On Thu, Oct 12, 2017 at 4:33 PM, Martin Thomson <martin.thom...@gmail.com>
wrote:
>
> The example shows the connection ID only being used after the
> handshake completes (that is, on epoch=3), but handshake records
> (epoch=2) use the same record format and we already know the
> preference of the peer when sending them.  I can see why you opted for
> this design (there is no way for the server to signal that it intends
> to use the connection ID before it starts to send it), but that could
> be addressed by moving the extension to the ServerHello.  The value is
> sent on every subsequent record, so there is no real gain in having
> the extension in EncryptedExtensions.  There is value in having record
> construction be consistent.
>

Oops. It *is* in the ServerHello. This is an inconsistency because an early
draft had it in EncryptedExtensions and I just didn't update the example right.

"enables encryption early in the handshake phase the connection ID will
be enabled earlier. For this reason, the connection ID needs to go in
the DTLS 1.3 ServerHello."

It's fixed in the draft.


> The design for new connection IDs is clearly to handle the linkability
> issue, but the draft doesn't propose a solution for linking based on
> the monotonic increase of sequence numbers, or acknowledge the
> problem.
>

Sorry, that's a good point that somehow didn't make it from my head into the
draft. In DTLS, it's actually pretty easy to handle this in DTLS b/c you don't
need contiguous ranges except for anti-replay, so the sender can just jump
forward and then the receiver can keep a per-connid table. I've filed
https://github.com/ekr/dtls-conn-id/issues/2 to address this.

> We had comments about the length of the connection ID and the value
> being used as a covert channel.  That issue should at least be
> addressed in the security considerations.
>

I filed:
https://github.com/ekr/dtls-conn-id/issues/3

That said, I'm not sure that any plausible length CID can avoid this.

-Ekr


>
>
> On Fri, Oct 13, 2017 at 10:13 AM, Eric Rescorla <e...@rtfm.com> wrote:
> > Hi folks,
> >
> > I have just posted a first cut at a connection ID draft.
> > https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00
> >
> > Comments welcome.
> >
> > -Ekr
> >
> >
> >
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
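
The sequence-number jump and per-connid anti-replay table discussed in the message above, sketched as an added example; it is not code from the draft or from anyone on the thread. The class names, the 64-record window and the random gap size are assumptions made for illustration.

```python
import secrets

WINDOW = 64  # replay window width in records (an assumed, commonly used size)

class ReplayWindow:
    """Sliding-window anti-replay state for one connection ID."""
    def __init__(self):
        self.top = -1    # highest sequence number accepted so far
        self.bitmap = 0  # bit i set means (top - i) was already seen
    def accept(self, seq):
        if seq > self.top:  # new highest: slide the window forward
            shift = seq - self.top
            self.bitmap = 1 if shift >= WINDOW else \
                ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= WINDOW or (self.bitmap >> offset) & 1:
            return False  # too old to judge, or a replay
        self.bitmap |= 1 << offset
        return True

class Receiver:
    def __init__(self, per_cid):
        self.per_cid, self.windows = per_cid, {}
    def accept(self, cid, seq):
        key = cid if self.per_cid else None  # None: one shared window
        return self.windows.setdefault(key, ReplayWindow()).accept(seq)

class Sender:
    def __init__(self, cid):
        self.cid, self.seq = cid, 0
    def switch_cid(self, new_cid, max_gap=1 << 20):
        # Jump forward by a random amount (gap size is an assumption) so the
        # numbers seen under the new CID do not continue the old run.
        self.cid = new_cid
        self.seq += WINDOW + secrets.randbelow(max_gap)
    def next_record(self):
        rec = (self.cid, self.seq)
        self.seq += 1
        return rec

def demo(per_cid):
    s, r = Sender(b"cid-A"), Receiver(per_cid)
    a = [s.next_record() for _ in range(3)]
    s.switch_cid(b"cid-B")
    b = [s.next_record() for _ in range(2)]
    # Constructed delivery order: A0, A1, B, B, late A2, replayed A1.
    return [r.accept(c, q) for c, q in a[:2] + b + [a[2], a[1]]]
```

With one shared window the jump pushes the late record on the old connection ID out of range and it is dropped; with a window per connection ID it is accepted and the replay is still rejected.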
