Skip to main content

Extension for protecting (D)TLS handshakes against Denial of Service
draft-tiloca-tls-dos-handshake-01

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Expired".
Authors Marco Tiloca , Ludwig Seitz , Maarten Hoeve , Olaf Bergmann
Last updated 2017-10-28
RFC stream (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-tiloca-tls-dos-handshake-01
TLS Working Group                                              M. Tiloca
Internet-Draft                                                  L. Seitz
Intended status: Standards Track                            RISE SICS AB
Expires: May 1, 2018                                            M. Hoeve
                                                                    ENCS
                                                             O. Bergmann
                                                 Universitaet Bremen TZI
                                                        October 28, 2017

  Extension for protecting (D)TLS handshakes against Denial of Service
                   draft-tiloca-tls-dos-handshake-01

Abstract

   This document describes an extension for TLS and DTLS to protect the
   server from Denial of Service attacks against the handshake protocol,
   carried out by an on-path adversary.  The extension includes a nonce
   and a Message Authentication Code (MAC) over that nonce, encoded as a
   Handshake Token that a Trust Anchor entity computes and provides to
   the client.  The server registered at the Trust Anchor verifies the
   MAC to determine whether continuing or aborting the handshake.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 1, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of

Tiloca, et al.             Expires May 1, 2018                  [Page 1]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  DoS Protection Extension  . . . . . . . . . . . . . . . . . .   4
     2.1.  Extension Type  . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Extension Data  . . . . . . . . . . . . . . . . . . . . .   4
   3.  Protocol overview . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Client to Trust Anchor  . . . . . . . . . . . . . . . . . . .   6
   5.  Client to Server  . . . . . . . . . . . . . . . . . . . . . .   7
   6.  Server Processing . . . . . . . . . . . . . . . . . . . . . .   7
   7.  Replay Protection . . . . . . . . . . . . . . . . . . . . . .   8
   8.  Session Resumption  . . . . . . . . . . . . . . . . . . . . .   9
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
     9.1.  Security Effectiveness  . . . . . . . . . . . . . . . . .  10
     9.2.  Renewal of Long-Term Key K_M  . . . . . . . . . . . . . .  11
     9.3.  Rate Limit to Nonce Release . . . . . . . . . . . . . . .  12
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  12
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  12
     12.2.  Informative References . . . . . . . . . . . . . . . . .  13
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  13

1.  Introduction

   Servers running TLS [RFC5246][I-D.ietf-tls-tls13] and DTLS
   [RFC6347][I-D.ietf-tls-dtls13] are vulnerable to Denial of Service
   (DoS) attacks during the very first step of the handshake protocol.
   That is, an adversary can repeatedly send ClientHello messages to the
   server and induce it to perform computations and execute handshakes,
   before stopping handshake executions and make the server hold state
   open.

   DTLS 1.2 as well as both TLS 1.3 and DTLS 1.3 provide the optional
   Cookie exchange as possible solution to mitigate this DoS attack.
   This mechanism is specifically oriented towards adversaries that are
   not on-path.  That is, the Cookie exchange makes the attack more
   complicated to mount.  However, a well determined and resourceful on-
   path adversary, able to spoof valid IP addresses, can still
   successfully perform the DoS attack, by intercepting the possible

Tiloca, et al.             Expires May 1, 2018                  [Page 2]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   server response including the Cookie and then echoing it in the
   second ClientHello.  This is in particular possible if the handshake
   does not use Pre-Shared Key exchange modes.

   More specifically, the handshake protocol is exposed to DoS attacks
   mounted by an on-path adversary, ranging minimally from a man-on-the-
   side (i.e. able to read and inject traffic, but not block) to
   maximally a full active adversary (i.e. able also to block traffic).

   Depending on the specific protocol version and the key establishment
   mode used in the handshake, the attack impact can range from a single
   reply triggered by invalid ClientHello messages, to the server
   performing advanced handshake steps with consequent setup of invalid
   half-open sessions.  Especially if performed in a large-scale and
   distributed manner, this attack can thwart performance and service
   availability of (D)TLS servers.  Moreover, the attack can be
   particularly effective in application scenarios where servers are
   resource-constrained devices running DTLS over low-power, low
   bandwidth and lossy networks.

   This specification describes a "dos_protection" extension for TLS and
   DTLS, included into ClientHello messages in order to mark them as
   valid and neutralize the DoS attacks mentioned above.  In essence,
   the "dos_protection" extension includes a Handshake Token encoding a
   nonce and a Message Authentication Code (MAC) computed over that
   nonce.  Upon receiving the ClientHello message, the server checks the
   MAC conveyed in the Handshake Token, and determines whether to either
   continue the handshake or to immediately abort it.

   The proposed method relies on a Trust Anchor (TA) entity, which is in
   a trust relation with the server, and authorizes the client to
   establish a secure session with the server.  In particular, the Trust
   Anchor computes the MAC encoded in the Handshake Token, before
   providing the latter to the client.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   Readers are expected to be familiar with terms and concepts related
   to TLS 1.2 [RFC5246] and DTLS 1.2 [RFC6347], as well as to TLS 1.3
   [I-D.ietf-tls-tls13] and DTLS 1.3 [I-D.ietf-tls-dtls13], with
   particular reference to their respective handshake protocol.

Tiloca, et al.             Expires May 1, 2018                  [Page 3]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   This document refers also to the following terminology.

   o  Trust Anchor (TA): a trusted third party in a trust relation with
      the (D)TLS server.

   o  Master Key (K_M): a long-term symmetric key shared between the
      Trust Anchor and the server.

   o  Handshake Token (T): piece of information provided by the Trust
      Anchor to a client intending to start a handshake with the server.
      The Handshake Token is opaque to the client, i.e. the semantics of
      the Handshake Token are intelligible only to the Trust Anchor and
      the server.

   o  Nonce (N): an unsigned integer value used by the Trust Anchor to
      produce a fresh Handshake Token.  The Trust Anchor maintains a
      pairwise counter separately for each associated server, in order
      to produce Nonce values.

2.  DoS Protection Extension

2.1.  Extension Type

   This specification extends the ExtensionType enum as follows:

      enum {
          ...,
          dos_protection(TBD),
          (65535)
      } ExtensionType;

2.2.  Extension Data

   The "extension_data" field of the "dos_protection" extension contains
   the following information:

       struct {
         opaque handshake_token;
       } extension_data_content;

   The "handshake_token" field is intended to include the Handshake
   Token generated by the Trust Anchor.  The Handshake Token encodes a
   nonce and a Message Authentication Code (MAC) computed over the
   nonce.

Tiloca, et al.             Expires May 1, 2018                  [Page 4]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

3.  Protocol overview

   Before becoming fully operational, the server S registers at the TA
   through a secure communication channel or other out-of-band means.  A
   server is registered at one TA only, while the same TA can be
   associated to multiple servers.

   For each registered server S, the TA and S maintain a pairwise
   counter z_S, associated to that server and encoded as an unsigned
   integer.  Upon S's registration, S and the TA initialize z_S to 0 and
   establish a long-term symmetric key K_M.  The specific means to
   establish K_M are out of the scope of this specification.

   The rest of this document refers to H as a hash function and to an
   HMAC [RFC2104] relying on H.  The TA and the server MUST support the
   hash function SHA-256.

   Figure 1 shows the messages exchanged between the client (C), the
   Trust Anchor (TA) and the server (S).

           C                                   TA                   S
           |                                   |                    |
           |                                   | { Shared key K_M } |
           |                                   |                    |
           | --- Request handshake with S ---> |                    |
     (1)   |                                   |                    |
           | <------- Handshake Token -------- |                    |
           |                                   |                    |
     ---   |                                   |                    |
           |                                                        |
           |      ClientHello with "dos_protection" extension       |
     (2)   | -----------------------------------------------------> |
           |             Including the Handshake Token              |
           |                                                        |
     ---   |                                   |                    |
           |                                   |                    |
           |                                                        |
     (3)   | [<-------------- Next handshake steps -------------->] |
           |                                                        |
           |                                   |                    |

                        Figure 1: Protocol Overview

   Step (1) concerns a client C that intends to start a (D)TLS session
   with the server S.  That is, C contacts the TA and specifies its
   intention to start a (D)TLS handshake with S.  The client C can rely
   on services such as [I-D.ietf-core-resource-directory] to know what
   is the specific TA associated to S.  All communications between C and

Tiloca, et al.             Expires May 1, 2018                  [Page 5]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   the TA MUST be secured, ensuring integrity, source authentication,
   confidentiality and replay protection of exchanged messages.  The
   specific means to secure communications between C and the TA are out
   of the scope of this specification.

   The TA MUST verify that C is authorized to establish a (D)TLS session
   with S.  To this end, the TA can directly authorize the client, or
   expect the client to upload authorization evidence previously
   obtained from a trusted entity.  Compared with models based on
   proxies, this approach does not require particular adaptations to the
   communication between clients and servers.  The specific
   authorization process of clients is out of the scope of this
   specification.

   In case of successful authorization, the TA provides C with a fresh
   Handshake Token, which encodes a nonce as well as a Message
   Authentication Code (MAC) computed over the nonce using the key K_M.
   The Handshake Token is opaque to the client.

   During Step (2), C prepares the ClientHello message addressed to S,
   including the "dos_protection" extension defined in Section 2.  In
   particular, the extension includes the Handshake Token received by
   the TA, as content of the field "handshake_token".  Then, C sends the
   ClientHello message to S.  The overall content and format of the
   ClientHello message depend on the specific version of (D)TLS.

   Upon receiving the ClientHello message, the server S retrieves the
   Handshake Token from the "dos_protection" extension.  Then, S relies
   on the nonce included in the Handshake Token to check that the
   ClientHello message is not a replay.  After that, S uses the key K_M
   to recompute the MAC, and checks it against the MAC encoded in the
   received Handshake Token.

   In case the ClientHello message is fresh and the MAC is valid, S
   continues to Step (3), i.e., it proceeds with the handshake with C.
   Otherwise, S discards the ClientHello message and aborts the
   handshake.

4.  Client to Trust Anchor

   The client C requests from the TA an authorization to open a new
   (D)TLS session with S.  That is, this step does not take place if C
   intends to resume a (D)TLS session previously established with S.
   Considerations about session resumption are discussed in Section 8.

   In case of successful authorization, the TA selects the nonce N as
   the current value of the pairwise counter z_S associated to S.  Then,
   the TA performs the following actions.

Tiloca, et al.             Expires May 1, 2018                  [Page 6]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   1.  It sets the variable token_nonce to the nonce N.

   2.  It computes a MAC as the output of HMAC(K_M, H(token_nonce)).

   3.  It builds a Handshake Token including token_nonce and the MAC.

   After that, the TA provides the Handshake Token to C, and increments
   the counter z_S by 1.

   The TA handles a wrap-around of the counter z_S by renewing the
   Master Key K_M as described in Section 9.2.

5.  Client to Server

   This section considers a client C intending to establish a new (D)TLS
   session with S.  Considerations about session resumption are
   discussed in Section 8.

   When preparing the ClientHello message, the client C proceeds as
   follows.

   1.  It builds the "dos_protection" extension defined in Section 2.

   2.  It includes the Handshake Token received from the TA in the
       "handshake_token" field of the "dos_protection" extension.

   3.  It includes the "dos_protection" extension into the ClientHello
       message, consistently with what is mandated and recommended by
       the specific version of (D)TLS.

   Once the ClientHello message has been completely prepared, C
   transmits it to S.  Note that C retransmits exactly the same
   "dos_protection" extension from this first ClientHello message, in
   case it sends a second ClientHello message as a reply to a
   HelloVerifyRequest in DTLS 1.2 or a HelloRetryRequest in (D)TLS 1.3.

6.  Server Processing

   This section considers a server S receiving a ClientHello message
   from C for initiating a new (D)TLS session.  Considerations on
   session resumption are discussed in Section 8.

   A server MAY require clients to send a valid "dos_protection"
   extension.  A server requiring this MUST respond to a ClientHello
   lacking a "dos_protection" extension by terminating the handshake,
   with a "missing_extension" alert if the client has shown support for
   (D)TLS 1.3, or a "handshake_failure" alert otherwise.

Tiloca, et al.             Expires May 1, 2018                  [Page 7]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   Upon receiving the first ClientHello message from C, the server S
   retrieves the Handshake Token from the "handshake_token" field of the
   "dos_protection" extension.

   Then, the server S MUST check that the ClientHello message is not a
   replay.  Section 7 of this specification describes a possible method
   to perform the anti-replay check, based on the nonce encoded in the
   Handhshake Token.  If the ClientHello message is found to be not
   fresh, then S discards it and terminates the handshake with a
   "handshake_failure" alert.

   If the ClientHello message is found to be fresh, then S performs the
   following actions.

   1.  It retrieves token_nonce from the Handshake Token.

   2.  It computes a MAC as the output of HMAC(K_M, H(token_nonce)).

   If the computed MAC differs from the MAC encoded in the Handshake
   Token, S discards the ClientHello message and terminates the
   handshake with a "handshake_failure" alert.  Otherwise, S continues
   performing the handshake with C.

7.  Replay Protection

   This section describes a possible method to perform anti-replay
   checks on received ClientHello messages, based on the nonce encoded
   in the Handshake Token as token_nonce.

   The server S maintains a sliding window W of size A, as a pair {w,
   w_b}, where w is an A-bit vector and w_b indicates the current left
   bound of W.  That is, w_b indicates the lowest value that S can
   accept as the nonce N encoded in the Handshake Token as token_nonce.
   Upon startup, S sets w_b to 0 and all bits in w to 0.

   Upon receiving a ClientHello message for establishing a new (D)TLS
   session, the server S considers the nonce N encoded in the Handshake
   Token as token_nonce, and performs the following checks.  As an
   example, the following considers a 32-bit nonce N.

   o  If N < w_b, then S discards the ClientHello message and terminates
      the handshake.

   o  If w_b <= N < min(w_b + A, 2^32), then S defines i = (N - w_b),
      and checks the i-th bit of vector w.  If such bit is set to 1,
      i.e. the same nonce N has been already used, then S discards the
      ClientHello message and terminates the handshake.  Instead, if

Tiloca, et al.             Expires May 1, 2018                  [Page 8]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

      such bit is set to 0, then S proceeds with processing the
      "dos_protection" extension as described in Section 6.

   o  If (w_b + A) <= N < 2^32, then S proceeds with processing the
      "dos_protection" extension as described in Section 6.

   During this handshake execution, S discards any possible first
   ClientHello message including the same nonce N encoded in the
   Handshake Token as token_nonce.

   Once the handshake has been successfully completed, S checks whether
   the condition N >= w_b is still valid.  In such a case, S updates the
   window W as follows.

   o  If w_b <= N < min(w_b + A, 2^32), then S defines i = (N - w_b) and
      sets the i-th bit of vector w to 1, so marking N as used.
      Instead,

   o  if (w_b + A) <= N < 2^32, then S defines w* = (N - A + 1) and
      updates vector w as w = w >> (w* - w_b), where '>>' is the
      unsigned right bit shift operator.  After that, S updates w_b as
      w_b = w*. Finally, S defines i = (N - w_b) and sets the i-th bit
      of vector w to 1, so marking N as used.

   The window size A should be determined based on the expected
   frequency of new session establishments on the server S.  Evidently,
   the larger the window, the more accurate is the replay protection,
   but the greater the memory overhead on the server side.

8.  Session Resumption

   In case a client C sends a ClientHello message asking to resume a
   session, the server S relies on the existing association with C and
   hence does not need a further assertion of client's validity from the
   TA.  In addition, S can rely on the Client Hello Recording mechanism
   described in Section 8 of [I-D.ietf-tls-tls13], in order to perform
   anti-replay checks on ClientHello messages asking for session
   resumption.

   As a consequence, the "dos_protection" extension defined in Section 2
   is not strictly necessary in ClientHello messages sent for session
   resumption.

   However, Section 7.4.1.4 of [RFC5246] states that a client asking for
   session resumption SHOULD send the same extensions as it would if it
   was not attempting resumption.  At the same time, it states that most
   extensions are relevant only when a new session is initiated, and

Tiloca, et al.             Expires May 1, 2018                  [Page 9]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   hence the server would not process them in case of session
   resumption.

   In accordance with such guidelines, a server S can possibly instruct
   the TA to also provide requesting clients with a small number R of
   additional Resumption Tokens.

   In order to compute each of the Resumption Tokens for a same request
   from a given client, the TA MUST use the same nonce value N used to
   compute the Handshake Token (see Section 4).  In particular, the TA
   computes the i-th Resumption Token, 0 <= i < R, as follows.

   1.  It sets the variable token_nonce to (N + i), where '+' is the
       concatenate operator.

   2.  It computes a MAC as the output of HMAC(K_M, H(token_nonce)).

   3.  It builds the i-th Resumption Token including token_nonce and the
       MAC.

   Finally, the TA provides the requesting client with the Handshake
   Token and the additional Resumption Tokens.  The client MUST use the
   Handshake Token during a handshake with S for session initiation, as
   described in Section 5.  The client MUST use the i-th Resumption
   Token upon attempting the i-th resumption of that session.  After it
   has used all the Resumption Tokens received from the TA, the client
   MUST assume that S does not support further resumptions of the same
   session.

   Upon receiving a ClientHello message from C asking to resume a
   session, the server S verifies the MAC encoded in the Resumption
   Token as described in Section 6.  However, S does not rely on the
   "dos_protection" extension and the token_nonce in the Resumption
   Token to perform an anti-replay check.

   Further details about session resumption are defined in the (D)TLS
   specifications of the different respective versions.

9.  Security Considerations

   This specification does not change the intended security properties
   of TLS and DTLS.  Additional security aspects are discussed below.

9.1.  Security Effectiveness

   The MAC encoded in the "dos_protection" extension as part of the
   Handshake Token is computed only over the 'token_nonce' part of the
   same Handshake Token.  That is, a server S can actually assert the

Tiloca, et al.             Expires May 1, 2018                 [Page 10]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   validity and freshness of the Handshake Token only, rather than of
   the whole ClientHello message.

   As a consequence, an on-path adversary can intercept ClientHello
   messages sent by legitimate clients, retrieve the "dos_protection"
   extension, and then use it inside forged ClientHello messages
   injected and addressed to the server.  However, this practically
   displays negligible consequences in terms of additional impact on the
   server, as discussed in the following.

   On one hand, a man-on-the-side adversary, namely able to intercept
   and inject traffic but not block, can, with reasonable effort,
   exploit the limitation above in order to induce the server to
   negotiate more expensive cipher suites, which is fair to consider as
   a weak attack achievement.  Furthermore, the injection of such forged
   ClientHello messages including a stolen "dos_protection" extension is
   anyway rate limited by the number of legitimate clients and the
   frequency of their handshake executions.

   On the other hand, a full active adversary, namely able to also block
   traffic, would not even bother to inject forged ClientHello messages
   including a stolen "dos_protection" extension.  In fact, (s)he can
   more easily let the server process handshake messages from legitimate
   clients during handhshake early phases, and later on block specific
   client messages during handshake advanced phases, so leaving the
   server with several half-open sessions and open states.  Again, this
   is anyway rate limited by the number of legitimate clients and the
   frequency of their handshake executions.

9.2.  Renewal of Long-Term Key K_M

   While it can practically take a long amount of time, the pairwise
   counter z_S maintained by the TA and associated to S eventually wraps
   around.  When this happens, the TA MUST revoke the key K_M shared
   with S, in order to not reuse {K_M, N} pairs when building Handshake
   Tokens for requesting clients.

   In particular, when the counter z_S wraps-around, the TA MUST perform
   the following actions.

   1.  It stops accepting requests related to S from clients.

   2.  It securely generates a new long-term key K_M and securely
       provides it to S.

   3.  It resumes serving requests related to S from clients, using the
       new K_M to compute MACs when building Handshake Tokens.

Tiloca, et al.             Expires May 1, 2018                 [Page 11]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

9.3.  Rate Limit to Nonce Release

   It is RECOMMENDED that the TA does not release Handshake Tokens to
   clients beyond a maximum rate.  This prevents a client with
   legitimate credentials from quickly consuming the nonce space
   associated to S, and thus making the TA unable to serve other
   clients.

10.  IANA Considerations

   IANA is requested to allocate an entry to the existing TLS
   "ExtensionType" registry defined in [RFC5246] and originally created
   in [RFC4366], for dos_protection (TBD) defined in this document.

11.  Acknowledgments

   The authors are sincerely thankful to Santiago Aragon, Rolf Blom and
   Eric Rescorla for their comments and feedback.

   The work on this document has been partly supported by the EU FP7
   project SEGRID (Grant Agreement no. 607109) and the EIT-Digital High
   Impact Initiative ACTIVE.

12.  References

12.1.  Normative References

   [I-D.ietf-tls-dtls13]
              Rescorla, E., Tschofenig, H., and N. Modadugu, "The
              Datagram Transport Layer Security (DTLS) Protocol Version
              1.3", draft-ietf-tls-dtls13-01 (work in progress), July
              2017.

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-21 (work in progress),
              July 2017.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997, <https://www.rfc-
              editor.org/info/rfc2104>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
              editor.org/info/rfc2119>.

Tiloca, et al.             Expires May 1, 2018                 [Page 12]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008, <https://www.rfc-
              editor.org/info/rfc5246>.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012, <https://www.rfc-editor.org/info/rfc6347>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

12.2.  Informative References

   [I-D.ietf-core-resource-directory]
              Shelby, Z., Koster, M., Bormann, C., Stok, P., and C.
              Amsuess, "CoRE Resource Directory", draft-ietf-core-
              resource-directory-11 (work in progress), July 2017.

   [RFC4366]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
              and T. Wright, "Transport Layer Security (TLS)
              Extensions", RFC 4366, DOI 10.17487/RFC4366, April 2006,
              <https://www.rfc-editor.org/info/rfc4366>.

Authors' Addresses

   Marco Tiloca
   RISE SICS AB
   Isafjordsgatan 22
   Kista  SE-164 29
   Sweden

   Phone: +46 70 604 65 01
   Email: marco.tiloca@ri.se

   Ludwig Seitz
   RISE SICS AB
   Scheelevaegen 17
   Lund  SE-223 70
   Sweden

   Phone: +46 70 349 92 51
   Email: ludwig.seitz@ri.se

Tiloca, et al.             Expires May 1, 2018                 [Page 13]
Internet-Draft (D)TLS extension against Denial of Service   October 2017

   Maarten Hoeve
   ENCS
   Regulusweg 5
   The Hague  2516 AC
   The Netherlands

   Phone: +31 62 015 75 51
   Email: maarten.hoeve@encs.eu

   Olaf Bergmann
   Universitaet Bremen TZI
   Postfach 330440
   Bremen  D-28359
   Germany

   Phone: +49 421 218 63904
   Email: bergmann@tzi.org

Tiloca, et al.             Expires May 1, 2018                 [Page 14]