On Mon, Apr 27, 2015 at 05:15:32PM +0200, Simon Josefsson wrote:
> Ilari Liusvaara <[email protected]> writes:
>
> > - Does DNS-over-DTLS need some sort of channel identifier in queries
> >   (taking place of the 5-tuple)? To deal with things like client IP
> >   address/portrange changes or client socket being dropped[1].
>
> If I understand correctly, I don't believe DTLS has this, nor that it is
> something you want -- if something is messing with the traffic, you
> want to detect/reject it, not work around it.

This is about dealing with things like:

- ISP suddenly renumbering connection.
- NAT dropping state.

The DTLS itself does not specify how to associate packets with connection
state. Some of the ways seen: 5-tuples, in-band connection identifiers,
out-of-band designation.

> > Also, some problems with (D)TLS:
> > - No length hiding: There is no defined mechanism for length hiding
> >   (which is needed unless one can pad at DNS level). I think there
> >   have been at least one proposal tho.
>
> (D)TLS has message padding to mitigate packet length analysis.
> Admittedly, you can't pad more than 255 bytes.

Only in block modes, which have a number of problems (Chrome actually
warns about "obsolete cryptography" if those are used).

-Ilari

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
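The 255-byte padding ceiling discussed above, worked through as an added example; this is not code from the thread or from any IETF document. It implements the TLS 1.2 GenericBlockCipher padding rule (RFC 5246 section 6.2.3.2: a one-byte padding_length followed by that many identical bytes, so at most 256 bytes are appended and only when a CBC cipher suite is negotiated), shows the largest record a sender can legally produce for a given content length, and contrasts it with padding at the DNS layer, which is modelled here only as length arithmetic with no particular wire encoding. The sample query sizes are constructed, not measured from any resolver.

```python
"""Added example: how much length hiding TLS 1.2 CBC record padding gives,
versus rounding the DNS message up at the application layer.

Assumptions (not from the thread): the MAC is ignored (treat `content` as
content plus MAC), and DNS-layer padding is modelled as a target length only.
"""

MAX_TLS_PADDING_LENGTH = 255  # padding_length is a single byte (RFC 5246)


def tls12_cbc_pad(content: bytes, block_size: int, extra_blocks: int = 0) -> bytes:
    """Append GenericBlockCipher padding to `content`.

    The sender must at least reach a block boundary; `extra_blocks` adds whole
    blocks on top of that, which is the only length-hiding lever TLS 1.2 offers.
    Raises ValueError when the padding would no longer fit in one byte.
    """
    if not 1 <= block_size <= 256:
        raise ValueError("block_size must be in 1..256")
    minimal = block_size - (len(content) % block_size)   # 1..block_size bytes
    total = minimal + extra_blocks * block_size          # includes the length byte
    padding_length = total - 1
    if padding_length > MAX_TLS_PADDING_LENGTH:
        raise ValueError(f"padding_length {padding_length} does not fit in one byte")
    return content + bytes([padding_length]) * (padding_length + 1)


def tls12_cbc_unpad(padded: bytes, block_size: int) -> bytes:
    """Strip GenericBlockCipher padding, rejecting malformed padding.

    Readability-first version: a real stack must do this check in constant
    time, since timing differences here are exactly what the Lucky 13 attack
    on CBC suites measures.
    """
    if not padded or len(padded) % block_size:
        raise ValueError("record length is not a multiple of the block size")
    padding_length = padded[-1]
    if padding_length + 1 > len(padded):
        raise ValueError("padding longer than the record")
    tail = padded[-(padding_length + 1):]
    if any(b != padding_length for b in tail):
        raise ValueError("padding bytes inconsistent")
    return padded[:-(padding_length + 1)]


def max_tls12_padded_length(content_len: int, block_size: int) -> int:
    """Largest on-the-wire length TLS 1.2 CBC padding can produce for content_len.

    Because padding_length is one byte, this is always below content_len + 257.
    """
    best = content_len
    extra = 0
    while True:
        try:
            best = len(tls12_cbc_pad(b"\0" * content_len, block_size, extra))
        except ValueError:
            return best
        extra += 1


def dns_layer_padded_length(msg_len: int, bucket: int) -> int:
    """Length after rounding a DNS message up to a multiple of `bucket` bytes.

    Done inside the DNS message this is independent of the cipher suite and has
    no 255-byte cap; only the size arithmetic is shown here.
    """
    if bucket <= 0:
        raise ValueError("bucket must be positive")
    return -(-msg_len // bucket) * bucket


# Constructed sample query sizes in bytes (not measured on any network).
SAMPLE_QUERY_SIZES = {
    "ietf.org": 26,
    "example.com": 29,
    "a-much-longer-hostname.example.org": 52,
}


def observable_sizes(sizes: dict, pad_len) -> dict:
    """Map each name to the length an on-path observer would see after pad_len()."""
    return {name: pad_len(n) for name, n in sizes.items()}


if __name__ == "__main__":
    # Minimal CBC padding only hides length up to the block boundary.
    minimal = observable_sizes(SAMPLE_QUERY_SIZES, lambda n: len(tls12_cbc_pad(b"\0" * n, 16)))
    print("TLS 1.2 CBC, minimal padding:", minimal)
    print("TLS 1.2 CBC, largest possible record for 52 bytes:", max_tls12_padded_length(52, 16))
    # DNS-layer bucketing collapses all three queries to the same size.
    print("DNS-layer 128-byte buckets:", observable_sizes(SAMPLE_QUERY_SIZES,
                                                          lambda n: dns_layer_padded_length(n, 128)))
```

With minimal padding the two short names already become indistinguishable (both 32 bytes) while the long one stands out at 64; a sender can push any of them up by whole blocks, but never past the 255-byte padding_length, and not at all under an AEAD suite. Rounding at the DNS layer has neither limit.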
