On 17 March 2017 at 10:58, Matt Caswell <fr...@baggins.org> wrote:
> In DTLS1.3 the cookie is now (potentially) much larger and appears much later in
> the ClientHello, making it much more likely that it will not fall fully within the
> first fragment. This could mean a fully stateless solution is impossible.
I think that it is feasible to simply require that ClientHello be contained in a single datagram. QUIC does this and when we did the sums it wasn't completely unreasonable, even assuming several key shares and a big-ish cookie. And then we made it possible to make the cookie even smaller in -19. That assumes that you are willing to assume a 1k MTU, which I know IPv4 doesn't guarantee. I'd be OK with adding a caveat on that point in the form of "Consequently, DTLS might not work with a small MTU".

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
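The size budget the reply refers to ("when we did the sums"), worked through as an added illustration; this is not the poster's own computation nor any project's code. It assumes an IPv4/UDP/DTLS header stack, a DTLS 1.3 ClientHello layout with a 32-byte legacy_session_id and an empty legacy_cookie, a fixed allowance of 150 bytes for the remaining extensions (supported_versions, signature_algorithms, SNI and so on), and the standard key_exchange lengths for each named group. All of those figures are assumptions chosen for the illustration, and the MTU of 1000 bytes mirrors the "1k MTU" in the reply.

```python
"""Rough ClientHello size budget for DTLS 1.3 in a single datagram.

Added illustration, not the poster's own sums. Header and field sizes are
assumptions documented inline; key_exchange lengths are the TLS 1.3 wire
sizes for the named groups.
"""

# Wire size of the key_exchange field for each named group (TLS 1.3 key_share).
KEY_EXCHANGE_LEN = {
    "x25519": 32,
    "x448": 56,
    "secp256r1": 65,
    "secp384r1": 97,
    "secp521r1": 133,
    "ffdhe2048": 256,
}

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
DTLS_RECORD_HDR = 13      # DTLSPlaintext record header
DTLS_HANDSHAKE_HDR = 12   # DTLS handshake header including fragment fields


def key_share_ext_len(groups):
    """Size of a key_share extension carrying one KeyShareEntry per group."""
    # Each entry: group (2) + key_exchange length (2) + key_exchange bytes.
    entries = sum(2 + 2 + KEY_EXCHANGE_LEN[g] for g in groups)
    # Extension type (2) + extension length (2) + client_shares length (2).
    return 2 + 2 + 2 + entries


def cookie_ext_len(cookie_len):
    """Size of a cookie extension carrying cookie_len bytes."""
    # Extension type (2) + extension length (2) + cookie length (2) + cookie.
    return 2 + 2 + 2 + cookie_len


def client_hello_len(groups, cookie_len, n_cipher_suites=3, other_ext_len=150):
    """Estimated ClientHello body length (handshake header excluded).

    other_ext_len is an assumed allowance for all extensions other than
    key_share and cookie.
    """
    fixed = (
        2            # legacy_version
        + 32         # random
        + 1 + 32     # legacy_session_id (assume 32 bytes, middlebox-compat style)
        + 1          # legacy_cookie (DTLS-only field, assumed empty)
        + 2 + 2 * n_cipher_suites
        + 1 + 1      # legacy_compression_methods
        + 2          # extensions length
    )
    return fixed + other_ext_len + key_share_ext_len(groups) + cookie_ext_len(cookie_len)


def fits_in_datagram(groups, cookie_len, mtu=1000, ipv6=False, **kw):
    """Return (fits, spare_bytes) for a ClientHello sent in one datagram of size mtu."""
    headers = (IPV6_HDR if ipv6 else IPV4_HDR) + UDP_HDR + DTLS_RECORD_HDR + DTLS_HANDSHAKE_HDR
    body = client_hello_len(groups, cookie_len, **kw)
    spare = mtu - headers - body
    return spare >= 0, spare


if __name__ == "__main__":
    # Three ECDHE shares and a 255-byte cookie still leave room at a 1k MTU.
    print(fits_in_datagram(["x25519", "secp256r1", "secp384r1"], 255))
    # A 2048-bit FFDHE share plus a 512-byte cookie does not.
    print(fits_in_datagram(["ffdhe2048", "secp521r1"], 512))
```

The point of the helper is that the cookie and the key shares are the only ClientHello fields whose size the client cannot bound in advance, so a "single datagram" rule is really a rule about how large a server may make its cookie and how many shares a client offers; trying a few combinations against the header overhead shows where the caveat about small MTUs bites.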