Hi David, thanks again for these comments.
Speaking for myself, this exchange was not designed based on QUIC. I believe it pre-dated the corresponding work in QUIC. Anyway, there are different usage environments and, as you said, there is a difference in the amount of messages that may be lost. For some environments the loss 255 messages amounts to losing the message exchanges of several days, potentially weeks. As such, for those use cases the shorter sequence number space is perfectly fine. For other environments this is obviously an issue and you have to select the bigger sequence number space. More explanation about this aspect never hurts. Of course, nobody raised the need for such text so far and hence we didn’t add anything. As a way forward, we could add text to the UTA document. In the UTA document(s) we already talk about other configurable parameters, such as the timeout. Ciao Hannes From: TLS <tls-boun...@ietf.org> On Behalf Of David Benjamin Sent: Friday, April 12, 2024 11:36 PM To: <tls@ietf.org> <tls@ietf.org> Cc: Nick Harper <nhar...@chromium.org> Subject: [TLS] DTLS 1.3 sequence number lengths and lack of ACKs Hi all, Here's another issue we noticed with RFC 9147: (There's going to be a few of these emails. :-) ) DTLS 1.3 allows senders to pick an 8-bit or 16-bit sequence number. But, unless I missed it, there isn't any discussion or guidance on which to use. The draft simply says: > Implementations MAY mix sequence numbers of different lengths on the same > connection I assume this was patterned after QUIC, but looking at QUIC suggests an issue with the DTLS 1.3 formulation. QUIC uses ACKs to pick the minimum number of bytes needed for the peer to recover the sequence number: https://www.rfc-editor.org/rfc/rfc9000.html#packet-encoding But the bulk of DTLS records, app data, are unreliable and not ACKed. DTLS leaves all that to application. This means a DTLS implementation does not have enough information to make this decision. It would need to be integrated into the application-protocol-specific reliability story, if the application protocol even maintains that information. Without ACK feedback, it is hard to size the sequence number safely. Suppose a DTLS 1.3 stack unconditionally picked the 1-byte sequence number because it's smaller, and the draft didn't say not to do it. That means after getting out of sync by 256 records, either via reordering or loss, the connection breaks. For example, if there was a blip in connectivity and you happened to lose 256 records, your connection is stuck and cannot recover. All future records will be at higher and higher sequence numbers. A burst of 256 lost packets seems within the range of situations one would expect an application to handle. (The 2-byte sequence number fails at 65K losses, which is hopefully high enough to be fine? Though it's far far less than what QUIC's 1-4-byte sequence number can accommodate. It was also odd to see no discussion of this anywhere.) David
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
