[tsvwg] sanity checking DTLS ICMP errors

Dan Wing <dwing@cisco.com> Mon, 19 January 2015 19:44 UTC

From: Dan Wing <dwing@cisco.com>
Message-Id: <5FFBC79D-AE0A-4B44-B11F-7A2D6EA00347@cisco.com>
Date: Mon, 19 Jan 2015 11:43:51 -0800
To: tsvwg@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/tsvwg/lZlK-rVhloqxY6Qx_MElwcnXhIk>
Subject: [tsvwg] sanity checking DTLS ICMP errors
List-Id: Transport Area Working Group <tsvwg.ietf.org>

To reduce the attack surface, TCP implementations have been validating ICMP error messages to be in-window (RFC5927).

On a thread over on RTCWEB with Michael Tüxen, it seems DTLS-encrypted packets might benefit from a similar validation. There are some fields early in the packet that might be useful for such validation,

      struct {
        ContentType type;
        ProtocolVersion version;
        uint16 epoch;                                     // New field
        uint48 sequence_number;                           // New field
        uint16 length;
        select (CipherSpec.cipher_type) {
          case block:  GenericBlockCipher;
        } fragment;
      } DTLSCiphertext;

however, both the Epoch and Sequence Number start at zero (unlike TCP's initial sequence number, which has been random for nearly 20 years).

Do we want to validate ICMP error messages for DTLS packets?  If so, can DTLS have a randomized initial sequence number?

-d
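A sender-side plausibility check of the kind the post proposes, written as an added C example that is not code from the post or from any DTLS implementation: it parses the DTLSCiphertext header fields quoted back inside an ICMP error and accepts the error only when the epoch matches the current write epoch and the sequence number is one this endpoint has already used, within a recent window. The transmit-state struct, the window size and the sample header bytes are assumptions constructed for the example; because epoch and sequence number both start at zero, a guessed header with low values early in a session passes this check, which is exactly the weakness the post raises.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define DTLS_HDR_LEN 13  /* fixed DTLS record header size (RFC 6347) */

/* Parsed DTLSCiphertext header fields that precede the encrypted fragment. */
struct dtls_hdr {
    uint8_t  type;     /* ContentType: 20..23 */
    uint16_t version;  /* 0xFEFF = DTLS 1.0, 0xFEFD = DTLS 1.2 */
    uint16_t epoch;
    uint64_t seq;      /* 48-bit sequence number, widened to 64 bits */
    uint16_t length;
};

/* Parse the record header from the bytes an ICMP error quotes back; false if truncated. */
bool dtls_parse_hdr(const uint8_t *p, size_t n, struct dtls_hdr *h) {
    if (n < DTLS_HDR_LEN) return false;
    h->type    = p[0];
    h->version = (uint16_t)((p[1] << 8) | p[2]);
    h->epoch   = (uint16_t)((p[3] << 8) | p[4]);
    h->seq     = 0;
    for (int i = 5; i < 11; i++) h->seq = (h->seq << 8) | p[i];
    h->length  = (uint16_t)((p[11] << 8) | p[12]);
    return true;
}

/* Assumed sending-side state: the record counters this endpoint has actually used. */
struct dtls_tx_state {
    uint16_t epoch;     /* current write epoch */
    uint64_t next_seq;  /* next sequence number to be assigned in this epoch */
};

/* Accept the ICMP error only if the quoted record is one this endpoint could have sent
   recently: well-formed header, current epoch, and a sequence number already used and
   no more than `window` records behind the latest one. */
bool dtls_icmp_plausible(const struct dtls_tx_state *st,
                         const uint8_t *quoted, size_t n, uint64_t window) {
    struct dtls_hdr h;
    if (!dtls_parse_hdr(quoted, n, &h)) return false;
    if (h.type < 20 || h.type > 23) return false;
    if (h.version != 0xFEFD && h.version != 0xFEFF) return false;
    if (h.epoch != st->epoch) return false;
    if (h.seq >= st->next_seq) return false;          /* we never sent this one */
    return (st->next_seq - h.seq) <= window;
}

/* Constructed sample: application_data, DTLS 1.2, epoch 1, sequence 42, length 16. */
static const uint8_t SAMPLE_QUOTED[DTLS_HDR_LEN] = {
    0x17, 0xFE, 0xFD, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x10 };
```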