Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encaps: To End 28th February 2014
Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 03 March 2014 16:23 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F3CD1A020D for <tsvwg@ietfa.amsl.com>; Mon, 3 Mar 2014 08:23:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MMrribeasyyu for <tsvwg@ietfa.amsl.com>; Mon, 3 Mar 2014 08:23:57 -0800 (PST)
Received: from sesbmg20.ericsson.net (sesbmg20.ericsson.net [193.180.251.56]) by ietfa.amsl.com (Postfix) with ESMTP id 71C2D1A0216 for <tsvwg@ietf.org>; Mon, 3 Mar 2014 08:23:56 -0800 (PST)
X-AuditID: c1b4fb38-b7f418e000001099-b0-5314ac985df2
Received: from ESESSHC009.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg20.ericsson.net (Symantec Mail Security) with SMTP id 4C.08.04249.89CA4135; Mon, 3 Mar 2014 17:23:53 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.47) with Microsoft SMTP Server id 14.2.347.0; Mon, 3 Mar 2014 17:23:51 +0100
Message-ID: <5314AC92.1060404@ericsson.com>
Date: Mon, 03 Mar 2014 16:23:46 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
References: <52F51569.8020501@erg.abdn.ac.uk> <530EF3DB.9020303@ericsson.com> <8F68A39F-7E0C-495E-89D9-3AD38DE72572@lurchi.franken.de> <531454EF.2090608@ericsson.com> <B5864301-427B-4467-86D6-1542AD7F65F5@lurchi.franken.de>
In-Reply-To: <B5864301-427B-4467-86D6-1542AD7F65F5@lurchi.franken.de>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprALMWRmVeSWpSXmKPExsUyM+Jvje7MNSLBBscPslhcbFrCaHHszV02 ByaPJUt+MnlsaNnBFMAUxWWTkpqTWZZapG+XwJWxb/MExoJv2hUfl/cxNjBOU+5i5OSQEDCR OH3oLQuELSZx4d56ti5GLg4hgSOMEse+v2UDSQgJLGOUaLiqDmLzCmhLNGyfBRZnEVCReLFy N1gzm4CFxM0fjWBxUYFgiZ0HfjNC1AtKnJz5BKxGRMBU4uDyeWA2s4CsxNe9T1hBbGGBGIm9 k14xQyy+zyix5kIb0CAODk4BV4m97dkgpoSAuERPYxBEq57ElKstjBC2vETz1tnMEGcCndbU wTqBUWgWks2zkLTMQtKygJF5FSNHcWpxUm66kcEmRmCoHtzy22IH4+W/NocYpTlYlMR5P751 DhISSE8sSc1OTS1ILYovKs1JLT7EyMTBKdXAqM4VZJQhXRPXGbk+453yw8b/62cWHmip+vSe 2WW6e/KR5zHeYf1vFk9ewn4s2HSCvv4Xr943OXdTtPaafNBplbincHByeCKL6qKMkOm1XE9X LEzQXpWqUTnFiVVnW8UPg20t88pO++8Mz9jpcUig39j58No/2p8i2x/53ci5NDNKRrF7slq9 EktxRqKhFnNRcSIABk2IMSMCAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/tsvwg/Ux7wNBQ24mv8eS56uKC-a7Kjes8
Cc: tsvwg WG <tsvwg@ietf.org>
Subject: Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encaps: To End 28th February 2014
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 16:23:59 -0000
On 2014-03-03 14:25, Michael Tuexen wrote: > On 03 Mar 2014, at 10:09, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote: > >> Hi, >> >> I removed things that don't additional follow up. >> >> On 2014-02-28 21:24, Michael Tuexen wrote: >> >>>> >>>> 3) Section 4: >>>> >>>> The DTLS implementation MUST be based on [RFC6347]. >>>> >>>> What happens when RFC 6347 is obsoleted? And that obsoletion can be >>>> based on two cases, either the whole DTLS version is being replaced or >>>> the RFC just updated for the same DTLS version. The later case I >>>> definitely should be less locked in. For the DTLS version it is a >>>> question of interoperability. Thus I think one probably should word this as: >>>> >>>> The DTLS implementation MUST be based on DTLS 1.2 [RFC6347]. >>>> >>>> Then one could add supporting future versions of DTLS is RECOMMENDED if >>>> defined. >>> OK. The reads >>> >>> <t>The DTLS implementation MUST be based on DTLS 1.2 <xref target='RFC6347'/>. >>> The support of future versions of DTLS is RECOMMENDED if defined</t> >> >> I think that is okay. > OK. >> >>> >>>> >>>> 4) Section 4: >>>> >>>> If path MTU discovery is performed by the DTLS layer, the method >>>> described in [RFC4821] MUST be used. For probe packets, the >>>> extension defined in [RFC6520] MUST be used. >>>> >>>> If path MTU discovery is performed by the SCTP layer and IPv4 is used >>>> as the network layer protocol, the DTLS implementation MUST allow the >>>> DTLS user to enforce that the corresponding IPv4 packet is sent with >>>> the DF bit set. >>>> >>>> Although this is stated, there are no requirement that I find in the >>>> specification that says that you MUST implement a PMTUD method. My >>> >>>> understanding is that IP/UDP/DTLS/SCTP is going to have a misserable >>>> time working if one ends up with IP fragments in other cases than for >>>> PMTUD probing packets. Thus, I think there needs to be a requirement on >>>> implementing some type of PMTUD method that works in this setting. >> >>> It is stated in Section 5 of draft-ietf-rtcweb-data-channel that >>> PMTU discovery MUST be done by SCTP. >> >> I think that is the wrong place. To my understanding the PMTUD is really >> important to get SCTP to behave well. Thus, this DTLS encapsulation can >> be used by other protocols than data channels, thus I think this is the >> document that should mandate the PMTUD discovery. > I added text that you MUST do PMTUD either in SCTP or DTLS. > draft-ietf-rtcweb-data-channel then nails this down to SCTP > MUST do this in the RTCWeb context. That should cover what you want, > right? Yes. >> >> >>>> >>>> I propose: >>>> >>>> An implementation of SCTP over DTLS MUST implement and use a path >>>> MTU discovery method that functions without ICMP to provide SCTP >>>> with a MTU estimate. An implementation of "Packetization Layer Path >>>> MTU Discovery" [RFC4821] either in SCTP or DTLS is RECOMMENDED. >>>> >>>> I do note that this text is not suitable in any of the existing >>>> sections. Maybe a new section between 3 and 4 for general considerations. >>> Added exactly there... >>> >>> I also added based on comments to one of the data channel documents: >>> >>> <t>The DTLS implementation SHOULD allow the DTLS user to control the DSCP >>> value used for IP packets being sent.</t> >> >> Also here I think it is a SCTP/DTLS issue, not a DATA-Channel/SCTP/DTLS >> issue. > And that is why I added it to draft-ietf-tsvwg-sctp-dtls-encaps. So I think we agree here, > or am I wrong? Then we agree, I missunderstood that this addition was in the data-channel draft, not this one. >> >>>> >>>> 5) Section 7. >>>> >>>> It is not obvious that this do not create new security issues. To me an >>>> obvious candidate for causing potential issues is the requirement on >>>> SCTP to be able to function without ICMP. Are there behaviors introduced >>>> that are a result of not receiving ICMP because they are not provided to >>>> SCTP, which compared to SCTP over IP would not exist. At the same time I >>>> do realize that it protects the SCTP stack from some attack vectors >>>> through ICMP. >> >>> The processing of ICMP is important to protect non-SCTP capable hosts. >>> But when using SCTP/DTLS, you are running about a connection oriented >>> protocol and therefore you can't just send SCTP packets to a host. >>> So I think this is very different. If you think these should be mentioned >>> explicitly, I can add such text. >> >> Yes, I think that would be good. > OK. Added > <t>It should be noted that the inability to process ICMP or ICMPv6 messages > does not add any security issue. The processing of these messages for SCTP > carried over a connection-less lower layer like IP, IPv6 or UDP is required > to protect nodes not supporting SCTP. Since DTLS provides a connection-oriented > lower layer, this kind of protection is not necessary.</t> > Yes, assuming that you understand the motivation why this is true. I do, and I hope many others do. Cheers Magnus Westerlund ---------------------------------------------------------------------- Services, Media and Network features, Ericsson Research EAB/TXM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encap… Gorry Fairhurst
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Gorry Fairhurst
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Magnus Westerlund
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Irene Rüngeler
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Michael Tuexen
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Magnus Westerlund
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Michael Tuexen
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Magnus Westerlund
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Karen E. Egede Nielsen
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Michael Tuexen
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Karen E. Egede Nielsen