section between 3 and 4 for general considerations.
> Added exactly there...
> 
> I also added based on comments to one of the data channel documents:
> 
> <t>The DTLS implementation SHOULD allow the DTLS user to control the DSCP
> value used for IP packets being sent.</t>

Also here I think it is a SCTP/DTLS issue, not a DATA-Channel/SCTP/DTLS
issue.

>>
>> 5) Section 7.
>>
>> It is not obvious that this do not create new security issues. To me an
>> obvious candidate for causing potential issues is the requirement on
>> SCTP to be able to function without ICMP. Are there behaviors introduced
>> that are a result of not receiving ICMP because they are not provided to
>> SCTP, which compared to SCTP over IP would not exist. At the same time I
>> do realize that it protects the SCTP stack from some attack vectors
>> through ICMP.

> The processing of ICMP is important to protect non-SCTP capable hosts.
> But when using SCTP/DTLS, you are running about a connection oriented
> protocol and therefore you can't just send SCTP packets to a host.
> So I think this is very different. If you think these should be mentioned
> explicitly, I can add such text.

Yes, I think that would be good.

Thanks

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email