Re: [tcpm] SYN/ACK Payloads, draft 01
Eric Rescorla <ekr@networkresonance.com> Wed, 13 August 2008 17:17 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4881428C0E7; Wed, 13 Aug 2008 10:17:32 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 621493A68B9 for <tcpm@core3.amsl.com>; Wed, 13 Aug 2008 10:17:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.836
X-Spam-Level:
X-Spam-Status: No, score=-1.836 tagged_above=-999 required=5 tests=[AWL=0.763, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nwvZd7LtbedS for <tcpm@core3.amsl.com>; Wed, 13 Aug 2008 10:17:30 -0700 (PDT)
Received: from romeo.rtfm.com (romeo.rtfm.com [74.95.2.173]) by core3.amsl.com (Postfix) with ESMTP id 6E2063A6A31 for <tcpm@ietf.org>; Wed, 13 Aug 2008 10:17:30 -0700 (PDT)
Received: from romeo.rtfm.com (localhost.rtfm.com [127.0.0.1]) by romeo.rtfm.com (Postfix) with ESMTP id AA7A650846; Wed, 13 Aug 2008 10:27:52 -0700 (PDT)
Date: Wed, 13 Aug 2008 10:27:52 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Adam Langley <agl@imperialviolet.org>
In-Reply-To: <396556a20808111035s2b974233o1e9d3671e82e3350@mail.gmail.com>
References: <396556a20808111035s2b974233o1e9d3671e82e3350@mail.gmail.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Message-Id: <20080813172752.AA7A650846@romeo.rtfm.com>
Cc: tcpm@ietf.org
Subject: Re: [tcpm] SYN/ACK Payloads, draft 01
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
$Id: draft-agl-tcpm-sadata-01-rev.txt,v 1.2 2008/08/13 16:15:00 ekr Exp $
I don't really have a strong opinion about whether this extension
should be approved for use with TCP; that's for the TCP experts
to decide. However, I don't find motivational use cases--particularly
the cryptographic use cases listed in S 4 and S 4--particularly
motivating.
S 4. Opportunistic HTTP Encryption
As the draft states, this is intended to provide opportunistic
security without burning any round trips in the application
layer.
As I understand this mechanism, what's being proposed is this:
Client Server
------ ------
SYN + PPExt ->
<- SYN/ACK + PPExt + [Crypto stuff]
[Crypto Stuff] ->
[HTTP Req]
Do I have that right?
I see a number of issues here:
1. The PPExt payload is overloaded here. First, it's signalling
a transport message "it's OK to put stuff in the SYN/ACK". Second,
it's signalling an application layer message "It's OK to send me
a crypto handshake as the first thing you send." Note that in
an ordinary HTTP connection, this data would be invalid.
This overloading seems fairly unwise, since it would preclude
any other use of this SYN/ACK payload in the future. If the
server is going to send non-HTTP compliant data in response to
this option, then more information needs to be signalled than
just "I would accept data".
2. It's not clear to me that opportunistic security for HTTP is that
great. Unlike, for instance, SMTP, HTTP fetches are nearly always
the result of some URI, so it's very easy to simply indicate
in the URI that the server supports HTTPS. This is superior
from a security perspective for the usual reasons (referential
integrity, etc...)
3. There are a number of mechanisms for optimizing the performance
of TLS vis-a-vis round trips that have not yet been explored
(e.g., Fast-Track [BSR04]). It's not clear if we can shave
things down to zero RTTs (though I've got some ideas), but
it seems that if we're really concerned about crypto setup
time it would be worth exploring this before we start with
a new security layer, especially because of point (2) above.
4. Some of the latency benefit you're getting here is from not
negotiating the crypto algorithms; this is why in TLS the
client speaks first. This isn't an issue for the symmetric
algorithm since the server could provide a list, but it's
a real issue for the asymmetric algorithm, since it provides
no agility in the case of upgrade or compromise. If, for
instance, someone successfully attacks this curve but there
are other, strong curves available, then we'd be hosed.
S 5. Faster SSH Connections
It's true that SSH latency is really bad, but it's really much
worse than you suggest, since the authentication handshake takes
several exchanges as well. [GutXX] It's not clear to me that removing
1 RTT helps here. I'm skeptical that there are really that
many applications that involve bringing up and tearing down
a lot of SSH connections.
Moreover, since SSH involves a lot of connections between the same
pair of nodes, it seems like a TLS style session caching mechanism
would improve the situation a lot more, optimizing out nearly all
round trips for subsequent connections, while also reducing public
key load while again requiring no changes to the kernel.
S 6. Compressed HTTP Headers
I don't know how much value this adds, but note that the server's
indication that it supports compressed headers lives in the same
section of the datastream as the crypto stuff from S 5. So, we
now need some sort of framing mechanism for this data to allow
clients which know about opportunistic crypto but not compressed
headers to ignore that advertisement.
[BSR04] H. Shacham, D. Boneh, and E. Rescorla. "Client-Side Caching for
TLS." ACM Trans. Info. & Sys. Security, 7(4):553-75,
Nov. 2004.
[GutXX] P. Gutmann, "Performance Characteristics of Application-Level
Security Protocols," Work in Progress.
-Ekr
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm
- Re: [tcpm] SYN/ACK Payloads, draft 01 Sergio Freire
- [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Sergio Freire
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Sergio Freire
- Re: [tcpm] SYN/ACK Payloads, draft 01 Lars Eggert
- Re: [tcpm] SYN/ACK Payloads, draft 01 Sergio Freire
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Sergio Freire
- Re: [tcpm] SYN/ACK Payloads, draft 01 Eric Rescorla
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Eric Rescorla
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Eric Rescorla
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Eric Rescorla
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Caitlin Bestler
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Caitlin Bestler
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Michael Tüxen
- Re: [tcpm] SYN/ACK Payloads, draft 01 Caitlin Bestler
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Eric Rescorla
- Re: [tcpm] SYN/ACK Payloads, draft 01 Michael Tüxen
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Caitlin Bestler
- Re: [tcpm] SYN/ACK Payloads, draft 01 Adam Langley
- Re: [tcpm] SYN/ACK Payloads, draft 01 Anantha Ramaiah (ananth)
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch
- Re: [tcpm] SYN/ACK Payloads, draft 01 Joe Touch