[TLS] Re: DTLS DoS (Re: DTLS 1.3 ACKs near the version transition)

Tue, 24 Sep 2024 09:39:46 -0700 

On Tue, Sep 24, 2024, 12:35 David Benjamin <david...@chromium.org> wrote:

> On Tue, Sep 24, 2024, 12:12 Martin Thomson <m...@lowentropy.net> wrote:
>
>> On Thu, Sep 12, 2024, at 13:31, David Benjamin wrote:
>> > 1. If a DTLS 1.2 (i.e. does not implement RFC 9147 at all)
>> > implementation receives an ACK record for whatever reason, what
>> > happens? This decision we don't get to change. Rather, it is a design
>> > constraint. Both OpenSSL and BoringSSL treat unexpected record types as
>> > a fatal error. I haven't checked other implementations. So I think we
>> > must take as a constraint that you cannot send an ACK unless you know
>> > the peer is 1.3-capable.
>>
>> This is tangential, but I find this claim about {Open|Boring}SSL to be a
>> bit troubling, if true.
>>
>> No DTLS implementation should treat unauthenticated packets as being
>> fatal.  Though perhaps that could be true prior to completing the
>> handshake, the reasons for dying should still be somewhat limited.
>>
>
> This is unavoidable, no? Suppose I sent you an unauthenticated ACK, or
> part of a ClientHello/ServerHello with the wrong contents. Or maybe I made
> you think that the server sent HelloRetryRquest
>

Sorry I meant to say HelloVerifyRequest, since that is no longer allowed in
DTLS 1.3.

or a non-existent message as the first message. You'll update your internal
> state accordingly and fail to complete the handshake, e.g. because the
> transcript is wrong or you thought a packet was received but it wasn't.
>
> If the attacker can manipulate the transport for a given connection, they
> can cause the connection to fail. That's true in either TLS or DTLS. Of
> course, if they can break the integrity or confidentiality of the
> connection, that's a problem. Or if one connection can cause *another*
> connection to fail by using disproportionate global resources. But things
> we do in this working group can't really guarantee availability in the face
> of the underlying transport not working at all.
>
> David
>
>>

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to