Re: [secdir] Secdir review of draft-ietf-tls-record-limit

Hannes Tschofenig <> Mon, 05 March 2018 16:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 35E3612D94F; Mon, 5 Mar 2018 08:52:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fzJVNG7car51; Mon, 5 Mar 2018 08:52:02 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fe02::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0822112D94A; Mon, 5 Mar 2018 08:52:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=RpU7rnsj1Sks80lLhTXGyqaKALjCcU5BzquMc33yOGk=; b=j20fWwN+OhcBbDLytj9L5D/vAlPBDZaSX6qCk10NXRDcmHR/1GwHzMQuRRSDzKge09O9OM2xiuMGwexSeq+zqKj0MnCnDuZ364IYoid7HUK4833+0Q1IOvBUMmr4PQisk3nh76vm82kfyAO+0gK4xUHVy4Bd+rZpz4Ng407oRkg=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Mon, 5 Mar 2018 16:51:58 +0000
Received: from ([fe80::783f:d09c:fea6:f83d]) by ([fe80::783f:d09c:fea6:f83d%17]) with mapi id 15.20.0548.016; Mon, 5 Mar 2018 16:51:58 +0000
From: Hannes Tschofenig <>
To: Martin Thomson <>
CC: Benjamin Kaduk <>, Alan DeKok <>, "" <>, IESG <>, "" <>
Thread-Topic: Secdir review of draft-ietf-tls-record-limit
Thread-Index: AQHTrqGSa72OyyaNEUOT8kn5vxYs5KO4BpFggAD7SYCAB0Hm4IAAZ/uAgAE7axA=
Date: Mon, 5 Mar 2018 16:51:58 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1759; 7:dKxjuxG4gRePf7vdlArWOHX9BmfTuVKQoEMOotkLxGuxwp+bZvRmQqlKiOC3xXfDY8fA/YvFpjrrGMZrwP5wugnqUgIaRTBsrMCsWoOSzNqip8NaJfZP4cqckpK823PhA8wPjmAPaJLrnhjknBxQDrmPCnm3MUPKwajkbyYrmX4cr0Ngu3Z8ms6xrXjMpWiLL1IuVCZ1Bv6C6E0+DDKl3FVDYGsiUXwz9ymvym4fTKVlPNH65wKnO5zzCsn9mT3J
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: cb48f0b2-64ec-433c-86e1-08d582b9693e
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603307)(7153060)(7193020); SRVR:VI1PR0801MB1759;
x-ms-traffictypediagnostic: VI1PR0801MB1759:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863)(180628864354917)(85827821059158);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040501)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(3231220)(944501244)(52105095)(3002001)(6055026)(6041288)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123564045)(20161123560045)(6072148)(201708071742011); SRVR:VI1PR0801MB1759; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB1759;
x-forefront-prvs: 06022AA85F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(366004)(39380400002)(376002)(346002)(39860400002)(40434004)(13464003)(199004)(189003)(55016002)(186003)(26005)(93886005)(8676002)(9686003)(102836004)(478600001)(53546011)(6506007)(6436002)(72206003)(59450400001)(5890100001)(4326008)(14454004)(5250100002)(81166006)(8936002)(81156014)(53936002)(68736007)(6246003)(3660700001)(25786009)(66066001)(106356001)(7736002)(86362001)(7696005)(97736004)(39060400002)(105586002)(2900100001)(6116002)(74316002)(316002)(2906002)(3280700002)(305945005)(5660300001)(76176011)(229853002)(6916009)(99286004)(3846002)(2950100002)(54906003)(33656002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1759;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Z7UPGA2PzlUKvqW1zSCvt/oGYywXrbErXaMStGE01qg4LNhWfMK5oPXW8my5iuF1i2AAqxiKsF4/jdm9w33p/vzU/s6Nv6d0a/mv+ZKgheE5Q6XfBwJCGnxorOyux8Tyok05O3S5vTQJ4r0sNTtsJTjB7HnxrMyAUFLZTqB+1cDKDgxfAsAB4lYDSvKeDys+ONxR+uCc037pUauCpGmf0AuAxck3A9l0uQIs10woLaQcgsedlDpkyUHJ/51rpudERhelTj60FrHfW+FqFhk5Ts2JNH7u9t6l0YwCUQz3P5VI7tqVrNjbzN9oF7n+nLG8CA5d6c1TeEanafv/su71CA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: cb48f0b2-64ec-433c-86e1-08d582b9693e
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2018 16:51:58.7965 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1759
Archived-At: <>
Subject: Re: [secdir] Secdir review of draft-ietf-tls-record-limit
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 05 Mar 2018 16:52:05 -0000

I believe we are on the same page with regards to this issue.

-----Original Message-----
From: Martin Thomson []
Sent: 04 March 2018 23:03
To: Hannes Tschofenig
Cc: Benjamin Kaduk; Alan DeKok;; IESG;
Subject: Re: Secdir review of draft-ietf-tls-record-limit

On Mon, Mar 5, 2018 at 2:57 AM, Hannes Tschofenig <>; wrote:
> [Hannes] I am not sure I fully understand the approach. Even if
> someone uses TCP a RAM limitation will not go away. TCP is likely to
> make the situation worse since it requires some amount of RAM as well
> even with the best possible configuration. (There is this work in LWIG
> on TCP implementation guidance where the authors are supposed to
> provide some information about the actual RAM usage of various TCP
> features and settings.)

Let me try to explain more.

An endpoint that can't handle a big packet (whether that be a big TCP segment or a big UDP datagram) can always pretend that this is a link issue and send the appropriate ICMP message.  That limits the size of packets they receive, at least to the point that the minimum for the IP version in use is reached (576 for v4, 1280 for v6).  I'm not sure what fragmentation does here, other than make things far worse.

If there are multiple packets arriving and no space for more than one, then the endpoint can pretend that it didn't receive the packet.  TCP also has ACKs, which the endpoint can withhold until it has space.

Thus, the endpoint can hold as little as a single MTU of data at once.
Given that it is not encrypted, my understanding is that there is no need to constrain how it is turned into records.

Note that a constrained server has to handle a full ClientHello - the client won't know the limit at the server.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.