Re: [hybi] Websocket over TLS keep-alive overhead

Takeshi Yoshino <tyoshino@google.com> Thu, 06 December 2012 07:35 UTC

In-Reply-To: <CAGzyod65+eFzY9BetHCXHM_rwRDok1WUMwsrtprWJ-g02NECDA@mail.gmail.com>
References: <E44893DD4E290745BB608EB23FDDB762317CFF@008-AM1MPN1-042.mgdnok.nokia.com> <634914A010D0B943A035D226786325D4339290CD54@EXVMBX020-12.exch020.serverdata.net> <CAH9hSJYm3Ucynuumd7iMO8Cw3use1BKBi2MTpybecuS1Si7caA@mail.gmail.com> <20121129101102.GA17793@jl-vm1.vm.bytemark.co.uk> <CAGzyod65+eFzY9BetHCXHM_rwRDok1WUMwsrtprWJ-g02NECDA@mail.gmail.com>
From: Takeshi Yoshino <tyoshino@google.com>
Date: Thu, 06 Dec 2012 16:34:49 +0900
Message-ID: <CAH9hSJb1KtejgdyV=8ET1e97rJJj7e4Ae99TM-mD50cNGOQgpg@mail.gmail.com>
To: Roberto Peon <fenix@google.com>
Cc: hybi@ietf.org
Subject: Re: [hybi] Websocket over TLS keep-alive overhead
List-Id: Server-Initiated HTTP <hybi.ietf.org>

On Fri, Nov 30, 2012 at 3:42 AM, Roberto Peon <fenix@google.com> wrote:

> ++
> On Nov 29, 2012 2:11 AM, "Jamie Lokier" <jamie@shareable.org> wrote:
>
snip

>> It might make sense if TLS could transmit its own, much shorter,
>> keepalive messages, which are for the sole purpose of keeping the link
>> alive.  I would guess, since they have no other effect, that they
>> wouldn't be exploitable in the same way.  Is that right?
There might be some NOP available at the TLS level, but I'm not sure. I heard
that an old attempt (0/n record splitting) to address an ancestor of the BEAST
attack faced a problem that some existing networks (NWs) can't handle an empty
record correctly.

How about allowing the API to invoke a TCP-layer keepalive (a null TCP packet)
instead of a NOP TLS record?

I found a similar discussion in these threads about
http://tools.ietf.org/html/rfc6520:
- http://www.ietf.org/mail-archive/web/tls/current/msg07986.html
- http://www.ietf.org/mail-archive/web/tls/current/msg07987.html


>> It would be best if they could be invoked from the higher layer rather
>> than generated in TLS itself (because the higher layer will have a
>> better idea of the keepalive patterns that it needs), and if they were
>> one-way keepalives rather than PING/PONG to avoid amplification
>> attacks, and because PING/PONG is not the most efficient keepalive
>> pattern.
>>
>> Is there provision in TLS for that sort of thing now?
>>
>> (Of course over mobile links, it would make much more sense for power
>> efficiency to have a single, aggregated keepalive stream for all
>> sockets rather than one per active websocket, or some other way of
>> taking advantage of the phone's existing mobile link-level keepalives
>> which it already does and are designed for efficiency.)
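The two options weighed in this message, an application-layer WebSocket PING that has to travel inside a TLS record versus a kernel TCP keepalive that sends an empty segment and touches no TLS state, are shown side by side in the following example. It is added here and is not code from the thread or from any of its participants. The TLS record overhead figures are assumptions for two TLS 1.2 suite families (AES-GCM: 5-byte header, 8-byte explicit nonce, 16-byte tag; AES-CBC with HMAC-SHA1: 5-byte header, 16-byte explicit IV, 20-byte MAC, padding to the 16-byte block); the `TCP_KEEP*` option names are the Linux spellings and are applied only where the running platform exposes them. The loopback helper and all sample frames are constructed inline so the code runs offline.

```python
"""Added example (not part of the hybi thread): application-level WebSocket
PING frames versus kernel TCP keepalive, and what each costs on the wire.
Assumed overheads: TLS 1.2 AES-GCM (8-byte explicit nonce, 16-byte tag) and
AES-CBC/HMAC-SHA1 (16-byte explicit IV, 20-byte MAC, 16-byte block padding).
TCP_KEEP* names are Linux spellings and are applied only if present."""
import os
import socket

OPCODE_PING = 0x9
OPCODE_PONG = 0xA


def ws_control_frame(opcode, payload=b"", mask_key=None):
    """Encode a single RFC 6455 control frame: FIN=1, RSV=0, payload <= 125.
    Client-to-server frames must be masked; pass mask_key=None for the
    unmasked server-to-client direction."""
    if len(payload) > 125:
        raise ValueError("control frame payload must be <= 125 bytes")
    first = 0x80 | (opcode & 0x0F)  # FIN bit set, RSV1-3 clear
    if mask_key is None:
        return bytes([first, len(payload)]) + payload
    if len(mask_key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return bytes([first, 0x80 | len(payload)]) + mask_key + masked


def ws_ping_frame(payload=b"", mask_key=None):
    """Client-side PING: always masked, with a fresh random key by default."""
    return ws_control_frame(OPCODE_PING, payload, mask_key or os.urandom(4))


def parse_control_frame(frame):
    """Decode a control frame back to (opcode, payload), unmasking if needed."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    first, second = frame[0], frame[1]
    opcode, length = first & 0x0F, second & 0x7F
    if not first & 0x80 or length > 125:
        raise ValueError("not a single-fragment control frame")
    pos, key = 2, None
    if second & 0x80:
        key, pos = frame[2:6], 6
    payload = frame[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if key is not None:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload


def tls_record_size(plaintext_len, suite="aes-gcm"):
    """Bytes on the wire for one TLS 1.2 application-data record under the
    assumed suite families (see module docstring). A TCP keepalive probe
    carries no TLS record at all, so its TLS-level cost is 0."""
    if suite == "aes-gcm":
        return 5 + 8 + plaintext_len + 16
    if suite == "aes-cbc-sha1":
        padded = ((plaintext_len + 20 + 1 + 15) // 16) * 16  # MAC + pad_len + pad
        return 5 + 16 + padded
    raise ValueError("unknown suite family: " + suite)


def keepalive_costs():
    """Wire cost of one masked empty PING through TLS vs. a TCP keepalive."""
    ping = len(ws_ping_frame())  # 2-byte header + 4-byte mask = 6 bytes
    return {
        "ws_ping_tls_aes_gcm": tls_record_size(ping, "aes-gcm"),
        "ws_ping_tls_aes_cbc_sha1": tls_record_size(ping, "aes-cbc-sha1"),
        "tcp_keepalive_probe": 0,  # zero-length segment: TCP/IP headers only
    }


def enable_tcp_keepalive(sock, idle=60, interval=10, count=3):
    """Ask the kernel to probe an idle connection with zero-payload segments.
    Returns the values read back so the caller can see what actually took."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    # Linux names; macOS spells idle as TCP_KEEPALIVE, Windows uses SIO_KEEPALIVE_VALS.
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPALIVE", idle),
                        ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def keepalive_on_loopback(idle=30, interval=5, count=4):
    """Open a loopback TCP connection and enable keepalive on the client end."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    peer, _ = srv.accept()
    try:
        return enable_tcp_keepalive(cli, idle, interval, count)
    finally:
        for s in (cli, peer, srv):
            s.close()
```

`keepalive_costs()` makes the comparison concrete: an empty masked PING is 6 bytes of WebSocket framing that becomes a 35-byte record under AES-GCM or a 53-byte record under AES-CBC/SHA-1, before TCP/IP headers, whereas the kernel probe enabled by `enable_tcp_keepalive()` is a bare TCP segment with no payload. Note that `enable_tcp_keepalive()` gives the application control of the timing pattern (the point raised in the quoted text) but not of the semantics: TCP keepalive only proves the peer's kernel is reachable, not that the WebSocket endpoint above it is still alive, so it is a complement to, not a replacement for, an occasional end-to-end PING.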