[tcpinc] Review of https://tools.ietf.org/html/draft-rescorla-tcpinc-tls-option-05
Kyle Rose <krose@krose.org> Tue, 20 October 2015 17:04 UTC
Return-Path: <krose@krose.org>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53B321AC3C6 for <tcpinc@ietfa.amsl.com>; Tue, 20 Oct 2015 10:04:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PCZTNz6EUqGL for <tcpinc@ietfa.amsl.com>; Tue, 20 Oct 2015 10:04:19 -0700 (PDT)
Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F90B1AC3BA for <tcpinc@ietf.org>; Tue, 20 Oct 2015 10:04:19 -0700 (PDT)
Received: by igbkq10 with SMTP id kq10so79664442igb.0 for <tcpinc@ietf.org>; Tue, 20 Oct 2015 10:04:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=sYaCCL77HT0JKobh/A8kA6dXoaFVCyioOpIbGjb/d8g=; b=iMPWnHjfGizM/PI/3viuC1sAZLzCK+n6qRKgs0AZYbBpiFs6UgOuzN/juRqTsDoEmP Xrlfh0ti+Bh3zyZhdc6An+QvP5N4LZOwW+ipO6rYuQpPtToaXME2cWRPjghMEEHoA61t OElC9uoQP0X4HwqANNvh6zEEybEjsmFoLvyBs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=sYaCCL77HT0JKobh/A8kA6dXoaFVCyioOpIbGjb/d8g=; b=CYoqtKmnF8n9ouPtTMWd+fghEkifCmz3kAn0IXMTYB94fYH2XZZvQVETfjftxNsOm3 ykUZuIN7fAIARIBU10bbRxsRgDYterRBwX5j2wSb5K319xW+XYCLzi2fay/XEfedVf03 7uRJu3G1XBwAhDBCADEPSu6ON9VTF/wbiXYTx6lITJdWKZ3vf72EjaZMELWPpEK6Rs+E kdTZUkNzbvGa45LH3db2Ufvw/G9HRF0PNncC/hVMSzTQRSXkOEcisjdm0imNa/VTvUbo Gr6EbMHBX9hKgL3yp9gQfLdubA+EZvmHByBUUOKM3Xz5MaUpn0KwQJUVXa13dNwMl3Vn OJtw==
X-Gm-Message-State: ALoCoQmoztJcrUPfZjZ4qAl+l86MNWM7Wxru7ivvVPy5Rqg8cIYh1mp3lYdtUdzU3Y7ihuCdsTHs
MIME-Version: 1.0
X-Received: by 10.50.73.98 with SMTP id k2mr25637211igv.96.1445360658403; Tue, 20 Oct 2015 10:04:18 -0700 (PDT)
Received: by 10.79.31.130 with HTTP; Tue, 20 Oct 2015 10:04:18 -0700 (PDT)
X-Originating-IP: [72.246.0.10]
Date: Tue, 20 Oct 2015 13:04:18 -0400
Message-ID: <CAJU8_nWbeXSNJwNSAy+z-0UcmJ2o1DLuoB8P3q3JF91A2t69ew@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
To: tcpinc <tcpinc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/BZ1odSN6c3FGRBpJ-u-Lj4laU6c>
Subject: [tcpinc] Review of https://tools.ietf.org/html/draft-rescorla-tcpinc-tls-option-05
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2015 17:04:21 -0000
(1) §2: "If the TLS handshake fails for non-cryptographic reasons such as
failure to negotiate a compatible cipher or the like, endpoints
SHOULD behave as if the the TCP-TLS option was not present."
David is right that this conflicts with TCP-ENO, but I'd actually
advocate changing the ENO draft and moving in the opposite direction
in order to be most in-line with the spirit of the WG: that failure to
negotiate TCPINC means fallback to unencrypted TCP.
To that end I'd suggest that any failure to negotiate TLS, except a
loss of sync resulting in an inability to deserialize the record
stream, should result in fallback to TCP. It should then be up to the
application to decide whether or not to proceed in the absence of
encryption. This still leaves a huge DoS attack surface for certain
classes of attackers, but much of that can be addressed with TCP-AO,
so I think we still gain a lot by requiring this.
(2) §3: "but encourage implementations to implement only TLS 1.3". If
this is the case, 1.2 would be mostly useless outside of custom
installations, which is not really the point of the WG as custom
installations can (and probably do) support TLS directly. Requiring
interoperability with the rare TLS 1.2-supporting implementations
would mostly just add complexity and additional attack surface. I'd
strike it and require TLS 1.3.
(3) §3.1.2.2.1: "ServerConfiguration [6.3.7]" Maybe reiterate here
that this is optional? Otherwise, the wording at the top of the
section suggests that every record in the sequence is required.
(4) §3.1.2: What is the point of the server certificate, the signature
in CertficateVerify, and authenticating said signature on the client?
As the public key is either made up on the spot, or its provenance
explicitly ignored ("it SHOULD NOT attempt to validate the
certificate"), It seems to provide no value and consumes CPU. Any
actual authentication of the channel's privacy would have to occur
either out-of-band or at the application layer using the TLS
Exporter-derived session ID, requiring yet another signature, or at
least an indication from the application that, yes, the client really
should check the signature on the certificate.
IMO, Certificate and CertificateVerify should be eliminated, and
authentication explicitly moved into the application layer.
(5) §3.1.4 and 3.1.5:
"(Application Data)"
"() Indicates messages protected using keys
derived from the static secret."
"The 0-RTT traffic keys are derived solely from ES"
This seems to be in conflict. In general, the terminology around the
various secrets needs to be clarified.
(6) Given that applications will bootstrap authentication on top of
TCPINC, it's important that the same attention to replay attacks be
paid to this profile of TLS as it was to the full TLS 1.3. Clearly
this concern isn't as important for applications making use only of
OE, as they were already subject to replay attacks, but once
application layer authentication is enabled, the expectations for what
TCPINC provides are higher.
(7) §5: IPv6 does not have checksums at the TCP layer.
(8) Ekr, what are your thoughts on how TCP-ENO negotiation should
proceed in the presence of an application that wants TLS
authentication? E.g., let's say both client and server support
TCP-ENO, and the client browser and web server support TLS directly.
I'm thinking what you want is for the server not to negotiate
TCP-use-TLS, but to fall back to unencrypted TCP and then do the TLS
handshake in userspace, but I'd like to hear your thoughts.
Kyle