On Sat, Apr 25, 2020, at 01:56, chris - wrote:
> However, the formal
> models of [1,2] assume reliable transport (i.e., TCP): failure to
> deliver packets in order is deemed an attack. Therefore, the
> definitions would need to be changed in order to account for the case
> of DTLS. (I'm not sure if this has been studied.) My hunch is that the
> same design pattern (i.e., "authenticate everything on the wire") would
> be called for, but I've not seen formal evidence either way.

A few of the submissions to QUIPS addressed this question for QUIC (which has a similar construction to DTLS) and concluded that this was broadly OK. What changes is the degree to which we rely on the strength of the AEAD for prevention of spoofing. (I'm sorry, but I can't find the paper that was most directly applicable, perhaps Felix can help out. https://eprint.iacr.org/2020/114.pdf does a pretty good job, though it is a broader treatment.)