Hi Martin, I believe the best approach is to address this issue is to use replay protection for post-handshake authentication messages. I believe there is value in enhancing the functionality of the post handshake authentication, particularly the key update message, and we could do it in this context.
FWIW I have prepared a draft that adds new functionality to the key update message: https://github.com/hannestschofenig/tschofenig-ids/blob/master/tls-key-update/draft-tschofenig-tls-extended-key-update.txt Ciao Hannes -----Ursprüngliche Nachricht----- Von: TLS <tls-boun...@ietf.org> Im Auftrag von Martin Thomson Gesendet: Dienstag, 28. November 2023 23:11 An: tls@ietf.org Betreff: Re: [TLS] DTLS 1.3 replay protection of post-handshake messages? On Tue, Nov 28, 2023, at 19:29, John Mattsson wrote: > I would strongly recommend all DTLS 1.3 libraries to completely remove > the option to disable replay protection. I believe that the reason this exists is that some higher-layer protocols have their own replay protection, such that as long as the datagram is authentic, it is safe. However, I agree that if we are sending handshake messages that affect DTLS state, it is probably not good to have the DTLS layer fail to provide that protection. I believe that you can operate DTLS 1.3 without post-handshake handshake/control messages, in which case you might manage to avoid exposure. NSS has no means to disable replay protection and I see no reason to add that means. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
