Re: TLS clarifications (Re: Ordered delivery of EAP messages)

From: Lakshminath Dondeti (ldondeti

Date: Sat, 10 Mar 2007 22:07:31 -0800 (PST)
Yoshihiro Ohba wrote:
> Let's forget about DTLS and focus on TLS. I was arguing that correctness and security are different things.
I understand this part. But I am not sure the example fits; it doesn't matter, though. I am glad to understand your position. :) Thanks for explaining.

So, moving forward from here, let's consider a question along the lines Avi has been asking (note: this may not be exactly the question he asked):

Do EAP methods require in-order delivery to support any of their security properties?
I think yes; for example, TTLS would need in-order delivery for "Replay protection: Yes" in Section 9 of draft-funk-eap-ttls-v1-01.
Thoughts?
Lakshminath
> If TLS is used over unreliable transport, of course it is not possible for TLS to maintain the implicit sequence number. Without reliable transport, the implicit sequence number would not work if loss or out-of-order delivery of TLS records happens, *even if there is no attacker*. That is why I think that reliable transport is needed for TLS to make the implicit sequence number work *correctly* so that it is used for *security*. Maybe we are talking about the same thing in different ways.
>
> Yoshihiro Ohba
>
> On Sat, Mar 10, 2007 at 09:08:42PM -0800, Lakshminath Dondeti wrote:
> > Yoshihiro Ohba wrote:
> > > On Sat, Mar 10, 2007 at 02:37:11AM -0800, Lakshminath Dondeti wrote:
> > > > TLS requires reliable transport for replay protection. (I guess Bernard was trying to get at this in another context in this thread)
> > >
> > > TLS requires reliable transport for the implicit sequence number to work for replay protection.
> >
> > Right, that's what I was getting at.
> >
> > How is the sequence number maintained in that case? Are you saying that we might use an explicit sequence number as in DTLS? But we are not discussing DTLS, are we?
> >
> > > But this does not mean a replay attack is possible if TLS is run over unreliable transport.
> >
> > What am I missing?
> >
> > thanks, Lakshminath
> >
> > PS: To Avi's question, I was thinking in the case of PEAP and TTLS: if the EAP layer cannot guarantee in-order reliable delivery, how else do the endpoints maintain sequence numbers? If there is no other way, we can conclude that PEAP and TTLS require in-order reliable delivery for one of their security guarantees.
>
> Yoshihiro Ohba
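The point the two of them are circling, shown in code. This is an added example, not part of the thread and not written by either participant. It models the TLS record layer's *implicit* sequence number (counted on both ends, never transmitted, mixed into each record's MAC) next to a DTLS-style *explicit* sequence number with the sliding-window anti-replay check. The MAC input is simplified to `seq || payload` (real TLS 1.x also covers type, version and length), the key is a constructed constant, the DTLS epoch field is omitted, and the scenario functions and message bytes are constructed for the demonstration. Swapping two records in flight, with no attacker present, is enough to make the implicit-counter receiver fail its MAC check and abort; the explicit-counter receiver accepts the reordered records and still rejects a replayed duplicate.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real connection derives this from the handshake.
MAC_KEY = b"constructed-demo-mac-key"


def record_mac(seq, payload):
    """MAC over (sequence number || payload), simplified from the TLS 1.x record MAC."""
    return hmac.new(MAC_KEY, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


class TLSSender:
    """Implicit sequence number: counted locally, never put on the wire."""
    def __init__(self):
        self.seq = 0

    def send(self, payload):
        rec = {"payload": payload, "mac": record_mac(self.seq, payload)}
        self.seq += 1
        return rec


class TLSReceiver:
    """Recomputes the MAC with its own counter, which is only correct if every
    record arrives exactly once and in order (i.e. over a reliable transport)."""
    def __init__(self):
        self.seq = 0

    def recv(self, rec):
        expected = record_mac(self.seq, rec["payload"])
        if not hmac.compare_digest(expected, rec["mac"]):
            # Real TLS sends a bad_record_mac alert and tears the connection down.
            raise ValueError("bad_record_mac at implicit seq %d" % self.seq)
        self.seq += 1
        return rec["payload"]


class DTLSSender:
    """Explicit sequence number carried in the record header (epoch omitted here)."""
    def __init__(self):
        self.seq = 0

    def send(self, payload):
        rec = {"seq": self.seq, "payload": payload, "mac": record_mac(self.seq, payload)}
        self.seq += 1
        return rec


class DTLSReceiver:
    """Verifies the MAC under the transmitted seq and rejects replays with a
    sliding-window bitmap (the IPsec-style scheme DTLS uses)."""
    def __init__(self, window=64):
        self.window = window
        self.highest = -1
        self.seen = 0  # bit i set => seq (highest - i) already accepted

    def recv(self, rec):
        seq = rec["seq"]
        if not hmac.compare_digest(record_mac(seq, rec["payload"]), rec["mac"]):
            return None  # forged or corrupted record: dropped, connection survives
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) & ((1 << self.window) - 1)) | 1
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= self.window or (self.seen >> offset) & 1:
                return None  # too old for the window, or a replay of an accepted record
            self.seen |= 1 << offset
        return rec["payload"]


def tls_in_order(msgs):
    """Reliable, ordered delivery: the implicit counters stay in step."""
    s, r = TLSSender(), TLSReceiver()
    return [r.recv(rec) for rec in [s.send(m) for m in msgs]]


def tls_reordered(msgs):
    """Network swaps the first two records; no attacker involved.
    Returns (payloads accepted before failure, error message or None)."""
    s, r = TLSSender(), TLSReceiver()
    recs = [s.send(m) for m in msgs]
    recs[0], recs[1] = recs[1], recs[0]
    got = []
    try:
        for rec in recs:
            got.append(r.recv(rec))
    except ValueError as e:
        return got, str(e)
    return got, None


def dtls_reordered_and_replayed(msgs):
    """Same swap, plus a replay of an already-delivered record appended at the end.
    None in the result means the receiver dropped that record."""
    s, r = DTLSSender(), DTLSReceiver()
    recs = [s.send(m) for m in msgs]
    recs[0], recs[1] = recs[1], recs[0]
    recs.append(recs[0])  # duplicate of a record the receiver has already accepted
    return [r.recv(rec) for rec in recs]


if __name__ == "__main__":
    msgs = [b"a", b"b", b"c"]  # constructed sample records
    print("TLS in order:        ", tls_in_order(msgs))
    print("TLS reordered:       ", tls_reordered(msgs))
    print("DTLS reordered+replay", dtls_reordered_and_replayed(msgs))
```

The TLS receiver never distinguishes "the network reordered this" from "an attacker replayed this"; both surface as a MAC failure on an implicit counter, which is why the integrity and replay guarantees only hold when the layer underneath delivers in order. The DTLS receiver can tell the two apart only because the sequence number is explicit, which is the design change the thread sets aside by restricting itself to TLS.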