RFC Errata
RFC 9147, "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3", April 2022
Source of RFC: tls (sec)
Errata ID: 8108
Status: Reported
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: David Benjamin
Date Reported: 2024-09-18
Section 7.2 says:
acknowledgements for records which have already been ACKed. As noted above, the receipt of any record responding to a given flight MUST be taken as an implicit acknowledgement for the entire flight to which it is responding.
It should say:
acknowledgements for records which have already been ACKed. As noted above, the receipt of any record responding to a given flight MUST be taken as an implicit acknowledgement for the entire flight to which it is responding. If any element of record_numbers in the ACK references an epoch that is higher than the epoch in which the ACK was received, the implementation MUST terminate the connection with an "illegal_parameter" alert.
Notes:
Section 7 discusses that you cannot send ACKs for later epochs, but does not say anything about what the receiver does. To prevent an attacker from, e.g., using a plaintext ACK to interfere with ACKs of an encrypted epoch, I think we need to tell the receiver to check this.
Otherwise we need to be much more explicit about the points at which the receiver MUST close old epochs. Honestly, we probably should be explicit about this too, but we should also be clear on this point.