IETF Logo Mail Archive

Re: [tcpinc] Call for adoption of draft-rescorla-tcpinc-tls-option-05

Eric Rescorla <ekr@rtfm.com> Mon, 02 November 2015 02:10 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85C531B41DA for <tcpinc@ietfa.amsl.com>; Sun, 1 Nov 2015 18:10:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 208ml1ev1AjJ for <tcpinc@ietfa.amsl.com>; Sun, 1 Nov 2015 18:10:01 -0800 (PST)
Received: from mail-yk0-x230.google.com (mail-yk0-x230.google.com [IPv6:2607:f8b0:4002:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A54F51B41D9 for <tcpinc@ietf.org>; Sun, 1 Nov 2015 18:10:01 -0800 (PST)
Received: by ykba4 with SMTP id a4so126251137ykb.3 for <tcpinc@ietf.org>; Sun, 01 Nov 2015 18:10:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm_com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=3LsWIvQhrhCxfUTNL1Q0LJ01BNsPQ+k89nBoA87ej4M=; b=btAc9qU2ghyZTFVeL/6yVja/9WouA+FaTXccksSYIEoFjNcYXrV4CSNZPd+M2UUi4I uBX05at22dt/2s903k4z0NY4X1JXrXvGUPzEpsXNI+ZoSmFVXkzhlUWW+2MVoSQOTQm8 UcOJdNCk5p4mYfL48COZKdxtfWpOZTxndGleMfBiDgcQsEtqPivMe+wgWYL2aBT7ope7 t4vYKFPcbqhrbNPTKbP9/kizJjin5ZmV0zz90yuH0bIS2V2KxjY6F/gciidXzoyrcjTb kCxXEomWrqqna8wegl9pK+RGB4Od4NptGPomDcfqq5lqhXhY4usfVqHZQLjIccOvvTAT VPkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=3LsWIvQhrhCxfUTNL1Q0LJ01BNsPQ+k89nBoA87ej4M=; b=M7s2ZrjL8+Q/86N19q6ePNXRt/2rXrRKb0kTsVWfIbr+a/KH4SRSiVLPyAPe7TyNND Mu8LN0fdBcQIqvLyJraEvIzOJkrP/4QHEbRVkr17VmSghs8nSZzhpkTLmZt/sg1e3QLG pueGOdqRHiILprm749iZdtZ6Y50Q7uHpFZXJlLnSVGHHG6MkeRDGTXQWly7ezhEWrESk lhNXGS5V1emwVdhX1TXteVMrnYE3tv+j18If+EPZ4J+5j8REkU8FJR6cgspq/71tqkCc bAY552APerCEqOgmC/a3naAQD1vgHc0/f9rrgOr0KHvm9b4wVfYmI5xexcdySH4nZ0IG tuOQ==
X-Gm-Message-State: ALoCoQnPojhVdiHU8w6VZFMlo5L0xUZaoo/yKye6iTI97LU6lJ5pWcVtFrxW/3L+eouFX/mjKiuC
X-Received: by 10.13.216.141 with SMTP id a135mr14785798ywe.12.1446430200886; Sun, 01 Nov 2015 18:10:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.221.203 with HTTP; Sun, 1 Nov 2015 18:09:21 -0800 (PST)
In-Reply-To: <5636C4F6.7010809@bluematt.me>
References: <56267097.7060509@tik.ee.ethz.ch> <5636BE5A.9090408@bluematt.me> <CABcZeBPjvHuycOu-QtA6ScuvHErhyvHF+YLxd7Cd7LxfJtikZw@mail.gmail.com> <5636C31E.9060202@bluematt.me> <CABcZeBNztS5svgwjyVRoSSBRXy=uWh1+RSBsNckTGNfAxEiSNg@mail.gmail.com> <5636C4F6.7010809@bluematt.me>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 02 Nov 2015 11:09:21 +0900
Message-ID: <CABcZeBPdpRygt5PRbANuHGhXwGp25JF9x7zhTi8fu8MJ1a4iyg@mail.gmail.com>
To: Matt Corallo <tcpinc@bluematt.me>
Content-Type: multipart/alternative; boundary="001a114e488a51260105238546d8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/Ml9lhJFNXmqPqA0mjdG5j3T6Ong>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Call for adoption of draft-rescorla-tcpinc-tls-option-05
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2015 02:10:03 -0000

On Mon, Nov 2, 2015 at 11:05 AM, Matt Corallo <tcpinc@bluematt.me> wrote:

> Am I incorrect in reading that both tls-option and tcpcrypt require a
> full three-way-handshake, and then the client is unable to send data for
> another round-trip as it must wait for another response from the server
> before session keys have been agreed upon?
>

Both tls-option and tcpcrypt send the client's DHE share along with
the client's ACK and the server's DHE share in response. In both
cases, the server can piggyback data on his share and the
client can only send data upon receiving the server's share.

I agree that this isn't optimal. My point is just that TLS and tcpcrypt
have the same performance behavior here.


Moving client pubkeys into SYN is slightly crazy, but would shave off a
> RTT before client's first send.


I believe we have definitively decided not to do this in an existing
option. It's possible we would decide to do this via some of the
option-extending mechanisms, but if you were to do this, you
could equally well put the ClientHello in the SYN.

-Ekr


>
> On 11/02/15 01:59, Eric Rescorla wrote:
> >
> >
> > On Mon, Nov 2, 2015 at 10:57 AM, Matt Corallo <tcpinc@bluematt.me
> > <mailto:tcpinc@bluematt.me>> wrote:
> >
> >     Indeed, it does effect both tls-option and tcpcrypt as written.
> However,
> >     fixing it in tls-option appears to require departing from TLS,
> >
> >
> > Again, I don't believe that this is correct.  The mode described here
> > is the basic operating mode for TLS 1.3 [0].
> >
> > -Ekr
> >
> > [0] TLS 1.2 is equally fast to the client's first send (if you use False
> > Start)
> > but slower for the server's.
> >
> >
> >     whereas
> >     fixing it in tcpcrypt does not.
> >
> >     On 11/02/15 01:42, Eric Rescorla wrote:
> >     > On Mon, Nov 2, 2015 at 10:37 AM, Matt Corallo <tcpinc@bluematt.me
> <mailto:tcpinc@bluematt.me>
> >     > <mailto:tcpinc@bluematt.me <mailto:tcpinc@bluematt.me>>> wrote:
> >     >
> >     >     I do not support adopting tcpinc-tls-option because:
> >     >
> >     >     * Using TLS (even a limited set of allowed options) as the
> tcpinc
> >     >     mechanism loses the "defense in depth" property that tcpinc
> nicely
> >     >     provides for some applications.
> >     >     * I believe the extra round-trip for new connections to a new
> >     server
> >     >     will significantly harm adoption of such a proposal.
> >     >
> >     >
> >     > Can you elaborate on this? As indicated in the document, in TLS 1.3
> >     > the server can send his first byte upon receiving the client's
> first
> >     > handshake message (in the ACK) and the client can send upon
> >     > receiving the server's first handshake message (in the server's
> >     > response to that message). I believe this shares the same latency
> >     > characteristics as tcpcrypt.
> >     >
> >     > -Ekr
> >
> >
> >
> >
> > _______________________________________________
> > Tcpinc mailing list
> > Tcpinc@ietf.org
> > https://www.ietf.org/mailman/listinfo/tcpinc
> >
>

v2.23.0 | Report a Bug | By Email