IETF Logo Mail Archive

Re: [Dtls-iot] TLS False Start ... Re: WGLC for DTLS Profile draft: 11/11/2014 - 11/25/2014

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 29 November 2014 09:09 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 096DF1A01F6 for <dtls-iot@ietfa.amsl.com>; Sat, 29 Nov 2014 01:09:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4aXvxc9Z6CNE for <dtls-iot@ietfa.amsl.com>; Sat, 29 Nov 2014 01:08:59 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A4CF1A01F2 for <dtls-iot@ietf.org>; Sat, 29 Nov 2014 01:08:59 -0800 (PST)
Received: from [192.168.131.133] ([80.92.115.84]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MMCFR-1XosCS01jp-0085Gb; Sat, 29 Nov 2014 10:08:49 +0100
Message-ID: <54798D1F.9070705@gmx.net>
Date: Sat, 29 Nov 2014 10:08:47 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
References: <6F73BAEE-5FA3-4BCA-9A28-B98E1093CB95@gmail.com> <FBB16F17-4DC5-47F1-A9DD-34A3DBCD980E@isode.com> <5478657E.4030106@gmx.net> <5478CA79.6010102@gmx.net> <1417207091.9790.1.camel@gnutls.org>
In-Reply-To: <1417207091.9790.1.camel@gnutls.org>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="5TQcSkScML1cxFj9TAvJ9fufdGaWXk506"
X-Provags-ID: V03:K0:xvaOko6sntdaPj0uR8+DHDY4fXC+3j8kOIKKETYUoK3L7YRmKkg l73srZjp2IyNbt9dqWhm7VlVa8tFQoObYAYj9sbBwQWz79YOrewhvJBSFcFXbvSAl1d1scI 9U5eC/ffNGopUwk73+xcblYsoIW8ssPLI+lPyT1Du/kJaz16prgangD0wXAnshY38i+MoZ/ HttgxtU3oON9YSC8qFASw==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/dtls-iot/X4m44hEtZxQkx4GCBqpYuWf0sdc
Cc: Dorothy Gellert <dorothy.gellert@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>, Zach Shelby <Zach.Shelby@arm.com>
Subject: Re: [Dtls-iot] TLS False Start ... Re: WGLC for DTLS Profile draft: 11/11/2014 - 11/25/2014
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Nov 2014 09:09:01 -0000

Hi Nikos,

when I attend the TLS interim meeting in Paris I got a different
perception about the status of the TLS False Start work.

First, I was told that TLS False Start is widely deployed.

Second, the TLS chairs asked Bodo to resubmit his document and to push
it through the standardization process.

Here is a recent mail to the TLS mailing list on that topic:
http://www.ietf.org/mail-archive/web/tls/current/msg14530.html

Here is the recently submitted draft:
http://tools.ietf.org/html/draft-bmoeller-tls-falsestart-01

Finally, the text I propose for the DTLS profile draft recommends its
usage but does not mandate the implementation nor the deployment.

I did, however, had questions when reading through the draft in terms of
applicability for the IoT context, which I raised on the TLS mailing
list yesterday:
http://www.ietf.org/mail-archive/web/tls/current/msg14787.html

Ciao
Hannes

On 11/28/2014 09:38 PM, Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-11-28 at 20:18 +0100, Hannes Tschofenig wrote:
>> Hi Alexey,
>>
>> On 11/28/2014 01:07 PM, Hannes Tschofenig wrote:
>>>> In 5.1: is use of something like False Start common in IoT environment?
>>>>> As it reduces number of round trips, it might be advantageous and you
>>>>> should consider mentioning it.
>>> Good question. I added it to the issue tracker:
>>> https://tools.ietf.org/wg/dice/trac/ticket/20
>> I believe TLS False Start would be a good fit. I added a section about
>> it into the draft. Here is the text:
>>    Based on the improvement over a full roundtrip for the full TLS/DTLS
>>    exchange this specification RECOMMENDS the use of the TLS False Start
>>    mechanism when clients send application data first.
> 
> TLS false start is only described in an expired draft since 2010. Apart
> from taking the TLS security guarantees to its limits (attacks that may
> require significant online effort on TLS can be converted to off-line
> attacks with false start), and having very little review from crypto
> community, there is no guarantee that an IETF false start (or even an
> informational RFC of the same document) would be compatible with it. So
> at least a more stable reference should available before recommending it
> in a standard's track document.
> 
> regards,
> Nikos
> 
> 
> _______________________________________________
> dtls-iot mailing list
> dtls-iot@ietf.org
> https://www.ietf.org/mailman/listinfo/dtls-iot
>

v2.23.0 | Report a Bug | By Email