Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encaps: To End 28th February 2014
Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Mon, 03 March 2014 14:25 UTC
Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68ED01A017E for <tsvwg@ietfa.amsl.com>; Mon, 3 Mar 2014 06:25:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1iHkWoCPqxxu for <tsvwg@ietfa.amsl.com>; Mon, 3 Mar 2014 06:25:22 -0800 (PST)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by ietfa.amsl.com (Postfix) with ESMTP id 95F581A0126 for <tsvwg@ietf.org>; Mon, 3 Mar 2014 06:25:22 -0800 (PST)
Received: from dhcp-9fd9.meeting.ietf.org (dhcp-9fd9.meeting.ietf.org [31.133.159.217]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTP id 14C071C104303; Mon, 3 Mar 2014 15:25:18 +0100 (CET)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <531454EF.2090608@ericsson.com>
Date: Mon, 03 Mar 2014 14:25:17 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <B5864301-427B-4467-86D6-1542AD7F65F5@lurchi.franken.de>
References: <52F51569.8020501@erg.abdn.ac.uk> <530EF3DB.9020303@ericsson.com> <8F68A39F-7E0C-495E-89D9-3AD38DE72572@lurchi.franken.de> <531454EF.2090608@ericsson.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/tsvwg/ryZhuHYq250g1UYrlQcAcJ8q7x8
Cc: tsvwg WG <tsvwg@ietf.org>
Subject: Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encaps: To End 28th February 2014
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 14:25:26 -0000
On 03 Mar 2014, at 10:09, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote: > Hi, > > I removed things that don't additional follow up. > > On 2014-02-28 21:24, Michael Tuexen wrote: > >>> >>> 3) Section 4: >>> >>> The DTLS implementation MUST be based on [RFC6347]. >>> >>> What happens when RFC 6347 is obsoleted? And that obsoletion can be >>> based on two cases, either the whole DTLS version is being replaced or >>> the RFC just updated for the same DTLS version. The later case I >>> definitely should be less locked in. For the DTLS version it is a >>> question of interoperability. Thus I think one probably should word this as: >>> >>> The DTLS implementation MUST be based on DTLS 1.2 [RFC6347]. >>> >>> Then one could add supporting future versions of DTLS is RECOMMENDED if >>> defined. >> OK. The reads >> >> <t>The DTLS implementation MUST be based on DTLS 1.2 <xref target='RFC6347'/>. >> The support of future versions of DTLS is RECOMMENDED if defined</t> > > I think that is okay. OK. > >> >>> >>> 4) Section 4: >>> >>> If path MTU discovery is performed by the DTLS layer, the method >>> described in [RFC4821] MUST be used. For probe packets, the >>> extension defined in [RFC6520] MUST be used. >>> >>> If path MTU discovery is performed by the SCTP layer and IPv4 is used >>> as the network layer protocol, the DTLS implementation MUST allow the >>> DTLS user to enforce that the corresponding IPv4 packet is sent with >>> the DF bit set. >>> >>> Although this is stated, there are no requirement that I find in the >>> specification that says that you MUST implement a PMTUD method. My >> >>> understanding is that IP/UDP/DTLS/SCTP is going to have a misserable >>> time working if one ends up with IP fragments in other cases than for >>> PMTUD probing packets. Thus, I think there needs to be a requirement on >>> implementing some type of PMTUD method that works in this setting. > >> It is stated in Section 5 of draft-ietf-rtcweb-data-channel that >> PMTU discovery MUST be done by SCTP. > > I think that is the wrong place. To my understanding the PMTUD is really > important to get SCTP to behave well. Thus, this DTLS encapsulation can > be used by other protocols than data channels, thus I think this is the > document that should mandate the PMTUD discovery. I added text that you MUST do PMTUD either in SCTP or DTLS. draft-ietf-rtcweb-data-channel then nails this down to SCTP MUST do this in the RTCWeb context. That should cover what you want, right? > > >>> >>> I propose: >>> >>> An implementation of SCTP over DTLS MUST implement and use a path >>> MTU discovery method that functions without ICMP to provide SCTP >>> with a MTU estimate. An implementation of "Packetization Layer Path >>> MTU Discovery" [RFC4821] either in SCTP or DTLS is RECOMMENDED. >>> >>> I do note that this text is not suitable in any of the existing >>> sections. Maybe a new section between 3 and 4 for general considerations. >> Added exactly there... >> >> I also added based on comments to one of the data channel documents: >> >> <t>The DTLS implementation SHOULD allow the DTLS user to control the DSCP >> value used for IP packets being sent.</t> > > Also here I think it is a SCTP/DTLS issue, not a DATA-Channel/SCTP/DTLS > issue. And that is why I added it to draft-ietf-tsvwg-sctp-dtls-encaps. So I think we agree here, or am I wrong? > >>> >>> 5) Section 7. >>> >>> It is not obvious that this do not create new security issues. To me an >>> obvious candidate for causing potential issues is the requirement on >>> SCTP to be able to function without ICMP. Are there behaviors introduced >>> that are a result of not receiving ICMP because they are not provided to >>> SCTP, which compared to SCTP over IP would not exist. At the same time I >>> do realize that it protects the SCTP stack from some attack vectors >>> through ICMP. > >> The processing of ICMP is important to protect non-SCTP capable hosts. >> But when using SCTP/DTLS, you are running about a connection oriented >> protocol and therefore you can't just send SCTP packets to a host. >> So I think this is very different. If you think these should be mentioned >> explicitly, I can add such text. > > Yes, I think that would be good. OK. Added <t>It should be noted that the inability to process ICMP or ICMPv6 messages does not add any security issue. The processing of these messages for SCTP carried over a connection-less lower layer like IP, IPv6 or UDP is required to protect nodes not supporting SCTP. Since DTLS provides a connection-oriented lower layer, this kind of protection is not necessary.</t> OK? Best regards Michael > > Thanks > > Magnus Westerlund > > ---------------------------------------------------------------------- > Services, Media and Network features, Ericsson Research EAB/TXM > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 10 7148287 > Färögatan 6 | Mobile +46 73 0949079 > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com > ---------------------------------------------------------------------- > >
- [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-encap… Gorry Fairhurst
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Gorry Fairhurst
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Magnus Westerlund
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Irene Rüngeler
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Michael Tuexen
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Magnus Westerlund
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Michael Tuexen
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Magnus Westerlund
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Karen E. Egede Nielsen
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Michael Tuexen
- Re: [tsvwg] WGLC for draft-ietf-tsvwg-sctp-dtls-e… Karen E. Egede Nielsen