IETF Logo Mail Archive

Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encaps: To End 28th February 2014

Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Mon, 03 March 2014 14:25 UTC

Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68ED01A017E for <tsvwg@ietfa.amsl.com>; Mon, 3 Mar 2014 06:25:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1iHkWoCPqxxu for <tsvwg@ietfa.amsl.com>; Mon, 3 Mar 2014 06:25:22 -0800 (PST)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by ietfa.amsl.com (Postfix) with ESMTP id 95F581A0126 for <tsvwg@ietf.org>; Mon, 3 Mar 2014 06:25:22 -0800 (PST)
Received: from dhcp-9fd9.meeting.ietf.org (dhcp-9fd9.meeting.ietf.org [31.133.159.217]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTP id 14C071C104303; Mon, 3 Mar 2014 15:25:18 +0100 (CET)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <531454EF.2090608@ericsson.com>
Date: Mon, 03 Mar 2014 14:25:17 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <B5864301-427B-4467-86D6-1542AD7F65F5@lurchi.franken.de>
References: <52F51569.8020501@erg.abdn.ac.uk> <530EF3DB.9020303@ericsson.com> <8F68A39F-7E0C-495E-89D9-3AD38DE72572@lurchi.franken.de> <531454EF.2090608@ericsson.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/tsvwg/ryZhuHYq250g1UYrlQcAcJ8q7x8
Cc: tsvwg WG <tsvwg@ietf.org>
Subject: Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encaps: To End 28th February 2014
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 14:25:26 -0000

On 03 Mar 2014, at 10:09, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:

> Hi,
> 
> I removed things that don't additional follow up.
> 
> On 2014-02-28 21:24, Michael Tuexen wrote:
> 
>>> 
>>> 3) Section 4:
>>> 
>>>  The DTLS implementation MUST be based on [RFC6347].
>>> 
>>> What happens when RFC 6347 is obsoleted? And that obsoletion can be
>>> based on two cases, either the whole DTLS version is being replaced or
>>> the RFC just updated for the same DTLS version. The later case I
>>> definitely should be less locked in. For the DTLS version it is a
>>> question of interoperability. Thus I think one probably should word this as:
>>> 
>>>  The DTLS implementation MUST be based on DTLS 1.2 [RFC6347].
>>> 
>>> Then one could add supporting future versions of DTLS is RECOMMENDED if
>>> defined.
>> OK. The reads
>> 
>> <t>The DTLS implementation MUST be based on DTLS 1.2 <xref target='RFC6347'/>.
>> The support of future versions of DTLS is RECOMMENDED if defined</t>
> 
> I think that is okay.
OK.
> 
>> 
>>> 
>>> 4) Section 4:
>>> 
>>>  If path MTU discovery is performed by the DTLS layer, the method
>>>  described in [RFC4821] MUST be used.  For probe packets, the
>>>  extension defined in [RFC6520] MUST be used.
>>> 
>>>  If path MTU discovery is performed by the SCTP layer and IPv4 is used
>>>  as the network layer protocol, the DTLS implementation MUST allow the
>>>  DTLS user to enforce that the corresponding IPv4 packet is sent with
>>>  the DF bit set.
>>> 
>>> Although this is stated, there are no requirement that I find in the
>>> specification that says that you MUST implement a PMTUD method. My
>> 
>>> understanding is that IP/UDP/DTLS/SCTP is going to have a misserable
>>> time working if one ends up with IP fragments in other cases than for
>>> PMTUD probing packets. Thus, I think there needs to be a requirement on
>>> implementing some type of PMTUD method that works in this setting.
> 
>> It is stated in Section 5 of draft-ietf-rtcweb-data-channel that
>> PMTU discovery MUST be done by SCTP.
> 
> I think that is the wrong place. To my understanding the PMTUD is really
> important to get SCTP to behave well. Thus, this DTLS encapsulation can
> be used by other protocols than data channels, thus I think this is the
> document that should mandate the PMTUD discovery.
I added text that you MUST do PMTUD either in SCTP or DTLS.
draft-ietf-rtcweb-data-channel then nails this down to SCTP
MUST do this in the RTCWeb context. That should cover what you want,
right?
> 
> 
>>> 
>>> I propose:
>>> 
>>>  An implementation of SCTP over DTLS MUST implement and use a path
>>>  MTU discovery method that functions without ICMP to provide SCTP
>>>  with a MTU estimate. An implementation of "Packetization Layer Path
>>>  MTU Discovery" [RFC4821] either in SCTP or DTLS is RECOMMENDED.
>>> 
>>> I do note that this text is not suitable in any of the existing
>>> sections. Maybe a new section between 3 and 4 for general considerations.
>> Added exactly there...
>> 
>> I also added based on comments to one of the data channel documents:
>> 
>> <t>The DTLS implementation SHOULD allow the DTLS user to control the DSCP
>> value used for IP packets being sent.</t>
> 
> Also here I think it is a SCTP/DTLS issue, not a DATA-Channel/SCTP/DTLS
> issue.
And that is why I added it to draft-ietf-tsvwg-sctp-dtls-encaps. So I think we agree here,
or am I wrong?
> 
>>> 
>>> 5) Section 7.
>>> 
>>> It is not obvious that this do not create new security issues. To me an
>>> obvious candidate for causing potential issues is the requirement on
>>> SCTP to be able to function without ICMP. Are there behaviors introduced
>>> that are a result of not receiving ICMP because they are not provided to
>>> SCTP, which compared to SCTP over IP would not exist. At the same time I
>>> do realize that it protects the SCTP stack from some attack vectors
>>> through ICMP.
> 
>> The processing of ICMP is important to protect non-SCTP capable hosts.
>> But when using SCTP/DTLS, you are running about a connection oriented
>> protocol and therefore you can't just send SCTP packets to a host.
>> So I think this is very different. If you think these should be mentioned
>> explicitly, I can add such text.
> 
> Yes, I think that would be good.
OK. Added
<t>It should be noted that the inability to process ICMP or ICMPv6 messages
does not add any security issue. The processing of these messages for SCTP
carried over a connection-less lower layer like IP, IPv6 or UDP is required
to protect nodes not supporting SCTP. Since DTLS provides a connection-oriented
lower layer, this kind of protection is not necessary.</t>

OK?

Best regards
Michael
> 
> Thanks
> 
> Magnus Westerlund
> 
> ----------------------------------------------------------------------
> Services, Media and Network features, Ericsson Research EAB/TXM
> ----------------------------------------------------------------------
> Ericsson AB                 | Phone  +46 10 7148287
> Färögatan 6                 | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------
> 
>

v2.23.0 | Report a Bug | By Email