| draft-ietf-tls-rfc4347-bis-01.txt | draft-ietf-tls-rfc4347-bis-02.txt | |||
|---|---|---|---|---|
| INTERNET-DRAFT E. Rescorla | INTERNET-DRAFT E. Rescorla | |||
| Obsoletes (if approved): RFC 4347 RTFM, Inc. | Obsoletes (if approved): RFC 4347 RTFM, Inc. | |||
| Intended Status: Proposed Standard N. Modadugu | Intended Status: Proposed Standard N. Modadugu | |||
| <draft-ietf-tls-rfc4347-bis-01.txt> Stanford University | <draft-ietf-tls-rfc4347-bis-02.txt> Stanford University | |||
| November 2008 (Expires May 2009) | March 7, 2009 (Expires September 2009) | |||
| Datagram Transport Layer Security version 1.2 | Datagram Transport Layer Security version 1.2 | |||
| Status of This Memo | Status of This Memo | |||
| By submitting this Internet-Draft, each author represents that any | This Internet-Draft is submitted to IETF in full conformance with the | |||
| applicable patent or other IPR claims of which he or she is aware | provisions of BCP 78 and BCP 79. This document may contain material | |||
| have been or will be disclosed, and any of which he or she becomes | from IETF Documents or IETF Contributions published or made publicly | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | available before November 10, 2008. The person(s) controlling the | |||
| copyright in some of this material may not have granted the IETF | ||||
| Trust the right to allow modifications of such material outside the | ||||
| IETF Standards Process. Without obtaining an adequate license from | ||||
| the person(s) controlling the copyright in such materials, this | ||||
| document may not be modified outside the IETF Standards Process, and | ||||
| derivative works of it may not be created outside the IETF Standards | ||||
| Process, except to format it for publication as an RFC or to | ||||
| translate it into languages other than English. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2008). | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | ||||
| This document is subject to BCP 78 and the IETF Trust's Legal | ||||
| Provisions Relating to IETF Documents in effect on the date of | ||||
| publication of this document (http://trustee.ietf.org/license-info). | ||||
| Please review these documents carefully, as they describe your rights | ||||
| and restrictions with respect to this document. | ||||
| Abstract | Abstract | |||
| This document specifies Version 1.2 of the Datagram Transport Layer | This document specifies Version 1.2 of the Datagram Transport Layer | |||
| Security (DTLS) protocol. The DTLS protocol provides communications | Security (DTLS) protocol. The DTLS protocol provides communications | |||
| privacy for datagram protocols. The protocol allows client/server | privacy for datagram protocols. The protocol allows client/server | |||
| applications to communicate in a way that is designed to prevent | applications to communicate in a way that is designed to prevent | |||
| eavesdropping, tampering, or message forgery. The DTLS protocol is | eavesdropping, tampering, or message forgery. The DTLS protocol is | |||
| based on the Transport Layer Security (TLS) protocol and provides | based on the Transport Layer Security (TLS) protocol and provides | |||
| equivalent security guarantees. Datagram semantics of the underlying | equivalent security guarantees. Datagram semantics of the underlying | |||
| transport are preserved by the DTLS protocol. This document | transport are preserved by the DTLS protocol. This document updates | |||
| updates DTLS 1.0 to work with TLS version 1.2. | DTLS 1.0 to work with TLS version 1.2. | |||
| Legal | ||||
| This documents and the information contained therein are provided on | ||||
| an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE | ||||
| REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE | ||||
| IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL | ||||
| WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY | ||||
| WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE | ||||
| ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS | ||||
| FOR A PARTICULAR PURPOSE. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction 2 | 1. Introduction 3 | |||
| 1.1. Requirements Terminology 3 | 1.1. Requirements Terminology 4 | |||
| 2. Usage Model 3 | 2. Usage Model 4 | |||
| 3. Overview of DTLS 4 | 3. Overview of DTLS 5 | |||
| 3.1. Loss-Insensitive Messaging 4 | 3.1. Loss-Insensitive Messaging 5 | |||
| 3.2. Providing Reliability for Handshake 5 | 3.2. Providing Reliability for Handshake 5 | |||
| 3.2.1. Packet Loss 5 | 3.2.1. Packet Loss 6 | |||
| 3.2.2. Reordering 5 | 3.2.2. Reordering 6 | |||
| 3.2.3. Message Size 6 | 3.2.3. Message Size 6 | |||
| 3.3. Replay Detection 6 | 3.3. Replay Detection 7 | |||
| 4. Differences from TLS 6 | 4. Differences from TLS 7 | |||
| 4.1. Record Layer 6 | 4.1. Record Layer 7 | |||
| 4.1.1. Transport Layer Mapping 8 | 4.1.1. Transport Layer Mapping 9 | |||
| 4.1.1.1. PMTU Issues 9 | 4.1.1.1. PMTU Issues 10 | |||
| 4.1.2. Record Payload Protection 10 | 4.1.2. Record Payload Protection 11 | |||
| 4.1.2.1. MAC 10 | 4.1.2.1. MAC 11 | |||
| 4.1.2.2. Null or Standard Stream Cipher 11 | 4.1.2.2. Null or Standard Stream Cipher 12 | |||
| 4.1.2.3. Block Cipher 11 | 4.1.2.3. Block Cipher 12 | |||
| 4.1.2.3. AEAD Ciphers 11 | 4.1.2.3. AEAD Ciphers 12 | |||
| 4.1.2.5. New Cipher Suites 11 | 4.1.2.5. New Cipher Suites 12 | |||
| 4.1.2.6. Anti-replay 11 | 4.1.2.6. Anti-replay 13 | |||
| 4.2. The DTLS Handshake Protocol 12 | 4.2. The DTLS Handshake Protocol 13 | |||
| 4.2.1. Denial of Service Countermeasures 12 | 4.2.1. Denial of Service Countermeasures 14 | |||
| 4.2.2. Handshake Message Format 15 | 4.2.2. Handshake Message Format 16 | |||
| 4.2.3. Message Fragmentation and Reassembly 16 | 4.2.3. Message Fragmentation and Reassembly 18 | |||
| 4.2.4. Timeout and Retransmission 17 | 4.2.4. Timeout and Retransmission 18 | |||
| 4.2.4.1. Timer Values 21 | 4.2.4.1. Timer Values 22 | |||
| 4.2.5. ChangeCipherSpec 21 | 4.2.5. ChangeCipherSpec 22 | |||
| 4.2.6. CertificateVerify and Finished Messages 21 | 4.2.6. CertificateVerify and Finished Messages 22 | |||
| 4.2.7. Alert Messages 21 | 4.2.7. Alert Messages 22 | |||
| 4.3. Summary of new syntax 22 | 4.3. Summary of new syntax 23 | |||
| 4.3.1. Record Layer 23 | 4.3.1. Record Layer 24 | |||
| 4.3.2. Handshake Protocol 23 | 4.3.2. Handshake Protocol 24 | |||
| 5. Security Considerations 24 | 5. Security Considerations 25 | |||
| 6. Acknowledgements 25 | 6. Acknowledgements 26 | |||
| 7. IANA Considerations 25 | 7. IANA Considerations 26 | |||
| 8. References 25 | 8. References 26 | |||
| 8.1. Normative References 25 | 8.1. Normative References 26 | |||
| 8.2. Informative References 26 | 8.2. Informative References 27 | |||
| 1. Introduction | 1. Introduction | |||
| TLS [TLS] is the most widely deployed protocol for securing network | TLS [TLS] is the most widely deployed protocol for securing network | |||
| traffic. It is widely used for protecting Web traffic and for e-mail | traffic. It is widely used for protecting Web traffic and for e-mail | |||
| protocols such as IMAP [IMAP] and POP [POP]. The primary advantage | protocols such as IMAP [IMAP] and POP [POP]. The primary advantage | |||
| of TLS is that it provides a transparent connection-oriented channel. | of TLS is that it provides a transparent connection-oriented channel. | |||
| Thus, it is easy to secure an application protocol by inserting TLS | Thus, it is easy to secure an application protocol by inserting TLS | |||
| between the application layer and the transport layer. However, TLS | between the application layer and the transport layer. However, TLS | |||
| must run over a reliable transport channel -- typically TCP [TCP]. | must run over a reliable transport channel -- typically TCP [TCP]. | |||
| skipping to change at page 7, line 34 | skipping to change at page 8, line 22 | |||
| The sequence number for this record. | The sequence number for this record. | |||
| length | length | |||
| Identical to the length field in a TLS 1.2 record. As in TLS | Identical to the length field in a TLS 1.2 record. As in TLS | |||
| 1.2, the length should not exceed 2^14. | 1.2, the length should not exceed 2^14. | |||
| fragment | fragment | |||
| Identical to the fragment field of a TLS 1.2 record. | Identical to the fragment field of a TLS 1.2 record. | |||
| DTLS uses an explicit sequence number, rather than an implicit one, | DTLS uses an explicit sequence number, rather than an implicit one, | |||
| carried in the sequence_number field of the record. As with TLS, the | carried in the sequence_number field of the record. Sequence numbers | |||
| sequence number is set to zero after each ChangeCipherSpec message is | are maintained separately for each epoch, with each sequence_number | |||
| sent. | initially being 0 for each epoch. For instance, if a handshake | |||
| message from epoch 0 is retransmitted, it might have a sequence | ||||
| number after a message from epoch 1, even if the message from epoch 1 | ||||
| was transmitted first. Note that some care needs to be taken during | ||||
| the handshake to ensure that retransmitted messages use the right | ||||
| epoch and keying material. | ||||
| If several handshakes are performed in close succession, there might | If several handshakes are performed in close succession, there might | |||
| be multiple records on the wire with the same sequence number but | be multiple records on the wire with the same sequence number but | |||
| from different cipher states. The epoch field allows recipients to | from different cipher states. The epoch field allows recipients to | |||
| distinguish such packets. The epoch number is initially zero and is | distinguish such packets. The epoch number is initially zero and is | |||
| incremented each time the ChangeCipherSpec messages is sent. In | incremented each time the ChangeCipherSpec messages is sent. In | |||
| order to ensure that any given sequence/epoch pair is unique, | order to ensure that any given sequence/epoch pair is unique, | |||
| implementations MUST NOT allow the same epoch value to be reused | implementations MUST NOT allow the same epoch value to be reused | |||
| within two times the TCP maximum segment lifetime. In practice, TLS | within two times the TCP maximum segment lifetime. In practice, TLS | |||
| implementations rarely rehandshake and we therefore do not expect | implementations rarely rehandshake and we therefore do not expect | |||
| this to be a problem. | this to be a problem. | |||
| Note that because DTLS records may be reordered, a record from epoch | Note that because DTLS records may be reordered, a record from epoch | |||
| 1 may be received after epoch 2 has begun. In general, | 1 may be received after epoch 2 has begun. In general, | |||
| implementations SHOULD discard packets from earlier epochs, but if | implementations SHOULD discard packets from earlier epochs, but if | |||
| packet loss causes noticeable problems MAY choose to retain keying | packet loss causes noticeable problems MAY choose to retain keying | |||
| material from previous epochs for up to 120 seconds (the default TCP | material from previous epochs for up to 120 seconds (the default TCP | |||
| MSL) to allow for packet reordering. | MSL) to allow for packet reordering. Until the handshake has | |||
| completed, implementations MUST accept packets from the old epoch. | ||||
| Conversely, it is possible for records that are protected by the | Conversely, it is possible for records that are protected by the | |||
| newly negotiated context to be received prior to the completion of a | newly negotiated context to be received prior to the completion of a | |||
| handshake. For instance, the server may send its Finished and then | handshake. For instance, the server may send its Finished and then | |||
| start transmitting data. Implementations MAY either buffer or | start transmitting data. Implementations MAY either buffer or | |||
| discard such packets, though when DTLS is used over reliable | discard such packets, though when DTLS is used over reliable | |||
| transports (e.g., SCTP), they SHOULD be buffered and processed once | transports (e.g., SCTP), they SHOULD be buffered and processed once | |||
| the handshake completes. Note that TLS's restrictions on when | the handshake completes. Note that TLS's restrictions on when | |||
| packets may be sent still apply, and the receiver treats the packets | packets may be sent still apply, and the receiver treats the packets | |||
| as if they were sent in the right order. In particular, it is still | as if they were sent in the right order. In particular, it is still | |||
| impermissible to send data prior to completion of the first | impermissible to send data prior to completion of the first | |||
| handshake. | handshake. | |||
| Note that in the special case of a rehandshake on an existing | ||||
| association, it is safe to process a data packet immediately even if | ||||
| the CSS or Finished has not yet been received provided that either | ||||
| the rehandshake resumes the existing session or that it uses exactly | ||||
| the same security parameters as the existing association. In an | ||||
| other case, the implementation MUST wait for the receipt of the | ||||
| Finished to prevent downgrade attack. | ||||
| 4.1.1. Transport Layer Mapping | 4.1.1. Transport Layer Mapping | |||
| Each DTLS record MUST fit within a single datagram. In order to | Each DTLS record MUST fit within a single datagram. In order to | |||
| avoid fragmentation, that clients of the DTLS record layer SHOULD | avoid fragmentation, that clients of the DTLS record layer SHOULD | |||
| attempt to size records so that they fit within any PMTU estimates | attempt to size records so that they fit within any PMTU estimates | |||
| obtained from the record layer. | obtained from the record layer. | |||
| Note that unlike IPsec, DTLS records do not contain any association | Note that unlike IPsec, DTLS records do not contain any association | |||
| identifiers. Applications must arrange to multiplex between | identifiers. Applications must arrange to multiplex between | |||
| associations. With UDP, this is presumably done with host/port | associations. With UDP, this is presumably done with host/port | |||
| skipping to change at page 9, line 41 | skipping to change at page 10, line 45 | |||
| particular: | particular: | |||
| - For DTLS over UDP, the upper layer protocol SHOULD be allowed | - For DTLS over UDP, the upper layer protocol SHOULD be allowed | |||
| to obtain the PMTU estimate maintained in the IP layer. | to obtain the PMTU estimate maintained in the IP layer. | |||
| - For DTLS over DCCP, the upper layer protocol | - For DTLS over DCCP, the upper layer protocol | |||
| SHOULD be allowed to obtain the current estimate of the | SHOULD be allowed to obtain the current estimate of the | |||
| PMTU. | PMTU. | |||
| - For DTLS over TCP or SCTP, which automatically fragment | - For DTLS over TCP or SCTP, which automatically fragment | |||
| and reassemble datagrams, the upper layer protocol | and reassemble datagrams, there is no PMTU limitation. | |||
| SHOULD be informed that the PMTU is effectively infinite. | However, the upper layer protocol MUST NOT write any | |||
| record that exceeds the maximum record size of 2^14 bytes. | ||||
| The DTLS record layer SHOULD allow the upper layer protocol to | The DTLS record layer SHOULD allow the upper layer protocol to | |||
| discover the amount of record expansion expected by the DTLS | discover the amount of record expansion expected by the DTLS | |||
| processing. Note that this number is only an estimate because of | processing. Note that this number is only an estimate because of | |||
| block padding and the potential use of DTLS compression. | block padding and the potential use of DTLS compression. | |||
| If there is a transport protocol indication (either via ICMP or via a | If there is a transport protocol indication (either via ICMP or via a | |||
| refusal to send the datagram as in DCCP Section 14), then DTLS record | refusal to send the datagram as in DCCP Section 14), then DTLS record | |||
| layer should inform the upper layer protocol of the error. | layer should inform the upper layer protocol of the error. | |||
| skipping to change at page 15, line 26 | skipping to change at page 16, line 34 | |||
| handshake. | handshake. | |||
| If HelloVerifyRequest is used, the initial ClientHello and | If HelloVerifyRequest is used, the initial ClientHello and | |||
| HelloVerifyRequest are not included in the calculation of the | HelloVerifyRequest are not included in the calculation of the | |||
| handshake_messages (for the CertificateVerify message) and | handshake_messages (for the CertificateVerify message) and | |||
| verify_data (for the Finished message). | verify_data (for the Finished message). | |||
| If a server receives a ClientHello with an invalid cookie, it SHOULD | If a server receives a ClientHello with an invalid cookie, it SHOULD | |||
| treat it the same as a ClientHello with no cookie. This avoids | treat it the same as a ClientHello with no cookie. This avoids | |||
| race/deadlock conditions if the client somehow gets a bad cookie | race/deadlock conditions if the client somehow gets a bad cookie | |||
| (e.g., because the server changes its cookie signing key). | (e.g., because the server changes its cookie signing key). Note to | |||
| implementors: this may results in clients receiving multiple | ||||
| HelloVerifyRequest messages with different cookies. Clients SHOULD | ||||
| handle this by sending a new HelloVerify in response to the new | ||||
| HelloVerifyRequest. | ||||
| 4.2.2. Handshake Message Format | 4.2.2. Handshake Message Format | |||
| In order to support message loss, reordering, and fragmentation, DTLS | In order to support message loss, reordering, and fragmentation, DTLS | |||
| modifies the TLS 1.2 handshake header: | modifies the TLS 1.2 handshake header: | |||
| struct { | struct { | |||
| HandshakeType msg_type; | HandshakeType msg_type; | |||
| uint24 length; | uint24 length; | |||
| uint16 message_seq; // New field | uint16 message_seq; // New field | |||
| skipping to change at page 28, line 4 | skipping to change at line 1261 | |||
| EMail: ekr@rtfm.com | EMail: ekr@rtfm.com | |||
| Nagendra Modadugu | Nagendra Modadugu | |||
| Computer Science Department | Computer Science Department | |||
| Stanford University | Stanford University | |||
| 353 Serra Mall | 353 Serra Mall | |||
| Stanford, CA 94305 | Stanford, CA 94305 | |||
| EMail: nagendra@cs.stanford.edu | EMail: nagendra@cs.stanford.edu | |||
| Full Copyright Statement | ||||
| Copyright (C) The IETF Trust (2008). | ||||
| This document is subject to the rights, licenses and restrictions | ||||
| contained in BCP 78, and except as set forth therein, the authors | ||||
| retain all their rights. | ||||
| This document and the information contained herein are provided on an | ||||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | ||||
| THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | ||||
| OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | ||||
| THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
| Intellectual Property | ||||
| The IETF takes no position regarding the validity or scope of any | ||||
| Intellectual Property Rights or other rights that might be claimed to | ||||
| pertain to the implementation or use of the technology described in | ||||
| this document or the extent to which any license under such rights | ||||
| might or might not be available; nor does it represent that it has | ||||
| made any independent effort to identify any such rights. Information | ||||
| on the procedures with respect to rights in RFC documents can be | ||||
| found in BCP 78 and BCP 79. | ||||
| Copies of IPR disclosures made to the IETF Secretariat and any | ||||
| assurances of licenses to be made available, or the result of an | ||||
| attempt made to obtain a general license or permission for the use of | ||||
| such proprietary rights by implementers or users of this | ||||
| specification can be obtained from the IETF on-line IPR repository at | ||||
| http://www.ietf.org/ipr. | ||||
| The IETF invites any interested party to bring to its attention any | ||||
| copyrights, patents or patent applications, or other proprietary | ||||
| rights that may cover technology that may be required to implement | ||||
| this standard. Please address the information to the IETF at | ||||
| ietf-ipr@ietf.org. | ||||
| Acknowledgment | ||||
| Funding for the RFC Editor function is provided by the IETF | ||||
| Administrative Support Activity (IASA). | ||||
| End of changes. 13 change blocks. | ||||
| 53 lines changed or deleted | 98 lines changed or added | |||
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||