Re: [secdir] Secdir review of draft-ietf-tls-record-limit

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 27 February 2018 10:27 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62E1F1200F1; Tue, 27 Feb 2018 02:27:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.91
X-Spam-Level:
X-Spam-Status: No, score=-2.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TmG2OoaLrcfA; Tue, 27 Feb 2018 02:27:11 -0800 (PST)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00062.outbound.protection.outlook.com [40.107.0.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C4E41204DA; Tue, 27 Feb 2018 02:27:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fHzmxI9G//b3sqTrLhYPV37HzDbSn9B2+MqLshLBMnY=; b=BsjnpiLsMIuEdg+x0BIwUJi1vHdS19zURyLElUfvPX7bEEnoVo3dE/unLBgT0tkwL2Juyy3BDcAeUElrWkHMUF8UGmqQXy4kLRPEC8ix94iFoM2MLLDqGnkbe6DbLp8svEqgEq8bIoReYcoGA12Uoic1wUL7J6XvUROZamxgpb0=
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) by AM4PR0801MB1570.eurprd08.prod.outlook.com (10.168.6.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.506.18; Tue, 27 Feb 2018 10:27:08 +0000
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::7954:44ac:aab4:bc2c]) by AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::7954:44ac:aab4:bc2c%14]) with mapi id 15.20.0527.021; Tue, 27 Feb 2018 10:27:07 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Martin Thomson <martin.thomson@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: Alan DeKok <aland@deployingradius.com>, "draft-ietf-tls-record-limit@ietf.org" <draft-ietf-tls-record-limit@ietf.org>, IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Secdir review of draft-ietf-tls-record-limit
Thread-Index: AQHTrqGSa72OyyaNEUOT8kn5vxYs5KO4BpFg
Date: Tue, 27 Feb 2018 10:27:07 +0000
Message-ID: <AM4PR0801MB2706045BB181BB0DBE95BCCFFAC00@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <5C2E06FE-8685-457D-ACED-5600092C1CB1@deployingradius.com> <CABkgnnVYbK-==zHyUTPiWxQ_so9XepWKpUpdd=1-OsJuv_0VFQ@mail.gmail.com> <F9726F86-DF0E-46DE-B0E4-F688C7D9A51C@deployingradius.com> <20180223191714.GG50954@kduck.kaduk.org> <CABkgnnULmVtg+a0ukGSETF1nJTav+Q969u93LgL-cO-=bx2RSA@mail.gmail.com>
In-Reply-To: <CABkgnnULmVtg+a0ukGSETF1nJTav+Q969u93LgL-cO-=bx2RSA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.116.87]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0801MB1570; 7:dmFg+BQHPuYKfCcnue5ITc/IQsmG1abDtlwnv77hSs4ZkRCnaOo9vOev8NHeUpbX+ZzsuXQRD51En4SVyAyG2tgPYGYyl04NAnXsaVuM5kV6YuJrPqp8jTr1i3MZdB+/6+ROPcDgZpQzQb7xuWCnI+AiEEHdoN4gOIhKeSDnEBMBsTEdkqiJ8NfuRSiDmJ33kr6hnB6BtUXKzA/j3C0f3VqH5vlhfsU1NSkbZGpSsIebcsBlyIXbeA4IYr0AMECn
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 8939ecdb-b760-465e-e3c2-08d57dcca781
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:AM4PR0801MB1570;
x-ms-traffictypediagnostic: AM4PR0801MB1570:
x-microsoft-antispam-prvs: <AM4PR0801MB1570C0E00EA52251F46E43B7FAC00@AM4PR0801MB1570.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(85827821059158)(240460790083961);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040501)(2401047)(8121501046)(5005006)(3002001)(3231220)(944501161)(52105095)(93006095)(93001095)(10201501046)(6055026)(6041288)(20161123562045)(20161123558120)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:AM4PR0801MB1570; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0801MB1570;
x-forefront-prvs: 05961EBAFC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(396003)(39860400002)(39380400002)(366004)(376002)(40434004)(13464003)(189003)(199004)(59450400001)(186003)(7736002)(6506007)(74316002)(3280700002)(68736007)(8936002)(54906003)(6116002)(26005)(110136005)(3846002)(53936002)(7696005)(97736004)(53546011)(76176011)(102836004)(81166006)(2950100002)(81156014)(2171002)(305945005)(6436002)(8676002)(6246003)(93886005)(2900100001)(478600001)(105586002)(5250100002)(4326008)(5660300001)(72206003)(99286004)(39060400002)(2906002)(25786009)(5890100001)(33656002)(316002)(14454004)(9686003)(86362001)(3660700001)(66066001)(106356001)(55016002)(229853002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0801MB1570; H:AM4PR0801MB2706.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Ap9GXFjY1Grt+N5zegHeWDQsisBBRVwfYAxgGDUZbKZhXBqCtoWjFAUaeZ6kMW9ijVKagCmtQhi9sjz1MMb7CC5Ap7fw/mKwkPoLyGFO5GdCvGhsUHqOj6GcBkv77jBiLbYVVpxsugDkizT33kaolCr32pYjR7UT04QMW0FprBk=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8939ecdb-b760-465e-e3c2-08d57dcca781
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Feb 2018 10:27:07.8807 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB1570
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/NqOPxd4rlgxPLI6_PBlK8nV_gmI>
Subject: Re: [secdir] Secdir review of draft-ietf-tls-record-limit
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2018 10:27:13 -0000

My 5 cents. We currently only have a very basic implementation of the Maximum Fragment Length extension and have been waiting for the RSL extension to complete before we add the functionality to the Mbed TLS stack.

The problem we have with IoT devices is that they are quite limited in terms of available RAM*. Additionally, public key crypto requires a lot of RAM when performance optimizations are enabled. Hence, there is not much left for the message buffers.

Hence, we want to let the other communication party know what limits there are. As pointed out in this discussion thread there is an interworking between the MTU/PMTU and the MFL/RSL mechanisms when a stack decides about fragmenting (or combining) messages into records.

My thinking was that the relationship between MTU/PMTU and MFL/RSL is actually fairly easy, namely something like max_fragment_size=min(MTU/PMTU, MFL/RSL)

Of course, implementations are going to be complex since they cannot just look at the fragment size alone. Instead you also have to consider what the stack or the application should do with the received data.

For example, imagine a certificate message that may contain multiple certificates that then need to be processed one by one by the recipient. Here the stack needs to be "smart" enough to send enough data that the recipient can actually do something with it (like one complete certificate) but also not too much so that it still fits into the buffer. For application data it may be less complicated since the application developer who had set the RSL limit is most likely aware of what to do when the stack cannot send all the data.

In my earlier review I pointed out that setting reasonable values by the developer may actually be complicated since the size of transmitted messages in DTLS/TLS depends very much on the selected ciphersuite and various other parameters (key size, padding of the algorithm, padding for avoiding traffic analysis, authentication tag size, use of certain extensions). Additionally, there are higher layer protocols (such as CoAP) that also add header information. A developer therefore has to know quite a bit to pick the values appropriately when they are using a constrained device.

FWIW: The draft currently says that "unprotected messages - handshake messages in particular - are not subject to this limit.". I am not sure whether I fully understand that sentence. Does it mean that the limit does not apply to handshake messages at all or only to handshake messages that are unprotected? In either case I am not sure whether that scoping makes sense since handshake messages can become fairly large.

Ciao
Hannes

PS: The RAM limitation is obviously independent of whether you use TCP or UDP. Hence, I expect this extension to be applicable to both. Of course, with TCP you additionally have a layer in there that offers fragmentation...


-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com]
Sent: 26 February 2018 02:32
To: Benjamin Kaduk; Hannes Tschofenig
Cc: Alan DeKok; draft-ietf-tls-record-limit@ietf.org; IESG; secdir@ietf.org
Subject: Re: Secdir review of draft-ietf-tls-record-limit

On Sat, Feb 24, 2018 at 6:17 AM, Benjamin Kaduk <kaduk@mit.edu>; wrote:
> The record size limit is a cap, not a mandatory record size.

That's right.  Alan, does that address your primary concern?

> On Fri, Feb 23, 2018 at 09:49:11AM -0500, Alan DeKok wrote:
>>   RFC 6347 Section 4.1.1.1 gives some guidance, but I think not enough.  Exposing the MTU to the application is good, but what does the application *do* with this information?

In many cases, nothing.

My understanding of DTLS implementations is that the size of a write determines the size of the packet that is ultimately sent.  Say I write 100 octets to the socket, so DTLS writes out a record of 128 octets.

What stacks do when a write exceeds PMTU differs.  The same applies to this new limit:

* The stack I work on splits records based on its understanding of the MTU, but it only learns that during the handshake and so relies mostly on the application making smaller writes.  (There is currently no way to set the MTU, which is an open bug.)  It also sends a single record in each packet for application data, so the net effect of a large write is multiple UDP datagrams with one record each.

If your stack operates like this, then the information is pretty much just advisory.  The only thing you might contemplate is changing any coalescing rules you might have to compensate.

* If a stack did automatic splits, but then put multiple records in the same datagram, that's the same for a using application.

* If a stack rejects large writes and forces the application to write within its constraints, then that stack needs to be clear about what limit was in force, such as through the use of specific error codes.
Such stack that adds this feature would need to be careful about introducing this feature.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.