Re: [tsvwg] sanity checking DTLS ICMP errors
Yoshifumi Nishida <nishida@sfc.wide.ad.jp> Thu, 22 January 2015 08:35 UTC
In-Reply-To: <372D50B7-4AF4-41EC-A6E8-97E00C4F5FE8@lurchi.franken.de>
References: <5FFBC79D-AE0A-4B44-B11F-7A2D6EA00347@cisco.com> <372D50B7-4AF4-41EC-A6E8-97E00C4F5FE8@lurchi.franken.de>
Date: Thu, 22 Jan 2015 00:34:54 -0800
Message-ID: <CAO249ycaf8Q-AyTcp4cx3xhocyNzPEZzVO148XQfBJwhiKjWSw@mail.gmail.com>
From: Yoshifumi Nishida <nishida@sfc.wide.ad.jp>
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tsvwg/sT7-eg3v_eHDDyoW-GuvMhT-Gcc>
Cc: tsvwg <tsvwg@ietf.org>, Dan Wing <dwing@cisco.com>
Subject: Re: [tsvwg] sanity checking DTLS ICMP errors
List-Id: Transport Area Working Group <tsvwg.ietf.org>
On Mon, Jan 19, 2015 at 2:36 PM, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
>
> On 19 Jan 2015, at 20:43, Dan Wing <dwing@cisco.com> wrote:
> >
> > To reduce the attack surface, TCP implementations have been validating
> > ICMP error messages to be in-window (RFC5927).
> >
> > On a thread over on RTCWEB with Michael Tüxen, it seems DTLS-encrypted
> > packets might benefit from a similar validation.
>
> Just to add some information:
> Dan was asking why we couldn't just process incoming ICMP packets
> indicating that a packet sent was too big by SCTP when running over DTLS.
> My point was that we can't do the validation of the verification tag as we
> do normally for SCTP. That is why we use PMTUD as described in RFC4821 for
> http://tools.ietf.org/html/draft-ietf-tsvwg-sctp-dtls-encaps-08

Sorry if I'm missing something. I'm just curious after reading the following text:

    Incoming ICMP or ICMPv6 messages can't be processed by the SCTP layer,
    since there is no way to identify the corresponding association.

If the socket used for UDP encap is connected and if only one SCTP
association over DTLS is mapped to the socket, is it still impossible for
the SCTP layer to know if it receives ICMP errors?

Thanks,
--
Yoshi
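The checks the thread is contrasting, as an added example that is not part of the original mail exchange or of the draft: it builds constructed ICMP "Fragmentation Needed" messages quoting a TCP segment, a plain SCTP packet, and an SCTP packet carried in DTLS over UDP, then shows what the receiving transport can verify from the quoted bytes in each case. Addresses, ports, the verification tag, sequence numbers and the next-hop MTU are made-up test values, and the DTLS "ciphertext" is a placeholder byte string standing in for the encrypted record.

```python
"""Validating ICMP errors against transport state (added example, constructed data).

  * TCP  : quoted SEQ must be inside the send window (RFC 5927 Section 4.1 style).
  * SCTP : quoted verification tag must equal the association's peer tag
           (RFC 4960 Appendix C style); the tag sits in the first 8 transport
           bytes, which every ICMP error quotes.
  * SCTP over DTLS over UDP: after the UDP header comes a DTLS record header and
    ciphertext, so the SCTP common header (and its tag) is not visible; only the
    UDP 4-tuple can be matched, which identifies a socket but authenticates nothing.
"""
import struct
from dataclasses import dataclass
from enum import Enum

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP = 6, 17, 132
DTLS12_VERSION, DTLS_APPLICATION_DATA = 0xFEFD, 23


class Verdict(Enum):
    ACCEPT = "accept: quoted header validated against transport state"
    REJECT = "reject: quoted header does not match transport state"
    UNVERIFIABLE = "unverifiable: tag is encrypted; rely on RFC 4821 PLPMTUD instead"


@dataclass(frozen=True)
class Flow:  # local view of one connection / association / connected UDP socket
    src: str
    sport: int
    dst: str
    dport: int


def ipv4_header(src, dst, proto, payload_len):
    # Minimal IPv4 header, no options; checksum left 0 because it is not checked here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def icmp_frag_needed(next_hop_mtu, quoted_datagram):
    # ICMP type 3 code 4 (RFC 1191): unused(2) | next-hop MTU(2) | quoted datagram
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted_datagram


def parse_icmp_error(msg):
    """Return (next-hop MTU, IP proto, src, dst, quoted transport bytes)."""
    mtu = struct.unpack("!H", msg[6:8])[0]
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    src = ".".join(map(str, quoted[12:16]))
    dst = ".".join(map(str, quoted[16:20]))
    return mtu, quoted[9], src, dst, quoted[ihl:]


def four_tuple_matches(flow, src, dst, transport):
    # Ports are the first 4 bytes of TCP, UDP and SCTP headers alike.
    sport, dport = struct.unpack("!HH", transport[:4])
    return (src, sport, dst, dport) == (flow.src, flow.sport, flow.dst, flow.dport)


def validate_tcp(flow, snd_una, snd_nxt, msg):
    _, proto, src, dst, tr = parse_icmp_error(msg)
    if proto != IPPROTO_TCP or len(tr) < 8 or not four_tuple_matches(flow, src, dst, tr):
        return Verdict.REJECT
    seq = struct.unpack("!I", tr[4:8])[0]
    # SND.UNA <= SEG.SEQ < SND.NXT, computed modulo 2^32 so wraparound is handled.
    in_window = (seq - snd_una) % 2**32 < (snd_nxt - snd_una) % 2**32
    return Verdict.ACCEPT if in_window else Verdict.REJECT


def validate_sctp(flow, peer_vtag, msg):
    _, proto, src, dst, tr = parse_icmp_error(msg)
    if proto != IPPROTO_SCTP or len(tr) < 8 or not four_tuple_matches(flow, src, dst, tr):
        return Verdict.REJECT
    # SCTP common header: sport(2) dport(2) verification tag(4) checksum(4).
    # A packet we sent carries the tag the peer assigned us, so compare to that.
    vtag = struct.unpack("!I", tr[4:8])[0]
    return Verdict.ACCEPT if vtag == peer_vtag else Verdict.REJECT


def validate_sctp_over_dtls_udp(flow, peer_vtag, msg):
    _, proto, src, dst, tr = parse_icmp_error(msg)
    if proto != IPPROTO_UDP or len(tr) < 8 or not four_tuple_matches(flow, src, dst, tr):
        return Verdict.REJECT
    # The 4-tuple picked the UDP socket, but bytes 8.. are a 13-byte DTLS record
    # header followed by ciphertext; the SCTP common header lives inside the
    # ciphertext, so peer_vtag cannot be compared with anything in the quote.
    return Verdict.UNVERIFIABLE


def build_samples():
    """Constructed flows and ICMP errors used by the demonstration and the tests."""
    flow = Flow("192.0.2.1", 5000, "198.51.100.7", 5001)
    other = Flow("192.0.2.1", 5000, "198.51.100.7", 6000)   # different peer port
    peer_vtag = 0xDEADBEEF
    tcp = struct.pack("!HHI", flow.sport, flow.dport, 1000)          # first 8 TCP bytes
    sctp = struct.pack("!HHII", flow.sport, flow.dport, peer_vtag, 0)
    ciphertext = bytes(range(32))                                    # placeholder, not real DTLS
    dtls = struct.pack("!BHHHIH", DTLS_APPLICATION_DATA, DTLS12_VERSION, 1, 0, 7, len(ciphertext))
    udp = struct.pack("!HHHH", flow.sport, flow.dport, 8 + len(dtls) + len(ciphertext), 0)
    return {
        "flow": flow, "other_flow": other, "peer_vtag": peer_vtag,
        "tcp": icmp_frag_needed(1280, ipv4_header(flow.src, flow.dst, IPPROTO_TCP, len(tcp)) + tcp),
        "sctp": icmp_frag_needed(1280, ipv4_header(flow.src, flow.dst, IPPROTO_SCTP, len(sctp)) + sctp),
        "dtls": icmp_frag_needed(1280, ipv4_header(flow.src, flow.dst, IPPROTO_UDP, len(udp)) + udp
                                 + dtls + ciphertext),
    }


if __name__ == "__main__":
    s = build_samples()
    print("tcp  ", validate_tcp(s["flow"], 900, 1500, s["tcp"]).value)
    print("sctp ", validate_sctp(s["flow"], s["peer_vtag"], s["sctp"]).value)
    print("dtls ", validate_sctp_over_dtls_udp(s["flow"], s["peer_vtag"], s["dtls"]).value)
```

The DTLS case is the distinction the question above turns on: a connected UDP socket with a single association lets the 4-tuple in the quoted datagram pick out that socket, but the verification tag that plain SCTP would compare is inside the encrypted record, so the SCTP layer still has nothing cryptographic or state-bound to check before acting on the reported MTU.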
- [tsvwg] sanity checking DTLS ICMP errors Dan Wing
- Re: [tsvwg] sanity checking DTLS ICMP errors Michael Tuexen
- Re: [tsvwg] sanity checking DTLS ICMP errors Yoshifumi Nishida
- Re: [tsvwg] sanity checking DTLS ICMP errors Michael Tuexen
- Re: [tsvwg] sanity checking DTLS ICMP errors Yoshifumi Nishida
- Re: [tsvwg] sanity checking DTLS ICMP errors Michael Tuexen