[tcpinc] Review of https://tools.ietf.org/html/draft-rescorla-tcpinc-tls-option-05
Kyle Rose <krose@krose.org> Tue, 20 October 2015 17:04 UTC
Return-Path: <krose@krose.org>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53B321AC3C6 for <tcpinc@ietfa.amsl.com>; Tue, 20 Oct 2015 10:04:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PCZTNz6EUqGL for <tcpinc@ietfa.amsl.com>; Tue, 20 Oct 2015 10:04:19 -0700 (PDT)
Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F90B1AC3BA for <tcpinc@ietf.org>; Tue, 20 Oct 2015 10:04:19 -0700 (PDT)
Received: by igbkq10 with SMTP id kq10so79664442igb.0 for <tcpinc@ietf.org>; Tue, 20 Oct 2015 10:04:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=sYaCCL77HT0JKobh/A8kA6dXoaFVCyioOpIbGjb/d8g=; b=iMPWnHjfGizM/PI/3viuC1sAZLzCK+n6qRKgs0AZYbBpiFs6UgOuzN/juRqTsDoEmP Xrlfh0ti+Bh3zyZhdc6An+QvP5N4LZOwW+ipO6rYuQpPtToaXME2cWRPjghMEEHoA61t OElC9uoQP0X4HwqANNvh6zEEybEjsmFoLvyBs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=sYaCCL77HT0JKobh/A8kA6dXoaFVCyioOpIbGjb/d8g=; b=CYoqtKmnF8n9ouPtTMWd+fghEkifCmz3kAn0IXMTYB94fYH2XZZvQVETfjftxNsOm3 ykUZuIN7fAIARIBU10bbRxsRgDYterRBwX5j2wSb5K319xW+XYCLzi2fay/XEfedVf03 7uRJu3G1XBwAhDBCADEPSu6ON9VTF/wbiXYTx6lITJdWKZ3vf72EjaZMELWPpEK6Rs+E kdTZUkNzbvGa45LH3db2Ufvw/G9HRF0PNncC/hVMSzTQRSXkOEcisjdm0imNa/VTvUbo Gr6EbMHBX9hKgL3yp9gQfLdubA+EZvmHByBUUOKM3Xz5MaUpn0KwQJUVXa13dNwMl3Vn OJtw==
X-Gm-Message-State: ALoCoQmoztJcrUPfZjZ4qAl+l86MNWM7Wxru7ivvVPy5Rqg8cIYh1mp3lYdtUdzU3Y7ihuCdsTHs
MIME-Version: 1.0
X-Received: by 10.50.73.98 with SMTP id k2mr25637211igv.96.1445360658403; Tue, 20 Oct 2015 10:04:18 -0700 (PDT)
Received: by 10.79.31.130 with HTTP; Tue, 20 Oct 2015 10:04:18 -0700 (PDT)
X-Originating-IP: [72.246.0.10]
Date: Tue, 20 Oct 2015 13:04:18 -0400
Message-ID: <CAJU8_nWbeXSNJwNSAy+z-0UcmJ2o1DLuoB8P3q3JF91A2t69ew@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
To: tcpinc <tcpinc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/BZ1odSN6c3FGRBpJ-u-Lj4laU6c>
Subject: [tcpinc] Review of https://tools.ietf.org/html/draft-rescorla-tcpinc-tls-option-05
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2015 17:04:21 -0000
(1) §2: "If the TLS handshake fails for non-cryptographic reasons such as failure to negotiate a compatible cipher or the like, endpoints SHOULD behave as if the the TCP-TLS option was not present." David is right that this conflicts with TCP-ENO, but I'd actually advocate changing the ENO draft and moving in the opposite direction in order to be most in-line with the spirit of the WG: that failure to negotiate TCPINC means fallback to unencrypted TCP. To that end I'd suggest that any failure to negotiate TLS, except a loss of sync resulting in an inability to deserialize the record stream, should result in fallback to TCP. It should then be up to the application to decide whether or not to proceed in the absence of encryption. This still leaves a huge DoS attack surface for certain classes of attackers, but much of that can be addressed with TCP-AO, so I think we still gain a lot by requiring this. (2) §3: "but encourage implementations to implement only TLS 1.3". If this is the case, 1.2 would be mostly useless outside of custom installations, which is not really the point of the WG as custom installations can (and probably do) support TLS directly. Requiring interoperability with the rare TLS 1.2-supporting implementations would mostly just add complexity and additional attack surface. I'd strike it and require TLS 1.3. (3) §3.1.2.2.1: "ServerConfiguration [6.3.7]" Maybe reiterate here that this is optional? Otherwise, the wording at the top of the section suggests that every record in the sequence is required. (4) §3.1.2: What is the point of the server certificate, the signature in CertficateVerify, and authenticating said signature on the client? As the public key is either made up on the spot, or its provenance explicitly ignored ("it SHOULD NOT attempt to validate the certificate"), It seems to provide no value and consumes CPU. Any actual authentication of the channel's privacy would have to occur either out-of-band or at the application layer using the TLS Exporter-derived session ID, requiring yet another signature, or at least an indication from the application that, yes, the client really should check the signature on the certificate. IMO, Certificate and CertificateVerify should be eliminated, and authentication explicitly moved into the application layer. (5) §3.1.4 and 3.1.5: "(Application Data)" "() Indicates messages protected using keys derived from the static secret." "The 0-RTT traffic keys are derived solely from ES" This seems to be in conflict. In general, the terminology around the various secrets needs to be clarified. (6) Given that applications will bootstrap authentication on top of TCPINC, it's important that the same attention to replay attacks be paid to this profile of TLS as it was to the full TLS 1.3. Clearly this concern isn't as important for applications making use only of OE, as they were already subject to replay attacks, but once application layer authentication is enabled, the expectations for what TCPINC provides are higher. (7) §5: IPv6 does not have checksums at the TCP layer. (8) Ekr, what are your thoughts on how TCP-ENO negotiation should proceed in the presence of an application that wants TLS authentication? E.g., let's say both client and server support TCP-ENO, and the client browser and web server support TLS directly. I'm thinking what you want is for the server not to negotiate TCP-use-TLS, but to fall back to unencrypted TCP and then do the TLS handshake in userspace, but I'd like to hear your thoughts. Kyle