IETF Logo Mail Archive

Re: [tsvwg] DTLS 1.3 over SCTP

Michael Tuexen <michael.tuexen@lurchi.franken.de> Mon, 17 July 2023 11:42 UTC

Return-Path: <michael.tuexen@lurchi.franken.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4956EC151533 for <tsvwg@ietfa.amsl.com>; Mon, 17 Jul 2023 04:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.487
X-Spam-Level:
X-Spam-Status: No, score=-1.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fh_pROXkICT7 for <tsvwg@ietfa.amsl.com>; Mon, 17 Jul 2023 04:42:06 -0700 (PDT)
Received: from drew.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C990C15107C for <tsvwg@ietf.org>; Mon, 17 Jul 2023 04:42:05 -0700 (PDT)
Received: from smtpclient.apple (unknown [IPv6:2a02:8109:1140:c3d:b088:3a87:69f3:571b]) (Authenticated sender: lurchi) by mail-n.franken.de (Postfix) with ESMTPSA id 7951B70D3C8C0; Mon, 17 Jul 2023 13:41:59 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
In-Reply-To: <DU0PR07MB897089C304314A47B606EB82953BA@DU0PR07MB8970.eurprd07.prod.outlook.com>
Date: Mon, 17 Jul 2023 13:41:57 +0200
Cc: tsvwg IETF list <tsvwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6D224418-07D8-467E-A67D-A40B223207EB@lurchi.franken.de>
References: <0C990143-D450-4288-9390-E06D3469FF1D@lurchi.franken.de> <DU0PR07MB8970107616BF8A5E9D05AF939534A@DU0PR07MB8970.eurprd07.prod.outlook.com> <25FD6896-90BA-4298-A5BE-DDD869A71C37@lurchi.franken.de> <DU0PR07MB897089C304314A47B606EB82953BA@DU0PR07MB8970.eurprd07.prod.outlook.com>
To: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/WEInETr-9q-LLLo90I6D7c90aKI>
Subject: Re: [tsvwg] DTLS 1.3 over SCTP
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2023 11:42:12 -0000

> On 17. Jul 2023, at 11:33, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
>  Please see inline.
>  From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
> Date: Sunday, 16 July 2023 at 19:52
> To: Magnus Westerlund <magnus.westerlund@ericsson.com>
> Cc: tsvwg IETF list <tsvwg@ietf.org>
> Subject: Re: [tsvwg] DTLS 1.3 over SCTP
> > On 14. Jul 2023, at 14:12, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> wrote:
> > 
> > Hi Michael,
> >  A question I don’t understand on what basis you managed to extend the TLS record size from from 2^14 to 2^16 bytes?
> >  When I read RFC 8449 it does not change the TLS underlying protocol limit which is 2^14 and depending on version what you need to account for in that limit.
> >  What I can see the following text from RFC 8449 applies:
> >     An endpoint that supports all record sizes can include any limit up
> >    to the protocol-defined limit for maximum record size.  For TLS 1.2
> >    and earlier, that limit is 2^14 octets.  TLS 1.3 uses a limit of
> >    2^14+1 octets.  Higher values are currently reserved for future
> >    versions of the protocol that may allow larger records; an endpoint
> >    MUST NOT send a value higher than the protocol-defined maximum record
> >    size unless explicitly allowed by such a future version or extension.
> Hi Magnus,
> 
> the idea is to make use of "unless explicitly allowed by such a future version or extension".
> The extension would be a flags extension that indicates that the value is raised.
> See https://www.ietf.org/archive/id/draft-ietf-tls-tlsflags-11.html
> Yes, I understand that the signaling is straight forward, and that TLS flag draft appears to be just an efficient way of not having to use full parameters when establishing the DTLS connection. 
> >  Are you attempting to define a (D)TLS extension here in TSVWG that changes the TLS record size to 2^16? I would think that would require some security analysis to determine that the usage of larger record doesn’t weaken the security due to the larger record sizes. I would think such changes should go through TLS WG and then be used by TSVWG.
> I'm open to that. We can do it from within the 6083-bis document in TSVWG or
> in the TLS WG in a separate document. I contacted Eric Rescorla, Martin Thomson,
> Hannes Tschofenig and a couple of other people. They agreed that bumping that
> limit should be possible. Actually, I could not figure out, why the limit of
> 2^14 exists at all.
> MW: It might be possible to raise without issues, however it would need analysis. What I think might be the large work here is to determine what ciphers can be used without security failures or to reduced security. Someone will have to do analysis to raise this limit. My opinion is that this work really needs to happen in TLS.
OK.
> 
> >  Otherwise, I think it is good that RFC 6083 are being fixed for its security issues unless completely replaces by a more capable solution. However, this draft it does not address all the requirements to our understanding that 3GPP has on a DTLS based security solution. The short-commings are the following:
> >  
> >     • Do not support sufficiently large protected message sizes. As discussed in this thread the theoretical maximum message sizes for some of 3GPP application protocols are above 144 kb and even as large as 500 kb.
> >     • Periodic re-authentication of the peer
> >     • Forward secrecy rekeying, like re-running differ-hellman exchange, which is not done by the DTLS 1.3 keyupdate mechanism. 
> 
> Any idea how that last two goals are achieved by using TLS 1.3 or DTLS 1.3? Or were these
> features just dropped when getting rid of re-negotiation?
> MW: TLS 1.3 dropped these capabilities when re-negotiation was removed. I think the main reason is that no one was there and pushing for long lived use cases. In the web world there are rarely any real issue with dropping the connection and forcing the client to reconnect if one runs into these needs. SCTP application clearly has other expectations, especially the applications 3GPP have for it.
> So those two later issues and the lack for any solution in DTLS 1.3 is why we defined the parallel DTLS Connection procedure.
Doesn't provide (D)TLS forward secrecy? Where are the requirements for re-negotiation coming from? Was there a liaison statement making that requirement clear?
> 
> >  Thus, I don’t see this draft as any replacement for the DTLS over SCTP work that 3GPP has requested. But it can ensure that we don’t have in non-deprecated that have known security issues.  Cheers
> I have a hard time to parse the last sentence.
> 
> MW: Sorry, the point being that doing a RFC6083bis without large message support is replacing the clearly broken RFC 6083 which would be good from an general perspective that we should not leave clearly broken things as standard tracks document.  
Great, we agree on this.

Best regards
Michael
> Cheers
> Magnus

v2.23.0 | Report a Bug | By Email