Re: [tcpinc] Call for adoption of draft-rescorla-tcpinc-tls-option-05

Eric Rescorla <ekr@rtfm.com> Mon, 02 November 2015 02:00 UTC

In-Reply-To: <5636C31E.9060202@bluematt.me>
References: <56267097.7060509@tik.ee.ethz.ch> <5636BE5A.9090408@bluematt.me> <CABcZeBPjvHuycOu-QtA6ScuvHErhyvHF+YLxd7Cd7LxfJtikZw@mail.gmail.com> <5636C31E.9060202@bluematt.me>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 02 Nov 2015 10:59:59 +0900
Message-ID: <CABcZeBNztS5svgwjyVRoSSBRXy=uWh1+RSBsNckTGNfAxEiSNg@mail.gmail.com>
To: Matt Corallo <tcpinc@bluematt.me>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/prbp_Q0tkpZQuab6ZftU3B1gliE>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Call for adoption of draft-rescorla-tcpinc-tls-option-05

On Mon, Nov 2, 2015 at 10:57 AM, Matt Corallo <tcpinc@bluematt.me> wrote:

> Indeed, it does affect both tls-option and tcpcrypt as written. However,
> fixing it in tls-option appears to require departing from TLS,


Again, I don't believe that this is correct.  The mode described here
is the basic operating mode for TLS 1.3 [0].

-Ekr

[0] TLS 1.2 is equally fast to the client's first send (if you use False
Start) but slower for the server's.


> whereas
> fixing it in tcpcrypt does not.
>
> On 11/02/15 01:42, Eric Rescorla wrote:
> > On Mon, Nov 2, 2015 at 10:37 AM, Matt Corallo <tcpinc@bluematt.me
> > <mailto:tcpinc@bluematt.me>> wrote:
> >
> >     I do not support adopting tcpinc-tls-option because:
> >
> >     * Using TLS (even a limited set of allowed options) as the tcpinc
> >     mechanism loses the "defense in depth" property that tcpinc nicely
> >     provides for some applications.
> >     * I believe the extra round-trip for new connections to a new server
> >     will significantly harm adoption of such a proposal.
> >
> >
> > Can you elaborate on this? As indicated in the document, in TLS 1.3
> > the server can send his first byte upon receiving the client's first
> > handshake message (in the ACK) and the client can send upon
> > receiving the server's first handshake message (in the server's
> > response to that message). I believe this shares the same latency
> > characteristics as tcpcrypt.
> >
> > -Ekr
>
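As an added model (not code from this thread or from either draft), the following Python script works through the latency accounting Ekr describes: each handshake flight is sent as soon as the peer flights it depends on have arrived, and the times at which client and server can first send application data are compared for plain TCP, TLS 1.3 as described above, and TLS 1.2 with False Start. The flight dependencies and the half-RTT one-way-delay model are assumptions; tcpcrypt is not modelled.

```python
from dataclasses import dataclass

HALF_RTT = 0.5  # one-way delay, in RTTs (assumed symmetric path)

@dataclass(frozen=True)
class Flight:
    name: str
    sender: str        # "C" (client) or "S" (server)
    needs: tuple = ()  # peer flights that must have arrived before this one is sent

def schedule(flights):
    """Map flight name -> send time in RTTs; a flight leaves once all it needs has arrived."""
    by_name = {f.name: f for f in flights}
    sent, pending = {}, list(flights)
    while pending:
        ready = [f for f in pending if all(n in sent for n in f.needs)]
        if not ready:
            raise ValueError("circular dependency in flight list")
        for f in ready:
            if any(by_name[n].sender == f.sender for n in f.needs):
                raise ValueError(f"{f.name}: dependencies must come from the peer")
            # arrival of a needed flight = peer's send time + one-way delay
            sent[f.name] = max([0.0] + [sent[n] + HALF_RTT for n in f.needs])
            pending.remove(f)
    return sent

def first_app_data(flights):
    """(client's first application-data send time, server's), in RTTs."""
    s = schedule(flights)
    return s["client_app"], s["server_app"]

TCP = [Flight("SYN", "C"), Flight("SYN-ACK", "S", ("SYN",)),
       Flight("ACK", "C", ("SYN-ACK",))]
# Plain TCP for reference: client data rides with the ACK, server sends after it.
TCP_PLAIN = TCP + [Flight("client_app", "C", ("SYN-ACK",)),
                   Flight("server_app", "S", ("ACK",))]
# Both TLS variants: ClientHello in the client's ACK segment, answered by the
# server's first flight (ServerHello ... Finished / ServerHelloDone).
TLS_START = TCP + [Flight("ClientHello", "C", ("SYN-ACK",)),
                   Flight("ServerFlight", "S", ("ClientHello",))]
# TLS 1.3 as described in the thread: the server may send application data with
# its first flight (0.5-RTT data); the client sends once that flight arrives.
TLS13 = TLS_START + [Flight("server_app", "S", ("ClientHello",)),
                     Flight("ClientFinished", "C", ("ServerFlight",)),
                     Flight("client_app", "C", ("ServerFlight",))]
# TLS 1.2 with False Start: the client may send alongside its Finished, but the
# server must wait for that Finished before sending anything.
TLS12_FALSE_START = TLS_START + [Flight("ClientFinished", "C", ("ServerFlight",)),
                                 Flight("client_app", "C", ("ServerFlight",)),
                                 Flight("server_app", "S", ("ClientFinished",))]
```

Under this model TLS 1.3 delays the client's first send by one RTT relative to bare TCP and the server's not at all, while TLS 1.2 with False Start matches the client time but costs the server a further half RTT, which is the footnote's point.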