Circling back to this thread, I think the best thing to do is to just
concede we failed to actually increase the epoch space and permit
implementations to keep it 16-bit. We can try again in DTLS 1.4, or just
fully revert to a 16-bit epoch space.

I've filed the following errata to do this:
https://www.rfc-editor.org/errata/eid8048
https://www.rfc-editor.org/errata/eid8050

David

On Tue, Apr 16, 2024 at 2:16 AM Tschofenig, Hannes <
hannes.tschofe...@siemens.com> wrote:

> Hi David,
>
>
>
> thanks for your reviews and the details comments.
>
>
>
> Let me search for the exchanges that lead to the increase in the epoch
> space. I recall that this was very late in the process based on feedback
> from John, who noticed that the smaller epoch space helps IoT communication
> but not the DTLS use in SCTP.
>
>
>
> Regarding your statement: “65K epochs should be enough for anybody,
> perhaps DTLS 1.4 should update the RecordNumber structure accordingly and
> save a few bytes in the ACKs“. Possibly correct. I am going to ask the
> SCTP community for feedback to find out whether that is also true for them.
>
>
>
> Ciao
>
> Hannes
>
>
>
> *From:* TLS <tls-boun...@ietf.org> *On Behalf Of *David Benjamin
> *Sent:* Friday, April 12, 2024 1:16 AM
> *To:* <tls@ietf.org> <tls@ietf.org>
> *Cc:* Nick Harper <nhar...@chromium.org>
> *Subject:* Re: [TLS] DTLS 1.3 epochs vs message_seq overflow
>
>
>
> On Thu, Apr 11, 2024 at 7:12 PM David Benjamin <david...@chromium.org>
> wrote:
>
> Hi all,
>
>
>
> In reviewing RFC 9147, I noticed something a bit funny. DTLS 1.3 changed
> the epoch number from 16 bits to 64 bits, though with a requirement that
> you not exceed 2^48-1. I assume this was so that you're able to rekey more
> than 65K times if you really wanted to.
>
>
>
> I'm not sure we actually achieved this. In order to change epochs, you
> need to do a KeyUpdate, which involves sending a handshake message. That
> means burning a handshake message sequence number. However, section 5.2
> says:
>
>
>
> > Note: In DTLS 1.2, the message_seq was reset to zero in case of a
> rehandshake (i.e., renegotiation). On the surface, a rehandshake in DTLS
> 1.2 shares similarities with a post-handshake message exchange in DTLS 1.3.
> However, in DTLS 1.3 the message_seq is not reset, to allow distinguishing
> a retransmission from a previously sent post-handshake message from a newly
> sent post-handshake message.
>
>
>
> This means that the message_seq space is never reset for the lifetime of
> the connection. But message_seq is a 16-bit field! So I think you would
> overflow message_seq before you manage to overflow a 16-bit epoch.
>
>
>
> Now, I think the change here was correct because DTLS 1.2's resetting on
> rehandshake was a mistake. In DTLS 1.2, the end of the previous handshake
> and the start of the next handshake happen in the same epoch, which meant
> that things were ambiguous and you needed knowledge of the handshake state
> machine to resolve things. However, given the wider epoch, perhaps we
> should have said that message_seq resets on each epoch or something. (Too
> late now, of course... DTLS 1.4 I suppose?)
>
>
>
> Alternatively, if we think 65K epochs should be enough for anybody,
> perhaps DTLS 1.4 should update the RecordNumber structure accordingly and
> save a few bytes in the ACKs. :-)
>
>
>
> Does all that check out, or did I miss something?
>
>
>
> David
>
>
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to