--- 1/draft-ietf-tls-rfc4347-bis-01.txt 2009-03-08 01:12:08.000000000 +0100 +++ 2/draft-ietf-tls-rfc4347-bis-02.txt 2009-03-08 01:12:08.000000000 +0100 @@ -1,99 +1,125 @@ INTERNET-DRAFT E. Rescorla Obsoletes (if approved): RFC 4347 RTFM, Inc. Intended Status: Proposed Standard N. Modadugu - Stanford University - November 2008 (Expires May 2009) + Stanford University + March 7, 2009 (Expires September 2009) Datagram Transport Layer Security version 1.2 Status of This Memo - By submitting this Internet-Draft, each author represents that any - applicable patent or other IPR claims of which he or she is aware - have been or will be disclosed, and any of which he or she becomes - aware will be disclosed, in accordance with Section 6 of BCP 79. + This Internet-Draft is submitted to IETF in full conformance with the + provisions of BCP 78 and BCP 79. This document may contain material + from IETF Documents or IETF Contributions published or made publicly + available before November 10, 2008. The person(s) controlling the + copyright in some of this material may not have granted the IETF + Trust the right to allow modifications of such material outside the + IETF Standards Process. Without obtaining an adequate license from + the person(s) controlling the copyright in such materials, this + document may not be modified outside the IETF Standards Process, and + derivative works of it may not be created outside the IETF Standards + Process, except to format it for publication as an RFC or to + translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice - Copyright (C) The IETF Trust (2008). + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents in effect on the date of + publication of this document (http://trustee.ietf.org/license-info). + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. Abstract This document specifies Version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying - transport are preserved by the DTLS protocol. This document - updates DTLS 1.0 to work with TLS version 1.2. + transport are preserved by the DTLS protocol. This document updates + DTLS 1.0 to work with TLS version 1.2. + +Legal + + This documents and the information contained therein are provided on + an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE + REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE + IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL + WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY + WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE + ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS + FOR A PARTICULAR PURPOSE. Table of Contents - 1. Introduction 2 - 1.1. Requirements Terminology 3 - 2. Usage Model 3 - 3. Overview of DTLS 4 - 3.1. Loss-Insensitive Messaging 4 + 1. Introduction 3 + 1.1. Requirements Terminology 4 + 2. Usage Model 4 + 3. Overview of DTLS 5 + 3.1. Loss-Insensitive Messaging 5 3.2. Providing Reliability for Handshake 5 - 3.2.1. Packet Loss 5 - 3.2.2. Reordering 5 + 3.2.1. Packet Loss 6 + 3.2.2. Reordering 6 3.2.3. Message Size 6 - 3.3. Replay Detection 6 - 4. Differences from TLS 6 - 4.1. Record Layer 6 - 4.1.1. Transport Layer Mapping 8 - 4.1.1.1. PMTU Issues 9 - 4.1.2. Record Payload Protection 10 - 4.1.2.1. MAC 10 - 4.1.2.2. Null or Standard Stream Cipher 11 - 4.1.2.3. Block Cipher 11 - 4.1.2.3. AEAD Ciphers 11 - 4.1.2.5. New Cipher Suites 11 - 4.1.2.6. Anti-replay 11 - 4.2. The DTLS Handshake Protocol 12 - 4.2.1. Denial of Service Countermeasures 12 - 4.2.2. Handshake Message Format 15 - 4.2.3. Message Fragmentation and Reassembly 16 - 4.2.4. Timeout and Retransmission 17 - 4.2.4.1. Timer Values 21 - 4.2.5. ChangeCipherSpec 21 - 4.2.6. CertificateVerify and Finished Messages 21 - 4.2.7. Alert Messages 21 - 4.3. Summary of new syntax 22 - 4.3.1. Record Layer 23 - 4.3.2. Handshake Protocol 23 - 5. Security Considerations 24 - 6. Acknowledgements 25 - 7. IANA Considerations 25 - 8. References 25 - 8.1. Normative References 25 - 8.2. Informative References 26 + 3.3. Replay Detection 7 + 4. Differences from TLS 7 + 4.1. Record Layer 7 + 4.1.1. Transport Layer Mapping 9 + 4.1.1.1. PMTU Issues 10 + 4.1.2. Record Payload Protection 11 + 4.1.2.1. MAC 11 + 4.1.2.2. Null or Standard Stream Cipher 12 + 4.1.2.3. Block Cipher 12 + 4.1.2.3. AEAD Ciphers 12 + 4.1.2.5. New Cipher Suites 12 + 4.1.2.6. Anti-replay 13 + 4.2. The DTLS Handshake Protocol 13 + 4.2.1. Denial of Service Countermeasures 14 + 4.2.2. Handshake Message Format 16 + 4.2.3. Message Fragmentation and Reassembly 18 + 4.2.4. Timeout and Retransmission 18 + 4.2.4.1. Timer Values 22 + 4.2.5. ChangeCipherSpec 22 + 4.2.6. CertificateVerify and Finished Messages 22 + 4.2.7. Alert Messages 22 + 4.3. Summary of new syntax 23 + 4.3.1. Record Layer 24 + 4.3.2. Handshake Protocol 24 + 5. Security Considerations 25 + 6. Acknowledgements 26 + 7. IANA Considerations 26 + 8. References 26 + 8.1. Normative References 26 + 8.2. Informative References 27 1. Introduction TLS [TLS] is the most widely deployed protocol for securing network traffic. It is widely used for protecting Web traffic and for e-mail protocols such as IMAP [IMAP] and POP [POP]. The primary advantage of TLS is that it provides a transparent connection-oriented channel. Thus, it is easy to secure an application protocol by inserting TLS between the application layer and the transport layer. However, TLS must run over a reliable transport channel -- typically TCP [TCP]. @@ -306,54 +332,68 @@ The sequence number for this record. length Identical to the length field in a TLS 1.2 record. As in TLS 1.2, the length should not exceed 2^14. fragment Identical to the fragment field of a TLS 1.2 record. DTLS uses an explicit sequence number, rather than an implicit one, - carried in the sequence_number field of the record. As with TLS, the - sequence number is set to zero after each ChangeCipherSpec message is - sent. + carried in the sequence_number field of the record. Sequence numbers + are maintained separately for each epoch, with each sequence_number + initially being 0 for each epoch. For instance, if a handshake + message from epoch 0 is retransmitted, it might have a sequence + number after a message from epoch 1, even if the message from epoch 1 + was transmitted first. Note that some care needs to be taken during + the handshake to ensure that retransmitted messages use the right + epoch and keying material. If several handshakes are performed in close succession, there might be multiple records on the wire with the same sequence number but from different cipher states. The epoch field allows recipients to distinguish such packets. The epoch number is initially zero and is incremented each time the ChangeCipherSpec messages is sent. In order to ensure that any given sequence/epoch pair is unique, implementations MUST NOT allow the same epoch value to be reused within two times the TCP maximum segment lifetime. In practice, TLS implementations rarely rehandshake and we therefore do not expect this to be a problem. Note that because DTLS records may be reordered, a record from epoch 1 may be received after epoch 2 has begun. In general, implementations SHOULD discard packets from earlier epochs, but if packet loss causes noticeable problems MAY choose to retain keying material from previous epochs for up to 120 seconds (the default TCP - MSL) to allow for packet reordering. + MSL) to allow for packet reordering. Until the handshake has + completed, implementations MUST accept packets from the old epoch. Conversely, it is possible for records that are protected by the newly negotiated context to be received prior to the completion of a handshake. For instance, the server may send its Finished and then start transmitting data. Implementations MAY either buffer or discard such packets, though when DTLS is used over reliable transports (e.g., SCTP), they SHOULD be buffered and processed once the handshake completes. Note that TLS's restrictions on when packets may be sent still apply, and the receiver treats the packets as if they were sent in the right order. In particular, it is still impermissible to send data prior to completion of the first handshake. + Note that in the special case of a rehandshake on an existing + association, it is safe to process a data packet immediately even if + the CSS or Finished has not yet been received provided that either + the rehandshake resumes the existing session or that it uses exactly + the same security parameters as the existing association. In an + other case, the implementation MUST wait for the receipt of the + Finished to prevent downgrade attack. + 4.1.1. Transport Layer Mapping Each DTLS record MUST fit within a single datagram. In order to avoid fragmentation, that clients of the DTLS record layer SHOULD attempt to size records so that they fit within any PMTU estimates obtained from the record layer. Note that unlike IPsec, DTLS records do not contain any association identifiers. Applications must arrange to multiplex between associations. With UDP, this is presumably done with host/port @@ -408,22 +448,23 @@ particular: - For DTLS over UDP, the upper layer protocol SHOULD be allowed to obtain the PMTU estimate maintained in the IP layer. - For DTLS over DCCP, the upper layer protocol SHOULD be allowed to obtain the current estimate of the PMTU. - For DTLS over TCP or SCTP, which automatically fragment - and reassemble datagrams, the upper layer protocol - SHOULD be informed that the PMTU is effectively infinite. + and reassemble datagrams, there is no PMTU limitation. + However, the upper layer protocol MUST NOT write any + record that exceeds the maximum record size of 2^14 bytes. The DTLS record layer SHOULD allow the upper layer protocol to discover the amount of record expansion expected by the DTLS processing. Note that this number is only an estimate because of block padding and the potential use of DTLS compression. If there is a transport protocol indication (either via ICMP or via a refusal to send the datagram as in DCCP Section 14), then DTLS record layer should inform the upper layer protocol of the error. @@ -680,21 +721,25 @@ handshake. If HelloVerifyRequest is used, the initial ClientHello and HelloVerifyRequest are not included in the calculation of the handshake_messages (for the CertificateVerify message) and verify_data (for the Finished message). If a server receives a ClientHello with an invalid cookie, it SHOULD treat it the same as a ClientHello with no cookie. This avoids race/deadlock conditions if the client somehow gets a bad cookie - (e.g., because the server changes its cookie signing key). + (e.g., because the server changes its cookie signing key). Note to + implementors: this may results in clients receiving multiple + HelloVerifyRequest messages with different cookies. Clients SHOULD + handle this by sending a new HelloVerify in response to the new + HelloVerifyRequest. 4.2.2. Handshake Message Format In order to support message loss, reordering, and fragmentation, DTLS modifies the TLS 1.2 handshake header: struct { HandshakeType msg_type; uint24 length; uint16 message_seq; // New field @@ -1205,55 +1251,10 @@ EMail: ekr@rtfm.com Nagendra Modadugu Computer Science Department Stanford University 353 Serra Mall Stanford, CA 94305 EMail: nagendra@cs.stanford.edu - -Full Copyright Statement - - Copyright (C) The IETF Trust (2008). - - This document is subject to the rights, licenses and restrictions - contained in BCP 78, and except as set forth therein, the authors - retain all their rights. - - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS - OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND - THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS - OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF - THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Intellectual Property - - The IETF takes no position regarding the validity or scope of any - Intellectual Property Rights or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; nor does it represent that it has - made any independent effort to identify any such rights. Information - on the procedures with respect to rights in RFC documents can be - found in BCP 78 and BCP 79. - - Copies of IPR disclosures made to the IETF Secretariat and any - assurances of licenses to be made available, or the result of an - attempt made to obtain a general license or permission for the use of - such proprietary rights by implementers or users of this - specification can be obtained from the IETF on-line IPR repository at - http://www.ietf.org/ipr. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights that may cover technology that may be required to implement - this standard. Please address the information to the IETF at - ietf-ipr@ietf.org. - -Acknowledgment - - Funding for the RFC Editor function is provided by the IETF - Administrative Support Activity (IASA).