1) You send a heartbeat at time t0;
2) You wait until time t1;
3) You send another heartbeat at time t2;
4) You receive a heartbeat reply at time t3;
Was your t3 receipt the result of your t0 heartbeat, or your t2 heartbeat?
That is the purpose of the payload, to distinguish which reply matches with which transmission.
Now, why variable sized with a max of 64k vs. say an 8-byte integer? The variable sized with max of 64k was most likely intended to support the second purpose in the RFC, path MTU discovery. To discover the path MTU, you need to be able to send a "too big packet", as well as adjust the packet size until you find the proper MTU value.
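The matching described above, as an added example that is not part of the original comment and is not OpenSSL's code. It uses the RFC 6520 message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the `hb_*` names, the 8-byte payloads and the pending table are assumptions made for illustration. It also discards a reply whose declared payload length exceeds the bytes actually received, as RFC 6520 requires.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_MIN_PAD = 16 };
/* Hypothetical bookkeeping: payload of each heartbeat still awaiting a reply. */
struct hb_pending { uint8_t payload[8]; int in_flight; };

/* Build type(1) | payload_length(2, big-endian) | payload | 16 bytes padding. */
size_t hb_build(uint8_t *out, uint8_t type, const uint8_t *payload, uint16_t plen)
{
    out[0] = type; out[1] = (uint8_t)(plen >> 8); out[2] = (uint8_t)plen;
    memcpy(out + HB_HDR, payload, plen);
    memset(out + HB_HDR + plen, 0, HB_MIN_PAD);  /* real padding is random */
    return HB_HDR + (size_t)plen + HB_MIN_PAD;
}

/* Index of the request this reply answers, or -1 if it must be discarded. */
int hb_match(struct hb_pending *sent, size_t n, const uint8_t *msg, size_t len)
{
    if (len < HB_HDR + HB_MIN_PAD || msg[0] != HB_RESPONSE)
        return -1;
    size_t plen = ((size_t)msg[1] << 8) | msg[2];
    if (plen > len - HB_HDR - HB_MIN_PAD)  /* declared length exceeds bytes received */
        return -1;
    for (size_t i = 0; i < n; i++)
        if (sent[i].in_flight && plen == sizeof sent[i].payload &&
            memcmp(msg + HB_HDR, sent[i].payload, plen) == 0) {
            sent[i].in_flight = 0;         /* a request is answered only once */
            return (int)i;
        }
    return -1;
}

/* Constructed scenario from the thread: requests at t0 and t2, one reply at t3. */
int hb_demo(int bad_length)
{
    struct hb_pending sent[2] = { { "hb-t0..", 1 }, { "hb-t2..", 1 } };
    uint8_t reply[64];
    size_t len = hb_build(reply, HB_RESPONSE, sent[1].payload, 8);
    if (bad_length)
        reply[1] = 0xff;                   /* length field no longer fits the message */
    return hb_match(sent, 2, reply, len);
}

int main(void)
{
    printf("t3 reply matches request #%d; bad length -> %d\n", hb_demo(0), hb_demo(1));
}
```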
I understand needing a unique identifier to distinguish between heartbeats ... but why conflate the heartbeat with Path MTU, which is an orthogonal process.
Is it really that much less efficient to do Path MTU with a different message/system/module? Why absorb this function into the OpenSSL package?
I feel I am still missing something about the way this system works. Perhaps I just need to educate myself more on security and networking.
> I understand needing a unique identifier to distinguish between heartbeats ... but why conflate the heartbeat with Path MTU, which is an orthogonal process.
The only people who can accurately answer that are the author of the RFC/code, and the TLS committee members who discussed the changes.
From a security standpoint, it is more dangerous to commingle the two, because a bug in one side (path MTU) will also affect the other half (heartbeat). And that is exactly what happened.
> Why absorb this function into the OpenSSL package?
Unknown. Path MTU discovery is supposed to be handled at a low layer in the OSI network stack abstraction (closer to the physical hardware) such that higher level layers/apps should not need to care. Putting it into TLS the protocol is a blatant layering violation.