[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)

To: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
Date: Sun, 11 Mar 2007 00:56:16 -0500
Cc: Yoshihiro Ohba <yohba@tari.toshiba.com>, Avi Lior <avi@bridgewatersystems.com>, radiusext@ops.ietf.org, eap@frascone.com
In-reply-to: <45F38EDA.8050103@qualcomm.com>
References: <20070308001437.GQ22467@steelhead> <E7CCE8A83907104ABEE91AC3AE3709A00B76304D@exchange.bridgewatersys.com> <20070308052017.GA26227@steelhead> <45F28A57.8030907@qualcomm.com> <20070311021010.GB10637@steelhead> <45F38EDA.8050103@qualcomm.com>
User-agent: Mutt/1.5.13 (2006-08-11)

Let's forget about DTLS and focus on TLS.  I was arguing that
correctness and security are different things.

If TLS are used over unreliable transport, of course it is not
possible for TLS to maintain implicit sequence number.  Without
reliable transport implicit sequence number would not work if loss or
out-of-order delivery of TLS records happens and *even if there is no
attacker*.  That is why I think that reliable transport is needed for
TLS to make implicit sequence number work *correctly* so that it is
used for *security*.  Maybe we are talking about the same thing in
different ways.

Yoshihiro Ohba

On Sat, Mar 10, 2007 at 09:08:42PM -0800, Lakshminath Dondeti wrote:
> Yoshihiro Ohba wrote:
> >On Sat, Mar 10, 2007 at 02:37:11AM -0800, Lakshminath Dondeti wrote:
> >>TLS requires reliable transport for replay protection.  (I guess Bernard 
> >>was trying to get at this in another context in this thread)
> >
> >TLS requires reliable transport for implicit sequence number to work
> >for replay protection.  
> 
> Right, that's what I was getting at.
> 
> >But this does not mean replay attack is
> >possible if TLS is run over unreliable transport.
> 
> How is the sequence number maintained in that case?  Are you saying that 
> we might use an explicit sequence number as in DTLS?  But, we are not 
> discussing DTLS, are we?
> 
> What am I missing?
> 
> thanks,
> Lakshminath
> 
> PS: To Avi's question, I was thinking in case of PEAP and TTLS if the 
> EAP layer cannot guarantee in-order reliable delivery, how else do the 
> endpoints maintain sequence numbers?  If there is no other way, we can 
> conclude that PEAP and TTLS require in-order reliable delivery for one 
> of its security guarantees.
> 
> >
> >Yoshihiro Ohba
> >
> 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Re: [eap] Ordered delivery of EAP messages
  - From: Yoshihiro Ohba <yohba@tari.toshiba.com>
- RE: [eap] Ordered delivery of EAP messages
  - From: "Avi Lior" <avi@bridgewatersystems.com>
- Re: [eap] Ordered delivery of EAP messages
  - From: Yoshihiro Ohba <yohba@tari.toshiba.com>
- Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
  - From: Yoshihiro Ohba <yohba@tari.toshiba.com>

Prev by Date: Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
Next by Date: Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
Previous by thread: Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
Next by thread: Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
Index(es):
- Date
- Thread