Re: [tsvwg] DTLS 1.3 over SCTP

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 14 July 2023 12:12 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: Michael Tuexen <michael.tuexen@lurchi.franken.de>, tsvwg IETF list <tsvwg@ietf.org>
Date: Fri, 14 Jul 2023 12:12:42 +0000
Message-ID: <DU0PR07MB8970107616BF8A5E9D05AF939534A@DU0PR07MB8970.eurprd07.prod.outlook.com>
References: <0C990143-D450-4288-9390-E06D3469FF1D@lurchi.franken.de>
In-Reply-To: <0C990143-D450-4288-9390-E06D3469FF1D@lurchi.franken.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/iuVndTElEphrCTK1wlvNpLrNnVI>
Subject: Re: [tsvwg] DTLS 1.3 over SCTP

Hi Michael,

A question: I don’t understand on what basis you managed to extend the TLS record size from 2^14 to 2^16 bytes?

When I read RFC 8449, it does not change the underlying TLS protocol limit, which is 2^14, and, depending on the version, what you need to account for within that limit.

As far as I can see, the following text from RFC 8449 applies:

   An endpoint that supports all record sizes can include any limit up
   to the protocol-defined limit for maximum record size.  For TLS 1.2
   and earlier, that limit is 2^14 octets.  TLS 1.3 uses a limit of
   2^14+1 octets.  Higher values are currently reserved for future
   versions of the protocol that may allow larger records; an endpoint
   MUST NOT send a value higher than the protocol-defined maximum record
   size unless explicitly allowed by such a future version or extension.

Are you attempting to define a (D)TLS extension here in TSVWG that changes the TLS record size to 2^16? I would think that would require some security analysis to determine that the usage of larger records doesn’t weaken the security due to the larger record sizes. I would think such changes should go through the TLS WG and then be used by TSVWG.

Otherwise, I think it is good that RFC 6083 is being fixed for its security issues unless it is completely replaced by a more capable solution. However, this draft does not address all the requirements that, to our understanding, 3GPP has on a DTLS-based security solution. The shortcomings are the following:

  *   Does not support sufficiently large protected message sizes. As discussed in this thread, the theoretical maximum message sizes for some of the 3GPP application protocols are above 144 kb and even as large as 500 kb.
  *   Periodic re-authentication of the peer.
  *   Forward-secret rekeying, like re-running the Diffie-Hellman exchange, which is not done by the DTLS 1.3 KeyUpdate mechanism.

Thus, I don’t see this draft as any replacement for the DTLS over SCTP work that 3GPP has requested. But it can ensure that we don’t have non-deprecated specifications that have known security issues.

Cheers

Magnus



From: tsvwg <tsvwg-bounces@ietf.org> on behalf of Michael Tuexen <michael.tuexen@lurchi.franken.de>
Date: Thursday, 13 July 2023 at 16:36
To: tsvwg IETF list <tsvwg@ietf.org>
Subject: [tsvwg] DTLS 1.3 over SCTP
Dear all,

Hannes Tschofenig and I have submitted an ID for using DTLS 1.3 over SCTP:
https://www.ietf.org/archive/id/draft-tuexen-tsvwg-rfc6083-bis-02.html

This is an alternative to
https://www.ietf.org/archive/id/draft-ietf-tsvwg-dtls-over-sctp-bis-06.html

Our document is based on RFC 6083. The major differences are:
* Use DTLS 1.3 instead of DTLS 1.0
* Use key updates instead of renegotiation. This limits the number of
  rekeyings to 2^64, but that should not be a limit in real-world scenarios.
* Bump the maximum user message size to 64KB by using RFC 8449.

Any comments welcome.

Best regards
Michael
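An added worked example (my own code, not from either draft, RFC 6083 or any message in this thread) that makes the record-size dispute above concrete: a checker for the RFC 8449 record_size_limit extension and the fragmentation arithmetic for the message sizes Magnus quotes. The protocol-defined maxima (2^14 for TLS 1.2 and earlier, 2^14+1 for TLS 1.3) are taken from the RFC 8449 text quoted in the e-mail; applying the TLS 1.3 figure to DTLS 1.3 is my assumption, based on RFC 9147 using the same TLSInnerPlaintext construction. The version labels, function names and the reading of "144 kb"/"500 kb" as KiB are assumptions for illustration; the 64 KB row models the draft's claim, which RFC 8449 does not permit, purely to show that it would still not fit the larger 3GPP messages.

```python
"""RFC 8449 record_size_limit checks and record-count arithmetic.

Added example; not code from the original e-mail, RFC 6083, or either draft.
Protocol maxima come from RFC 8449 Section 4 as quoted in the thread; the
DTLS 1.3 entry is an assumption (same TLSInnerPlaintext rule, RFC 9147).
"""
import math
import struct

# Protocol-defined maximum record size per negotiated version (RFC 8449).
PROTOCOL_MAX = {
    "TLS1.2": 2**14,
    "DTLS1.2": 2**14,
    "TLS1.3": 2**14 + 1,   # TLSInnerPlaintext: content plus the content-type octet
    "DTLS1.3": 2**14 + 1,  # assumption: DTLS 1.3 follows the TLS 1.3 rule
}
MIN_LIMIT = 64  # RFC 8449: a received value below 64 is a fatal illegal_parameter


def advertise_record_size_limit(limit: int, version: str) -> bytes:
    """Build the extension_data (one uint16) this endpoint is allowed to send.

    Sender-side rule from RFC 8449: an endpoint MUST NOT advertise more than
    the protocol-defined maximum unless a future version or extension
    explicitly allows it. No such extension is modelled here, so 2^16 is
    rejected for every version in PROTOCOL_MAX.
    """
    if limit < MIN_LIMIT or limit > PROTOCOL_MAX[version]:
        raise ValueError(
            f"{limit} is outside [{MIN_LIMIT}, {PROTOCOL_MAX[version]}] for {version}"
        )
    return struct.pack("!H", limit)


def receive_record_size_limit(extension_data: bytes, version: str) -> int:
    """Parse a peer's record_size_limit and return the limit we must honour.

    Below 64 is an illegal_parameter (modelled as ValueError). A value above
    the protocol maximum is tolerated on receipt (RFC 8449 tells a server not
    to enforce the sender-side rule) but it can never raise what we may send
    past the protocol-defined maximum, so the effective limit is clamped.
    """
    if len(extension_data) != 2:
        raise ValueError("record_size_limit extension_data must be exactly 2 octets")
    (limit,) = struct.unpack("!H", extension_data)
    if limit < MIN_LIMIT:
        raise ValueError(f"record_size_limit {limit} < {MIN_LIMIT}: illegal_parameter")
    return min(limit, PROTOCOL_MAX[version])


def max_payload_per_record(limit: int, version: str) -> int:
    """Application octets that fit in one record under a negotiated limit.

    For (D)TLS 1.3 the limit counts the content-type octet of
    TLSInnerPlaintext, so with no padding one octet less of payload fits.
    """
    return limit - 1 if version.endswith("1.3") else limit


def records_needed(user_message_len: int, limit: int, version: str) -> int:
    """Records a user message would need if it were split across records.

    RFC 6083 carries one DTLS record per SCTP user message, which is why the
    record limit caps the user message size; any result above 1 means the
    message does not fit that mapping at all.
    """
    return math.ceil(user_message_len / max_payload_per_record(limit, version))


if __name__ == "__main__":
    # Constructed sample sizes from the thread ("144 kb", "500 kb"), read as KiB.
    # The 2**16 - 1 row is the draft's 64KB claim, which RFC 8449 does not allow;
    # it is included only to show the larger 3GPP messages still would not fit.
    for version, limit in (("DTLS1.2", 2**14), ("DTLS1.3", 2**14 + 1), ("DTLS1.3", 2**16 - 1)):
        for msg in (144 * 1024, 500 * 1024):
            n = records_needed(msg, limit, version)
            print(f"{version} limit={limit}: {msg}-byte message needs {n} record(s)")
```

Run it as a script to see the table; the key observation is that the limit a peer advertises is only ever honoured up to the protocol-defined maximum, so an advertised 65535 on DTLS 1.3 collapses to 16385, and even a hypothetical 64 KB record leaves a 500 KiB message needing several records.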