Re: [tcpinc] Call for adoption of draft-rescorla-tcpinc-tls-option-05
Matt Corallo <tcpinc@bluematt.me> Mon, 02 November 2015 02:05 UTC
Return-Path: <tcpinc@bluematt.me>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E9531B4191 for <tcpinc@ietfa.amsl.com>; Sun, 1 Nov 2015 18:05:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ss5b8dscFcuR for <tcpinc@ietfa.amsl.com>; Sun, 1 Nov 2015 18:05:44 -0800 (PST)
Received: from mail.bluematt.me (mail.bluematt.me [192.241.179.72]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2EB11B4148 for <tcpinc@ietf.org>; Sun, 1 Nov 2015 18:05:44 -0800 (PST)
Received: from [172.17.0.1] (gw.vpn.bluematt.me [162.243.132.6]) by mail.bluematt.me (Postfix) with ESMTPSA id CC15E539F7; Mon, 2 Nov 2015 02:05:43 +0000 (UTC)
To: Eric Rescorla <ekr@rtfm.com>
References: <56267097.7060509@tik.ee.ethz.ch> <5636BE5A.9090408@bluematt.me> <CABcZeBPjvHuycOu-QtA6ScuvHErhyvHF+YLxd7Cd7LxfJtikZw@mail.gmail.com> <5636C31E.9060202@bluematt.me> <CABcZeBNztS5svgwjyVRoSSBRXy=uWh1+RSBsNckTGNfAxEiSNg@mail.gmail.com>
From: Matt Corallo <tcpinc@bluematt.me>
Message-ID: <5636C4F6.7010809@bluematt.me>
Date: Mon, 02 Nov 2015 02:05:42 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBNztS5svgwjyVRoSSBRXy=uWh1+RSBsNckTGNfAxEiSNg@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/4HBM8tDRVoaKFNdxO5HyEXT-g0A>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Call for adoption of draft-rescorla-tcpinc-tls-option-05
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2015 02:05:46 -0000
Am I incorrect in reading that both tls-option and tcpcrypt require a full three-way-handshake, and then the client is unable to send data for another round-trip as it must wait for another response from the server before session keys have been agreed upon? Moving client pubkeys into SYN is slightly crazy, but would shave off a RTT before client's first send. On 11/02/15 01:59, Eric Rescorla wrote: > > > On Mon, Nov 2, 2015 at 10:57 AM, Matt Corallo <tcpinc@bluematt.me > <mailto:tcpinc@bluematt.me>> wrote: > > Indeed, it does effect both tls-option and tcpcrypt as written. However, > fixing it in tls-option appears to require departing from TLS, > > > Again, I don't believe that this is correct. The mode described here > is the basic operating mode for TLS 1.3 [0]. > > -Ekr > > [0] TLS 1.2 is equally fast to the client's first send (if you use False > Start) > but slower for the server's. > > > whereas > fixing it in tcpcrypt does not. > > On 11/02/15 01:42, Eric Rescorla wrote: > > On Mon, Nov 2, 2015 at 10:37 AM, Matt Corallo <tcpinc@bluematt.me <mailto:tcpinc@bluematt.me> > > <mailto:tcpinc@bluematt.me <mailto:tcpinc@bluematt.me>>> wrote: > > > > I do not support adopting tcpinc-tls-option because: > > > > * Using TLS (even a limited set of allowed options) as the tcpinc > > mechanism loses the "defense in depth" property that tcpinc nicely > > provides for some applications. > > * I believe the extra round-trip for new connections to a new > server > > will significantly harm adoption of such a proposal. > > > > > > Can you elaborate on this? As indicated in the document, in TLS 1.3 > > the server can send his first byte upon receiving the client's first > > handshake message (in the ACK) and the client can send upon > > receiving the server's first handshake message (in the server's > > response to that message). I believe this shares the same latency > > characteristics as tcpcrypt. > > > > -Ekr > > > > > _______________________________________________ > Tcpinc mailing list > Tcpinc@ietf.org > https://www.ietf.org/mailman/listinfo/tcpinc >
- [tcpinc] Call for adoption of draft-rescorla-tcpi… Mirja Kühlewind
- Re: [tcpinc] Call for adoption of draft-rescorla-… Stephen Farrell
- Re: [tcpinc] Call for adoption of draft-rescorla-… Ted Hardie
- Re: [tcpinc] Call for adoption of draft-rescorla-… DIEGO LOPEZ GARCIA
- Re: [tcpinc] Call for adoption of draft-rescorla-… Eggert, Lars
- Re: [tcpinc] Call for adoption of draft-rescorla-… emile.stephan
- Re: [tcpinc] Call for adoption of draft-rescorla-… Eric Rescorla
- Re: [tcpinc] Call for adoption of draft-rescorla-… Eric Rescorla
- Re: [tcpinc] Call for adoption of draft-rescorla-… Yuchung Cheng
- Re: [tcpinc] Call for adoption of draft-rescorla-… ianG
- Re: [tcpinc] Call for adoption of draft-rescorla-… Eric Rescorla
- Re: [tcpinc] Call for adoption of draft-rescorla-… Border, John
- Re: [tcpinc] Call for adoption of draft-rescorla-… Derek Fawcus
- Re: [tcpinc] Call for adoption of draft-rescorla-… Stephen Kent
- [tcpinc] Reminder: 2 days left [was: Re: Call for… Mirja Kühlewind
- Re: [tcpinc] Call for adoption of draft-rescorla-… Matt Corallo
- Re: [tcpinc] Call for adoption of draft-rescorla-… Eric Rescorla
- Re: [tcpinc] Call for adoption of draft-rescorla-… Matt Corallo
- Re: [tcpinc] Call for adoption of draft-rescorla-… Eric Rescorla
- Re: [tcpinc] Call for adoption of draft-rescorla-… Matt Corallo
- Re: [tcpinc] Call for adoption of draft-rescorla-… Matt Corallo
- Re: [tcpinc] Call for adoption of draft-rescorla-… Eric Rescorla
- Re: [tcpinc] Call for adoption of draft-rescorla-… Martin Thomson
- Re: [tcpinc] Call for adoption of draft-rescorla-… Cullen Jennings
- Re: [tcpinc] Call for adoption of draft-rescorla-… Joseph Lorenzo Hall
- Re: [tcpinc] Call for adoption of draft-rescorla-… Sean Turner
- Re: [tcpinc] Call for adoption of draft-rescorla-… David Mazieres