Re: [tsvwg] sanity checking DTLS ICMP errors

Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Thu, 22 January 2015 20:04 UTC

From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <CAO249ycaf8Q-AyTcp4cx3xhocyNzPEZzVO148XQfBJwhiKjWSw@mail.gmail.com>
Date: Thu, 22 Jan 2015 21:03:56 +0100
Message-Id: <E49B9AC9-90F8-4158-9DFE-99B2ECCC1140@lurchi.franken.de>
References: <5FFBC79D-AE0A-4B44-B11F-7A2D6EA00347@cisco.com> <372D50B7-4AF4-41EC-A6E8-97E00C4F5FE8@lurchi.franken.de> <CAO249ycaf8Q-AyTcp4cx3xhocyNzPEZzVO148XQfBJwhiKjWSw@mail.gmail.com>
To: Yoshifumi Nishida <nishida@sfc.wide.ad.jp>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tsvwg/aTPmh8_iIYoMCmqCQ_KDBnviD3M>
Cc: tsvwg <tsvwg@ietf.org>, Dan Wing <dwing@cisco.com>
Subject: Re: [tsvwg] sanity checking DTLS ICMP errors

> On 22 Jan 2015, at 09:34, Yoshifumi Nishida <nishida@sfc.wide.ad.jp> wrote:
> 
> 
> On Mon, Jan 19, 2015 at 2:36 PM, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
> > On 19 Jan 2015, at 20:43, Dan Wing <dwing@cisco.com> wrote:
> >
> > To reduce the attack surface, TCP implementations have been validating ICMP error messages to be in-window (RFC5927).
> >
> > On a thread over on RTCWEB with Michael Tüxen, it seems DTLS-encrypted packets might benefit from a similar validation.
> Just to add some information:
> Dan was asking why we couldn't just process incoming ICMP packets indicating that a packet
> sent was too big by SCTP when running over DTLS. My point was that we can't do the validation
> of the verification tag as we do normally for SCTP. That is why we use PMTUD as described
> in RFC4821 for
> http://tools.ietf.org/html/draft-ietf-tsvwg-sctp-dtls-encaps-08
> 
> Sorry if I'm missing something.
> I'm just curious after reading the following texts.
> 
>   Incoming ICMP or ICMPv6 messages can't be processed by the SCTP
>   layer, since there is no way to identify the corresponding
>   association.
> 
> 
> If the socket used for UDP encap is connected and if only one SCTP association over DTLS is mapped to the socket, is it still impossible for the SCTP layer to know if it receives ICMP errors?
Please note that the ICMP processing of SCTP requires checking the verification tag. Since we use DTLS, this
is not present in cleartext in the ICMP message (if it is present at all).

Best regards
Michael
> 
> Thanks,
> --
> Yoshi
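Added example, not part of this thread or of draft-ietf-tsvwg-sctp-dtls-encaps: a small Python check that applies the SCTP-style ICMP validation the discussion refers to and shows what is lost under DTLS encapsulation. It parses an ICMPv4 "fragmentation needed" error (type 3, code 4), locates the quoted datagram, and for a plain SCTP packet compares the addresses, ports and verification tag in the quoted SCTP common header against the association, as RFC 4960 Appendix C describes. For a packet sent over DTLS/UDP the bytes after the quoted UDP header are a DTLS record header followed by ciphertext, so the verification tag is not visible and the function can only report that it cannot validate the error. All packets and the association state are constructed fixtures, checksums are left zero and not verified, and the field and function names are my own.

```python
import struct

PROTO_UDP = 17
PROTO_SCTP = 132
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
DTLS_VERSIONS = (0xFEFF, 0xFEFD)          # DTLS 1.0 and 1.2 record-layer versions
DTLS_CONTENT_TYPES = (20, 21, 22, 23)     # ccs, alert, handshake, application_data


# --- packet builders for the constructed fixtures (checksums left zero) ---

def ipv4_header(proto, src, dst, payload_len):
    """IPv4 header without options."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def sctp_common_header(sport, dport, vtag):
    """SCTP common header (RFC 4960, 3.1): ports, verification tag, CRC32c (zero here)."""
    return struct.pack("!HHII", sport, dport, vtag, 0)

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def dtls_record(ctype, epoch, seq, body):
    """DTLS 1.2 record header (RFC 6347, 4.1): type, version, epoch, 48-bit seq, length."""
    return struct.pack("!BHHHIH", ctype, 0xFEFD, epoch, seq >> 32, seq & 0xFFFFFFFF, len(body)) + body

def icmp_frag_needed(next_hop_mtu, quoted_datagram):
    """ICMPv4 type 3 code 4 (RFC 1191): the router quotes the offending datagram."""
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted_datagram


# --- the validation an SCTP stack performs before acting on a PMTU error ---

def validate_frag_needed(icmp, assoc):
    """
    Return (verdict, next_hop_mtu). The error is acted on only if the quoted
    packet is one this association sent: right addresses, right ports and,
    for cleartext SCTP, the peer's verification tag (RFC 4960, Appendix C).
    """
    if len(icmp) < 8 + 20 + 8:                       # ICMP hdr + IP hdr + 8 quoted bytes
        return ("REJECT_TRUNCATED", None)
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return ("REJECT_NOT_FRAG_NEEDED", None)
    inner = icmp[8:]
    if inner[0] >> 4 != 4:
        return ("REJECT_NOT_IPV4", None)
    ihl = (inner[0] & 0x0F) * 4
    proto, src, dst = inner[9], inner[12:16], inner[16:20]
    if (src, dst) != (assoc["local_ip"], assoc["peer_ip"]):
        return ("REJECT_ADDR_MISMATCH", None)
    l4 = inner[ihl:]

    if proto == PROTO_SCTP:
        if len(l4) < 12:
            return ("REJECT_TRUNCATED", None)
        sport, dport, vtag, _crc = struct.unpack("!HHII", l4[:12])
        if (sport, dport) != (assoc["sctp_local_port"], assoc["sctp_peer_port"]):
            return ("REJECT_PORT_MISMATCH", None)
        if vtag != assoc["peer_vtag"]:               # spoofed or stale error: ignore it
            return ("REJECT_VTAG_MISMATCH", None)
        return ("ACCEPT", mtu)

    if proto == PROTO_UDP:
        if len(l4) < 8:
            return ("REJECT_TRUNCATED", None)
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        if (sport, dport) != (assoc["udp_local_port"], assoc["udp_peer_port"]):
            return ("REJECT_PORT_MISMATCH", None)
        # After the UDP header comes a DTLS record: at most the record header
        # (type, version, epoch, sequence) is visible; the SCTP common header
        # and its verification tag are inside the ciphertext.
        if len(l4) >= 8 + 13:
            ctype, ver = struct.unpack("!BH", l4[8:11])
            if ctype not in DTLS_CONTENT_TYPES or ver not in DTLS_VERSIONS:
                return ("REJECT_NOT_DTLS", None)
        return ("CANNOT_VALIDATE_ENCRYPTED", None)

    return ("REJECT_UNKNOWN_PROTO", None)


# --- constructed fixtures (made-up addresses, ports and tag) ---

LOCAL_IP, PEER_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
ASSOC = {
    "local_ip": LOCAL_IP, "peer_ip": PEER_IP,
    "sctp_local_port": 5000, "sctp_peer_port": 5001, "peer_vtag": 0x1A2B3C4D,
    "udp_local_port": 40000, "udp_peer_port": 5061,   # DTLS/UDP encapsulation ports
}

def sample_plain_sctp(vtag):
    sctp = sctp_common_header(5000, 5001, vtag) + bytes(8)   # 8 zero bytes stand in for chunk data
    return icmp_frag_needed(1280, ipv4_header(PROTO_SCTP, LOCAL_IP, PEER_IP, len(sctp)) + sctp)

def sample_dtls_encapsulated():
    ciphertext = bytes(range(32))                             # stand-in for the encrypted SCTP packet
    rec = dtls_record(23, 1, 7, ciphertext)
    udp = udp_header(40000, 5061, len(rec)) + rec
    return icmp_frag_needed(1280, ipv4_header(PROTO_UDP, LOCAL_IP, PEER_IP, len(udp)) + udp)

if __name__ == "__main__":
    for name, pkt in [("plain SCTP, correct vtag", sample_plain_sctp(0x1A2B3C4D)),
                      ("plain SCTP, spoofed vtag", sample_plain_sctp(0xDEADBEEF)),
                      ("SCTP over DTLS over UDP", sample_dtls_encapsulated())]:
        print(f"{name}: {validate_frag_needed(pkt, ASSOC)}")
```

The first two cases show the RFC 4960 check doing its job: an off-path sender who guesses addresses and ports but not the 32-bit verification tag gets its forged "fragmentation needed" ignored. The third case is the situation the thread is about: the same check has nothing to compare against, because the tag is under DTLS encryption, which is why the draft falls back to RFC 4821 packetization-layer PMTUD rather than trusting the ICMP error.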