Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard

"Stephan Friedl (sfriedl)" <sfriedl@cisco.com> Sat, 14 December 2013 00:28 UTC

Return-Path: <sfriedl@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72C531AE0F3; Fri, 13 Dec 2013 16:28:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1yX091-LnWNL; Fri, 13 Dec 2013 16:28:37 -0800 (PST)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 7E9261ADFAD; Fri, 13 Dec 2013 16:28:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9123; q=dns/txt; s=iport; t=1386980911; x=1388190511; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=+1eQ/pJMjfZvA6BNr2hytOrzvc/IGhzeVujgi3oUTpA=; b=XgtvQIfu9fDr9+orszC9UHDCiMLmWpXD5qSbipq4vsGMho3JQoaTFRjZ JAk23AY/H3Ywqe/0vcOxBOejuxaLZJ+PRLHzvuRYUcBujzP+55JpIMyUL PtQafRLIAtqDjWcE6WA8nOzscLdmQFKQdP7IOK+V+23pw/r4AzH7L5gY2 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhUFAB6lq1KtJV2c/2dsb2JhbABZgwo4VbhggSIWdIIlAQEBAwEBAQEaHTQLBQcEAgEIDgMEAQEBCgsJBQQHJwsUCQgCBA4FCBOHYQgNymYXjikbAQEeMQIFBgSDGYETAQOqKoFsgT6BcTk
X-IronPort-AV: E=Sophos;i="4.95,482,1384300800"; d="scan'208";a="288471792"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-9.cisco.com with ESMTP; 14 Dec 2013 00:28:30 +0000
Received: from xhc-rcd-x14.cisco.com (xhc-rcd-x14.cisco.com [173.37.183.88]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id rBE0SUmg029615 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 14 Dec 2013 00:28:30 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.231]) by xhc-rcd-x14.cisco.com ([173.37.183.88]) with mapi id 14.03.0123.003; Fri, 13 Dec 2013 18:28:30 -0600
From: "Stephan Friedl (sfriedl)" <sfriedl@cisco.com>
To: Alyssa Rowan <akr@akr.io>
Thread-Topic: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard
Thread-Index: AQHO+DuFs2oYMzPJ906OnKLd/YTTY5pTDMOA//+9RVA=
Date: Sat, 14 Dec 2013 00:28:29 +0000
Message-ID: <2AA4F2B7B0341A4CA4DAB10D4EDA0D7C2322C978@xmb-aln-x02.cisco.com>
References: <20131213171608.10285.15352.idtracker@ietfa.amsl.com> <9D6C4F2B-25ED-4A2A-AE89-03122D7213B8@vpnc.org> <52AB6323.2050107@akr.io> <FB25564E-DD77-45B1-B9B7-605C6F581E70@checkpoint.com>
In-Reply-To: <FB25564E-DD77-45B1-B9B7-605C6F581E70@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.19.81.153]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<iesg@ietf.org>" <iesg@ietf.org>, "<ietf@ietf.org>" <ietf@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2013 00:28:40 -0000

I fear that there is a perception that ALPN leaks information like a sieve and NPN doesn't leak at all.  Both extensions leak information in plain text - they just leak different information.  

NPN leaks the entire list of protocols available on a host/port combination and encrypts the single protocol selected by the client.  When watching a single TLS negotiation using NPN, a passive attacker knows all the protocols exposed by a server and therefore has a big head start on identifying the single protocol chosen by the client as well as assessing a server for potential vulnerabilities to exploit - effectively an instant port scan.  In contrast ALPN has the client advertising the protocols it supports in plaintext and has the server's selection of a protocol returned in plaintext.  In ALPN the entire list of protocols supported by a given host on a given port is never revealed during a single TLS negotiation.

Also, I agree with Yoav's take on ALPN as simple networking and not a 'cryptographic protocol'.  All ALPN does is provides the protocol to be used for a connection when the port number is no longer definitive.  ALPN is a plain, vanilla extension - whereas NPN does introduce some non-standard twists to TLS extension practice in that the negotiation is not encapsulated in the hello messages and that it introduces a padded handshake message between the ChangeCipherSpec and Finished messages.

Thanks,

Stephan


> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Yoav Nir
> Sent: Friday, December 13, 2013 2:43 PM
> To: Alyssa Rowan
> Cc: <ietf@ietf.org>;; <tls@ietf.org>;; <iesg@ietf.org>;
> Subject: Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt>
> (Transport Layer Security (TLS) Application Layer Protocol Negotiation
> Extension) to Proposed Standard
> 
> Hi Alyssa
> 
> I mostly agree with the facts presented below. However:
> 
> - I object to characterizing this as a "cryptographic protocol". This is simple
> networking. Just as Ethernet tells us there's IP inside, and IP tells us there's
> TCP inside, and TCP tells us about port 443 (which used to mean https), we
> now have TLS tell us whether there's HTTP/1 or HTTP/2 inside. This is needed
> because the HTTP specifications and implementations don't handle version
> negotiation well. This can have security implications, but it's not a
> cryptographic protocol.
> 
> - Mass surveillance is a concern. It is not the only concern. The IP address of
> the server I'm accessing leaks far more important information then whether
> I'm using HTTP/1 or HTTP/2. This may also leak the browser version, but that
> can also be readily recognized by looking at the ciphersuite list. Sure, others
> (including me) raised all sorts of possibilities for extra used for ALPN. For
> now, there's only the two versions of HTTP.  We haven't heard anyone
> explain what good knowing the version of HTTP does to a nation state
> adversary.
> 
> - The chairs did not ignore the requests. They rejected them. You can still
> disagree. One thing is missing from the account of the hum at IETF 87. Yes,
> there were some voices for each proposal, and that does not a consensus
> make. But then Sean asked a different question, and got overwhelming
> support for the statement that reaching a decision right then was important,
> and that we didn't want to wait and discuss it more. That is why the choice
> between them was done as an almost vote - nearly all of us at the time
> preferred to get *a* decision rather than keep hashing the subject over and
> over again. Rolling back, as people are suggesting now, runs contrary to that
> consensus.
> 
> - I've read that message suggesting the chairs had conflict of interest. There's
> no question the chairs worked to rush this decision, but my memory is that
> they mostly wanted to avoid accepting this work item at all. Having accepted
> it, they may have had a bias for less radical changes, but I don't remember
> any "railroading".
> 
> While I prefer ALPN, I wouldn't consider it tragic to have had NPN. But we (in
> the sense of the IETF, mostly the httpbis group) have a goal for a feature
> complete document for HTTP/2 with multiple interoperable implementations
> in the wild. This requires the negotiation part to be done. Rolling back the TLS
> WG decision now puts that goal at risk, so I oppose it.
> 
> Yoav
> 
> 
> On Dec 13, 2013, at 9:42 PM, Alyssa Rowan <akr@akr.io>; wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > On 13/12/2013 17:27, Paul Hoffman wrote:
> >
> >> A hum was taken at IETF 87 for the WG to pick between this proposal
> >> and another; there were many hums in the room for each, with more for
> >> this proposal. That hum was not taken to the WG mailing list. Since
> >> then, many people have given strong reasons to prefer the other
> >> proposal for technical reasons.
> >
> > Strongly seconded. This cryptographic protocol is not ready yet, and
> > requires careful reconsideration on-list, and at the very least a
> > public on-list call for consensus - which it does not seem to have
> > received - before deciding whether it is appropriate to proceed.
> >
> > * At IETF 88's Technical Plenary, serious concerns were raised about
> > mass surveillance of data and metadata by Nation State Adversaries.
> >
> > * Decisions were made at IETF 88, with overwhelming consensus, that
> > new protocols MUST consider the impact they have on mass surveillance.
> >
> > * ALPN has no such consideration. It leaks plaintext metadata which
> > its  competitor, NPN, encrypts. This makes ALPN quantitatively more
> > vulnerable to passive attackers, including Nation State Adversaries.
> >  [It may be that a future TLS 1.3 can encrypt the whole ClientHello;
> > but that is not the current state-of-play. As it stands, it would be
> > plaintext.]
> >
> > * Profound concerns have been raised about the protocol and the voting
> > process. A call has been made for at the very least the opportunity
> > to stop, rewind, and rethink whether ALPN is appropriate, and for a
> > new consensus call.
> >  <https://www.ietf.org/mail-archive/web/tls/current/msg10892.html>
> >
> > * The chairs and AD have refused, and simply ignored the concerns.
> >  <https://www.ietf.org/mail-archive/web/tls/current/msg10947.html>
> >  <https://www.ietf.org/mail-archive/web/tls/current/msg10948.html>
> >
> > * It is publicly known that Nation State Adversaries have attempted
> > to,  and in some cases succeeded in, weakening or backdooring
> > cryptographic standards. TLS has very likely been a main target of
> > this, as the most-used cryptographic standard on the internet.
> >
> > <http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-
> nsa
> > -campaign-against-encryption.html>
> >
> > * Concerns have been raised that one or more of the chairs or AD may
> > have a conflict of interest and appear to be railroading the process.
> >  <https://www.ietf.org/mail-archive/web/tls/current/msg10943.html>
> >
> > * As discussed at the IETF 88 Plenary, especially in light of the
> > Snowden BULLRUN disclosures, it is absolutely vital that
> > cryptographic standards such as TLS are devised openly,
> > transparently, and with clear, public consensus as being the best
> > available solution.
> >
> > * That has not happened with the ALPN extension to date.
> >
> > Therefore, I second Brian's proposal for a new consensus call and
> > discussion on ALPN, and Paul's appeal to the IETF LC: in my opinion,
> > it is wholly premature to advance ALPN to Proposed Standard at this time.
> >
> > - --
> > /akr
> > -----BEGIN PGP SIGNATURE-----
> >
> >
> iQIcBAEBCgAGBQJSq2MjAAoJEOyEjtkWi2t6L0MQAIxsdB4aAZvw6XdiIttRzaHR
> > bmvvGCScckyUfSFS6t2V36oxp9FNmkEzaXUTpUcRMrJsRlsXgjExlIsYKYqvtPzi
> >
> x8zPRyc2Yp61zTj2tZI0tlYDwQ3M53Pfy1br+0eLfqqy+dRaPsRyQWHi9FlMLU5u
> >
> eGaA1KMgUOAZSxNB9oliJOXmSj+DcQpcWpp+D3piYBSINUYrY3xtO31khhG0f
> 8xX
> >
> EOLH7pMwVkyEhQOG83qA801Yt45j0cr6X7Wg34jFhCfCR1xQDbkMLabAXHYT
> Wmdo
> >
> C4cmJQVTHgnYXiIPdwXR87iPpAevBNpoxNQzps1LoHYEM6xpqDwln9aExyaPA
> iT6
> >
> 4fV+Wr5C22H/Xh+wbkVFPRQEvZbbjDJKGSWyB0i6YKgmUxrF+VQHlJKFrS2Tw
> Eni
> > nmIIcFFN/bo2f8bwbtLf2bEQRAzz8R2N5gVeLQJcoWEz4lcl/1F2E82tZnd9ArLU
> >
> XGH5gawLh3bqLZRFUU0VfCYfQSrGy2PtIViyKSLKLCOlI7onL9CGB3jtSuqQDHe
> p
> >
> 8h3yeSk68d0gVVLmRUmx9aZMbOivZOP54t+Q8wwtluuHnGKdN2NU3oAFSf
> mDKcRG
> >
> cEWsddc44tF1eANVWXxJsHe8LvxUA6UCvI19kLxuNcV4RL8lCzWr38YaUVRpqX
> by
> > cYdzEMv6nqKpAynigGgh
> > =u0As
> > -----END PGP SIGNATURE-----
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls