On Mon, Dec 28, 2015 at 06:59:48PM -0500, Eric Rescorla wrote:
> On Mon, Dec 28, 2015 at 4:49 PM, Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
> >
> > Also, on topic of DTLS 1.3... It occurs to me that naively doing it
> > would leave it open to "fragmentation attacks" à la IPv6.
> >
> > Basically, it occurs to me that ClientHello messages SHOULD NOT be
> > fragmented (at TLS level, SCTP(?) or IP level fragmentation is another
> > kettle of fish) and if it is fragmented, the Cookie extension MUST be
> > in the first fragment.
> 
> Sorry, I'm not sure I am processing this. Can you explain in more detail.

Basically, the server should avoid keeping any state for what it is
going to reject (because keeping such state would be a pretty major
DoS vector).

And no state means no fragment reassembly and only the first fragment
being parseable. And it is not only Cookie that can generate rejects, but
also KeyShare.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
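The design rule argued above (a stateless server must be able to reach its reject decision from the first fragment alone, so Cookie and KeyShare have to land there) as an added worked example. This is not code from the thread or from any DTLS implementation: it uses the DTLS handshake fragment header from RFC 6347 (12 bytes: msg_type, length, message_seq, fragment_offset, fragment_length) and a TLS 1.3-style ClientHello body with the DTLS legacy_cookie field, but the cookie construction (HMAC over the client random under a server-held key), the accepted key-share group policy, and the 400-byte padding extension used to force fragmentation are all assumptions. DTLS 1.3 was not finished when this mail was written; the final wire format differs in details, and nothing here should be read as the spec.

```python
import hashlib
import hmac
import struct

HS_CLIENT_HELLO = 1
EXT_PADDING, EXT_COOKIE, EXT_KEY_SHARE = 21, 44, 51
GROUP_SECP256R1, GROUP_X25519 = 0x0017, 0x001D

# Assumed server policy and secret (constructed for the example).
ACCEPTED_GROUPS = {GROUP_X25519}
SERVER_COOKIE_KEY = b"constructed-server-cookie-key"


def make_cookie(client_random: bytes) -> bytes:
    """Stateless cookie: HMAC over the client random (assumed binding)."""
    return hmac.new(SERVER_COOKIE_KEY, client_random, hashlib.sha256).digest()


def build_client_hello(client_random, cookie, group, cookie_first=True):
    """ClientHello body; cookie=None omits the Cookie extension entirely."""
    share = struct.pack("!HH", group, 32) + b"\x11" * 32          # constructed key share
    key_share_ext = struct.pack("!HHH", EXT_KEY_SHARE, len(share) + 2, len(share)) + share
    cookie_ext = b"" if cookie is None else (
        struct.pack("!HHH", EXT_COOKIE, len(cookie) + 2, len(cookie)) + cookie)
    padding_ext = struct.pack("!HH", EXT_PADDING, 400) + b"\x00" * 400
    exts = (cookie_ext + key_share_ext + padding_ext if cookie_first
            else padding_ext + key_share_ext + cookie_ext)
    return (b"\xfe\xfd" + client_random      # legacy_version, random
            + b"\x00"                        # legacy_session_id (empty)
            + b"\x00"                        # legacy_cookie (DTLS field, empty)
            + struct.pack("!H", 2) + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # legacy_compression_methods: null
            + struct.pack("!H", len(exts)) + exts)


def fragment(body, msg_seq, max_frag):
    """Split a handshake body into DTLS fragments with the 12-byte header."""
    frags = []
    for off in range(0, len(body), max_frag):
        chunk = body[off:off + max_frag]
        hdr = (bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big")
               + struct.pack("!H", msg_seq) + off.to_bytes(3, "big")
               + len(chunk).to_bytes(3, "big"))
        frags.append(hdr + chunk)
    return frags


def inspect_first_fragment(frag):
    """Stateless decision: 'accept', 'retry' (reject, send cookie) or 'drop'.

    Nothing is buffered: a non-first fragment is dropped outright, and if the
    first fragment ends before both Cookie and KeyShare have been seen the
    server cannot justify keeping state, so it rejects.
    """
    if len(frag) < 12 or frag[0] != HS_CLIENT_HELLO:
        return "drop"
    if int.from_bytes(frag[6:9], "big") != 0:          # fragment_offset
        return "drop"
    data, p = frag[12:], 0

    def take(n):
        nonlocal p
        if p + n > len(data):
            raise EOFError                              # truncated by the fragment boundary
        p += n
        return data[p - n:p]

    cookie_ok = keyshare_ok = None
    try:
        take(2)                                         # legacy_version
        client_random = take(32)
        take(take(1)[0])                                # legacy_session_id
        take(take(1)[0])                                # legacy_cookie
        take(struct.unpack("!H", take(2))[0])           # cipher_suites
        take(take(1)[0])                                # compression methods
        end = p + struct.unpack("!H", take(2))[0] + 2   # end of extensions
        while p < end and (cookie_ok is None or keyshare_ok is None):
            ext_type, ext_len = struct.unpack("!HH", take(4))
            ext_data = take(ext_len)
            if ext_type == EXT_COOKIE:
                cookie_ok = hmac.compare_digest(ext_data[2:], make_cookie(client_random))
            elif ext_type == EXT_KEY_SHARE and len(ext_data) >= 4:
                keyshare_ok = struct.unpack("!H", ext_data[2:4])[0] in ACCEPTED_GROUPS
    except EOFError:
        return "retry"
    return "accept" if cookie_ok and keyshare_ok else "retry"


if __name__ == "__main__":
    rnd = b"\x42" * 32
    ok = fragment(build_client_hello(rnd, make_cookie(rnd), GROUP_X25519), 1, 200)
    late = fragment(build_client_hello(rnd, make_cookie(rnd), GROUP_X25519, False), 1, 200)
    print(inspect_first_fragment(ok[0]), inspect_first_fragment(late[0]))
```

With the Cookie and KeyShare extensions placed first, a 528-byte ClientHello split into 200-byte fragments is accepted from fragment 0 alone and fragments at non-zero offsets are dropped without reassembly; the same ClientHello with the cookie placed last, a ClientHello with no cookie at all, or one whose key share uses a group the server does not accept, each gets "retry" from the first fragment, which is the stateless reject the mail argues for.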
