Datagram Transport Transport Layer Security (DTLS) Transport-Agnostic Security Association Extension
draft-mavrogiannopoulos-tls-cid-00

Document Type Active Internet-Draft (individual)
Last updated 2016-11-13
Stream (None)
Intended RFC status (None)
Formats plain text xml pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
TLS Working Group                                   N. Mavrogiannopoulos
Internet-Draft                                                    RedHat
Intended status: Standards Track                           H. Tschofenig
Expires: May 17, 2017                                                ARM
                                                              T. Fossati
                                                                   Nokia
                                                       November 13, 2016

 Datagram Transport Transport Layer Security (DTLS) Transport-Agnostic
                     Security Association Extension
                 draft-mavrogiannopoulos-tls-cid-00

Abstract

   This memo proposes a new Datagram Transport Transport Layer Security
   (DTLS) extension that provides the ability to negotiate, during
   handshake, a transport independent identifier that is unique per
   security association.  This identifier effectively decouples the DTLS
   session from the underlying transport protocol, allowing the same
   security association to be migrated across different instances of the
   same transport, or to a completely different transport.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 17, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of

Mavrogiannopoulos, et al. Expires May 17, 2017                  [Page 1]
Internet-Draft            DTLS ta_sa Extension             November 2016

   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions used in this document . . . . . . . . . . . . . .   3
   3.  Transport Agnostic Security Associatiation Extension  . . . .   4
     3.1.  Extended Client Hello . . . . . . . . . . . . . . . . . .   4
     3.2.  Extended Server Hello . . . . . . . . . . . . . . . . . .   5
     3.3.  Wire Format Changes . . . . . . . . . . . . . . . . . . .   6
   4.  Clashing HOTP CIDs  . . . . . . . . . . . . . . . . . . . . .   6
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   DTLS security context demultiplexing is done via the 5-tuple.
   Therefore, the security association needs to be re-negotiated from
   scratch whenever the transport identifiers change.  For example, when
   moving the network attachment from WLAN to a cellular connection, or
   when the IP address of the IoT devices changes during a sleep cycle.
   A NAT device may also modify the source UDP port after a short idle
   period.  In such cases, there is not enough information in the DTLS
   record header for a server that is handling multiple concurrent
   sessions to associate the new address to an existing client.

   This memo proposes a new TLS extension [RFC6066] that provides the
   ability to negotiate, at handshake time, a transport independent
   identifier that is unique per security association.  We call this
   identifier Connection ID (CID).  Its function is to effectively
   decouple the DTLS session from the underlying transport protocol,
   allowing the same DTLS security association to be migrated across
Show full document text