Let's forget about DTLS and focus on TLS. I was arguing that correctness and security are different things.

If TLS is used over unreliable transport, of course it is not possible for TLS to maintain an implicit sequence number. Without reliable transport the implicit sequence number would not work if loss or out-of-order delivery of TLS records happens, *even if there is no attacker*. That is why I think that reliable transport is needed for TLS to make the implicit sequence number work *correctly* so that it can be used for *security*. Maybe we are talking about the same thing in different ways.
Yoshihiro Ohba
On Sat, Mar 10, 2007 at 09:08:42PM -0800, Lakshminath Dondeti wrote:
> Yoshihiro Ohba wrote:
> >On Sat, Mar 10, 2007 at 02:37:11AM -0800, Lakshminath Dondeti wrote:
> >>TLS requires reliable transport for replay protection. (I guess Bernard
> >>was trying to get at this in another context in this thread)
> >
> >TLS requires reliable transport for implicit sequence number to work
> >for replay protection.
>
> Right, that's what I was getting at.
>
> >But this does not mean replay attack is
> >possible if TLS is run over unreliable transport.
>
> How is the sequence number maintained in that case? Are you saying that
> we might use an explicit sequence number as in DTLS? But, we are not
> discussing DTLS, are we?
>
> What am I missing?
>
> thanks,
> Lakshminath
>
> PS: To Avi's question, I was thinking in case of PEAP and TTLS if the
> EAP layer cannot guarantee in-order reliable delivery, how else do the
> endpoints maintain sequence numbers? If there is no other way, we can
> conclude that PEAP and TTLS require in-order reliable delivery for one
> of its security guarantees.
>
> >
> >Yoshihiro Ohba
> >
>
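The point under discussion, shown as an added illustration that is not part of the thread: a TLS 1.2-style record MAC covers an implicit sequence number that both ends derive by counting, so a single lost or reordered record (with no attacker involved) desynchronises the receiver and every later record fails verification, whereas a DTLS-style explicit sequence number with a replay window tolerates reordering and still rejects duplicates. The key and record contents are constructed demo values.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-mac-key"  # constructed placeholder, not a real session key
APP_DATA, TLS12 = 23, 0x0303        # content type application_data, version TLS 1.2

def record_mac(key, seq, fragment):
    """TLS 1.2 MAC input: seq_num(8) || type(1) || version(2) || length(2) || fragment."""
    header = struct.pack("!QBHH", seq, APP_DATA, TLS12, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()

def protect_implicit(key, fragments):
    """TLS sender: the sequence number is NOT on the wire, only implied by send order."""
    return [(frag, record_mac(key, seq, frag)) for seq, frag in enumerate(fragments)]

def verify_implicit(key, wire_records):
    """TLS receiver: its own counter supplies the sequence number. Any loss or
    reordering makes the counter disagree with the sender's, so records fail
    even though nobody tampered with them."""
    return [hmac.compare_digest(mac, record_mac(key, expected, frag))
            for expected, (frag, mac) in enumerate(wire_records)]

def protect_explicit(key, fragments):
    """DTLS-style sender: the sequence number travels inside the record."""
    return [(seq, frag, record_mac(key, seq, frag)) for seq, frag in enumerate(fragments)]

def verify_explicit(key, wire_records, window=64):
    """DTLS-style receiver: MAC check plus sliding-window replay detection.
    Reordered or missing records are fine; a duplicate or too-old seq is rejected."""
    highest, seen, results = -1, set(), []
    for seq, frag, mac in wire_records:
        mac_ok = hmac.compare_digest(mac, record_mac(key, seq, frag))
        replay = seq in seen or seq <= highest - window
        accepted = mac_ok and not replay
        results.append(accepted)
        if accepted:
            seen.add(seq)
            highest = max(highest, seq)
    return results

if __name__ == "__main__":
    frags = [b"rec0", b"rec1", b"rec2", b"rec3"]
    tls = protect_implicit(KEY, frags)
    print("TLS, in order:      ", verify_implicit(KEY, tls))
    print("TLS, record 1 lost: ", verify_implicit(KEY, [tls[0], tls[2], tls[3]]))
    dtls = protect_explicit(KEY, frags)
    print("DTLS, 1 and 2 swapped:", verify_explicit(KEY, [dtls[0], dtls[2], dtls[1], dtls[3]]))
    print("DTLS, 1 replayed:     ", verify_explicit(KEY, [dtls[0], dtls[1], dtls[1]]))
```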
_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap
Archives: http://lists.frascone.com/pipermail/eap