IETF Logo Mail Archive

Re: [TLS] Record header size?

"Michael Gray" <mickgray@au1.ibm.com> Thu, 19 November 2015 02:07 UTC

Return-Path: <mickgray@au1.ibm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 772481B3B5C for <tls@ietfa.amsl.com>; Wed, 18 Nov 2015 18:07:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.784
X-Spam-Level:
X-Spam-Status: No, score=-4.784 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PTP4tazaf0l9 for <tls@ietfa.amsl.com>; Wed, 18 Nov 2015 18:07:50 -0800 (PST)
Received: from e23smtp01.au.ibm.com (e23smtp01.au.ibm.com [202.81.31.143]) (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5AD41B3B57 for <tls@ietf.org>; Wed, 18 Nov 2015 18:07:49 -0800 (PST)
Received: from localhost by e23smtp01.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <tls@ietf.org> from <mickgray@au1.ibm.com>; Thu, 19 Nov 2015 12:07:46 +1000
Received: from d23dlp01.au.ibm.com (202.81.31.203) by e23smtp01.au.ibm.com (202.81.31.207) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 19 Nov 2015 12:07:44 +1000
X-IBM-Helo: d23dlp01.au.ibm.com
X-IBM-MailFrom: mickgray@au1.ibm.com
X-IBM-RcptTo: tls@ietf.org
Received: from d23relay10.au.ibm.com (d23relay10.au.ibm.com [9.190.26.77]) by d23dlp01.au.ibm.com (Postfix) with ESMTP id 25B7B2CE8052 for <tls@ietf.org>; Thu, 19 Nov 2015 13:07:44 +1100 (EST)
Received: from d23av04.au.ibm.com (d23av04.au.ibm.com [9.190.235.139]) by d23relay10.au.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id tAJ27Zum64487546 for <tls@ietf.org>; Thu, 19 Nov 2015 13:07:44 +1100
Received: from d23av04.au.ibm.com (localhost [127.0.0.1]) by d23av04.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id tAJ27BKE024973 for <tls@ietf.org>; Thu, 19 Nov 2015 13:07:11 +1100
Received: from d50lp01.ny.us.ibm.com ([146.89.104.207]) by d23av04.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id tAJ2796g023242 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <tls@ietf.org>; Thu, 19 Nov 2015 13:07:10 +1100
Message-Id: <201511190207.tAJ2796g023242@d23av04.au.ibm.com>
Received: from /spool/local by d50lp01.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <tls@ietf.org> from <mickgray@au1.ibm.com>; Wed, 18 Nov 2015 21:06:11 -0500
Received: from smtp.notes.na.collabserv.com (192.155.248.73) by d50lp01.ny.us.ibm.com (158.87.18.20) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256) Wed, 18 Nov 2015 21:06:09 -0500
Received: from /spool/local by smtp.notes.na.collabserv.com with smtp.notes.na.collabserv.com ESMTP for <tls@ietf.org> from <mickgray@au1.ibm.com>; Thu, 19 Nov 2015 02:06:08 -0000
Received: from us1a3-smtp03.a3.dal06.isc4sb.com (10.106.154.94) by smtp.notes.na.collabserv.com (10.106.227.90) with smtp.notes.na.collabserv.com ESMTP; Thu, 19 Nov 2015 02:06:06 -0000
Received: from us1a3-mail68.a3.dal09.isc4sb.com ([10.142.3.220]) by us1a3-smtp03.a3.dal06.isc4sb.com with ESMTP id 2015111902064380-2333 ; Thu, 19 Nov 2015 02:06:43 +0000
In-Reply-To: <20151118205229.E58841A380@ld9781.wdf.sap.corp>
To: mrex@sap.com
From: Michael Gray <mickgray@au1.ibm.com>
Date: Thu, 19 Nov 2015 12:05:55 +1000
References: <B79F7446-0BBF-4006-A448-E81FF5E7ECD4@gmail.com> <20151118205229.E58841A380@ld9781.wdf.sap.corp>
X-KeepSent: F65FC5AC:8F4DB61B-4A257F01:00732ED6; type=4; name=$KeepSent
X-Mailer: IBM Notes Release 9.0.1SHF211 December 19, 2013
X-LLNOutbound: False
X-Disclaimed: 18919
X-TNEFEvaluated: 1
Content-type: multipart/alternative; Boundary="0__=C5BBF592DFE0A8468f9e8a93df938690918cC5BBF592DFE0A846"
Content-Disposition: inline
x-cbid: 15111902-1618-0000-0000-0000032A1F1E
X-IBM-ISS-SpamDetectors: Score=0.417846; BY=0; FL=0; FP=0; FZ=0; HX=0; KW=0; PH=0; SC=0.417846; ST=0; TS=0; UL=0; ISC=
X-IBM-ISS-DetailInfo: BY=3.00004599; HX=3.00000236; KW=3.00000007; PH=3.00000004; SC=3.00000121; SDB=6.00619404; UDB=6.00274904; UTC=2015-11-19 02:06:08
x-cbparentid: 15111902-0598-0000-0000-00000547C671
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/-1gRsAZiaGvc-Q3lXO5xd-klA7E>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Record header size?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 02:07:53 -0000


"TLS" <tls-bounces@ietf.org> wrote on 19/11/2015 06:52:29 AM:

> From: mrex@sap.com (Martin Rex)
> To: Yoav Nir <ynir.ietf@gmail.com>
> Cc: "tls@ietf.org" <tls@ietf.org>
> Date: 19/11/2015 06:53 AM
> Subject: Re: [TLS] Record header size?
> Sent by: "TLS" <tls-bounces@ietf.org>
>
> Yoav Nir wrote:
> >> Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> >>
> >> Eric Rescorla <ekr@rtfm.com> writes:
> >>>
> >>> The concern here is backward compatibility with inspection
> middleboxes which
> >>> expect the length field to be in a particular place.
> >>
> >> Given that the rest of TLS 1.3 is going to break compatibility with
pretty
> >> much everything everywhere, I can't see this as a big concern, may
> >> as well fix it at the same time as everything else is being changed.
> >
> > A sanity check on TLS might involve validating 5-byte record headers
> > with sane length and version fields. A firewall might be out there that
> > verifies this.
>
> The issue is much more about breaking _applications_ on top of TLS
> by changing the existing 5-byte record header.  Padding the header
> to 8 bytes (3 bytes into the original record body) would be OK, though.
>
> With several TLS implementations it is possible to completely seperate
> network communication (of the application) from the processing of
> TLS records (performed by the TLS protocol stack).  For some TLS
> implementations (e.g. Microsoft SChannel) this seems to be the only
> possible mode of operation.

We have the same kind of IO separation and I have observed a few times that
some products either interleave/multiplex TLS records with other
application data flow or route/buffer TLS traffic based on TLS record
header checking.  Padding the header to 8 bytes, as above, would probably
be OK.

-Mick

v2.23.0 | Report a Bug | By Email