Re: [tcpinc] Call for adoption of draft-rescorla-tcpinc-tls-option-05

Eric Rescorla <ekr@rtfm.com> Mon, 02 November 2015 01:43 UTC

In-Reply-To: <5636BE5A.9090408@bluematt.me>
References: <56267097.7060509@tik.ee.ethz.ch> <5636BE5A.9090408@bluematt.me>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 02 Nov 2015 10:42:19 +0900
Message-ID: <CABcZeBPjvHuycOu-QtA6ScuvHErhyvHF+YLxd7Cd7LxfJtikZw@mail.gmail.com>
To: Matt Corallo <tcpinc@bluematt.me>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/8FBoe7h9ax9Y7wqlCaLOP8zYSkM>
Cc: tcpinc <tcpinc@ietf.org>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
Subject: Re: [tcpinc] Call for adoption of draft-rescorla-tcpinc-tls-option-05

On Mon, Nov 2, 2015 at 10:37 AM, Matt Corallo <tcpinc@bluematt.me> wrote:

> I do not support adopting tcpinc-tls-option because:
>
> * Using TLS (even a limited set of allowed options) as the tcpinc
> mechanism loses the "defense in depth" property that tcpinc nicely
> provides for some applications.
> * I believe the extra round-trip for new connections to a new server
> will significantly harm adoption of such a proposal.
Can you elaborate on this? As indicated in the document, in TLS 1.3
the server can send his first byte upon receiving the client's first
handshake message (in the ACK) and the client can send upon
receiving the server's first handshake message (in the server's
response to that message). I believe this shares the same latency
characteristics as tcpcrypt.

-Ekr
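The latency argument in the reply above can be checked with a simple flight-timing model. The following is an added example, not code from the mail, the draft or the working group: it assumes every one-way trip costs half an RTT, that processing time is zero, and that each handshake flight leaves as soon as the peer's previous flight arrives. The TLS 1.3 sequence is the one Ekr describes (server data appended to its first flight, client data sent with its Finished); the TLS 1.2 and bare-TCP sequences are added as reference points. tcpcrypt is not modelled, so the comparison Ekr makes to it is not reproduced here.

```python
"""Flight-timing model for the TLS-over-TCP latency claim.

Constructed model (assumption, not from the draft): each one-way trip
costs half an RTT, processing time is zero, and each handshake flight
departs as soon as the previous flight from the peer arrives.  Times are
in RTT units measured from the client's SYN.  The question answered is the
one in the thread: when may each side put its first application byte on
the wire?
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HALF_RTT = 0.5  # one-way delay, in RTT units (assumption)


@dataclass(frozen=True)
class Flight:
    sender: str          # "client" or "server"
    contents: str        # what the flight carries, for the printed timeline
    carries_data: bool   # True if application data may ride in this flight


def timeline(flights: List[Flight]) -> List[Tuple[float, float, Flight]]:
    """Return (depart_time, arrive_time, flight) for each flight in order.

    Flight i departs when flight i-1 arrives; the first flight departs at 0.
    The sequences below never have two consecutive flights from one side,
    since back-to-back messages from the same sender form one flight.
    """
    out = []
    t = 0.0
    for f in flights:
        depart, arrive = t, t + HALF_RTT
        out.append((depart, arrive, f))
        t = arrive
    return out


def first_byte_times(flights: List[Flight]) -> Dict[str, float]:
    """Earliest departure time at which each side sends application data."""
    times: Dict[str, float] = {}
    for depart, _arrive, f in timeline(flights):
        if f.carries_data and f.sender not in times:
            times[f.sender] = depart
    return times


# TCP handshake followed by the TLS 1.3 exchange described in the mail: the
# ClientHello rides on the TCP ACK, the server answers with its whole first
# flight and appends application data to it, and the client sends data
# together with its Finished once that flight arrives.
TCP_TLS13 = [
    Flight("client", "SYN", False),
    Flight("server", "SYN-ACK", False),
    Flight("client", "ACK + ClientHello", False),
    Flight("server", "ServerHello..Finished + app data", True),
    Flight("client", "Finished + app data", True),
]

# Same TCP handshake with a full TLS 1.2 exchange, added for comparison:
# neither side sends data before its own Finished, costing one more RTT.
TCP_TLS12 = [
    Flight("client", "SYN", False),
    Flight("server", "SYN-ACK", False),
    Flight("client", "ACK + ClientHello", False),
    Flight("server", "ServerHello, Certificate, ServerKeyExchange, ServerHelloDone", False),
    Flight("client", "ClientKeyExchange, ChangeCipherSpec, Finished", False),
    Flight("server", "ChangeCipherSpec, Finished + app data", True),
    Flight("client", "app data", True),
]

# Bare TCP as the floor: the client's data rides on the third-packet ACK and
# the server answers as soon as that ACK arrives.
TCP_ONLY = [
    Flight("client", "SYN", False),
    Flight("server", "SYN-ACK", False),
    Flight("client", "ACK + app data", True),
    Flight("server", "app data", True),
]


def extra_rtt(flights: List[Flight], baseline: List[Flight] = TCP_ONLY) -> Dict[str, float]:
    """Added first-byte latency, per side, relative to unencrypted TCP."""
    fb, base = first_byte_times(flights), first_byte_times(baseline)
    return {side: fb[side] - base[side] for side in base}


if __name__ == "__main__":
    for label, seq in (("TCP", TCP_ONLY), ("TCP+TLS1.3", TCP_TLS13), ("TCP+TLS1.2", TCP_TLS12)):
        print(f"== {label}")
        for depart, _arrive, f in timeline(seq):
            mark = "  [app data]" if f.carries_data else ""
            print(f"  t={depart:.1f} {f.sender:6s} {f.contents}{mark}")
        print("  first byte:", first_byte_times(seq), " extra RTT vs TCP:", extra_rtt(seq))
```

Under these assumptions the server's first byte leaves at the same instant in TCP+TLS 1.3 as in bare TCP (when the client's ACK, carrying the ClientHello, arrives), while the client pays one extra RTT; a TLS 1.2 handshake costs each side one RTT more than that. Whether that one client-side RTT "significantly harms adoption", as the quoted objection claims, is the point the model cannot settle; it only makes the round-trip accounting explicit.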