Re: [tcpinc] Adam Roach's Yes on draft-ietf-tcpinc-tcpcrypt-09: (with COMMENT)

Adam Roach <adam@nostrum.com> Fri, 17 November 2017 03:31 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADD11127866; Thu, 16 Nov 2017 19:31:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YhM67HVuiRjW; Thu, 16 Nov 2017 19:31:30 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52E951275F4; Thu, 16 Nov 2017 19:31:30 -0800 (PST)
Received: from Orochi.local ([185.41.141.24]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id vAH3VLii043275 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 16 Nov 2017 21:31:25 -0600 (CST) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host [185.41.141.24] claimed to be Orochi.local
To: Daniel B Giffin <dbg@scs.stanford.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tcpinc-tcpcrypt@ietf.org, Kyle Rose <krose@krose.org>, tcpinc-chairs@ietf.org, tcpinc@ietf.org
References: <151018832684.17229.17081270342741352337.idtracker@ietfa.amsl.com> <20171117031736.GC11150@scs.stanford.edu>
From: Adam Roach <adam@nostrum.com>
Message-ID: <7ec079d6-741d-4b96-2240-31db64ecffe7@nostrum.com>
Date: Fri, 17 Nov 2017 11:31:20 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <20171117031736.GC11150@scs.stanford.edu>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/lhZiUW5YFYFNmwP0MywUmAOpKV4>
Subject: Re: [tcpinc] Adam Roach's Yes on draft-ietf-tcpinc-tcpcrypt-09: (with COMMENT)
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 03:31:32 -0000

On 11/17/17 11:17, Daniel B Giffin wrote:
> Is your concern that these two peers can get "stuck" in a
> state where they repeatedly fail a mutual attempt at
> resumption, thus forever falling back to no encryption?
>
> In the case of a hash-collision of resumption identifiers,
> it seems we don't get stuck because the active opener will
> advance to the next session secret on the next connection:
>
> 	When proposing resumption, the active opener MUST use the lowest value
> 	of `i` that has not already been used (successfully or not) to
> 	negotiate resumption with the same host and for the same pre-session
> 	key `ss[0]`.
>

Ah, you're right -- this will prevent issues with hash collisions. I 
suppose there's still a small chance of this situation arising due to 
implementation errors, but I suspect it's not worth decreasing the 
incidence of resumption to account for those.

/a