IETF Logo Mail Archive

Re: [TLS] Session resumption ticket reuse considered harmful

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 05 March 2020 23:15 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 010C63A0E03 for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 15:15:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id alw1cRca27mE for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 15:15:27 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62FDE3A0E02 for <tls@ietf.org>; Thu, 5 Mar 2020 15:15:27 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 9BE991B0CA3; Thu, 5 Mar 2020 18:15:26 -0500 (EST)
Date: Thu, 05 Mar 2020 18:15:26 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20200305231526.GC7977@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <20200305205524.GR18021@localhost> <CAN2QdAGja9JoXsSSnmdkjHk7kNbDpEiMVkPpA6VDCfRjo9DRVw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAN2QdAGja9JoXsSSnmdkjHk7kNbDpEiMVkPpA6VDCfRjo9DRVw@mail.gmail.com>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0UO5-2X9-IBBDAAq-NGAnSIYdxc>
Subject: Re: [TLS] Session resumption ticket reuse considered harmful
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 23:15:29 -0000

On Thu, Mar 05, 2020 at 02:49:23PM -0800, Watson Ladd wrote:

> My skepticism is entirely a function of this being a late breaking
> change to a relatively simple proposal, with not very much in the way
> of quantifiable evidence to back up the concern that shared cache
> contention is a big overhead. Is it 1%? .5? 10%? of the total time to
> use a connection. At 10% we definitely need to do something, at .01%
> we almost certainly don't.

It isn't just the impact on client ticket cache processing, whatever it
might be.  Tickets can be quite large when client certs are in use,
because various TLS APIs promise server applications the ability to
return the client cert (or full chain) at the completion of the
handshake, which means recording the client cert or chain in 
the ticket.

And with PQ certs about to get substantially bigger than RSA certs, I
don't see why carefully designed servers and clients need to engage in
wasteful network traffic, CPU and I/O costs.

In the case of Postfix, the new ticket has to be generated, encrypted
and transmitted by the server, received and decrypted by the client,
then base64 encoded and transmitted to the tlsmgr(8) process, which
stores it an LMDB or Berkeley DB database, incurring I/O costs to
store it (likely also an fsync).

With spinning rust the MTA's throughput is largely limited by the number
of synchronous writes to disk per second, and additional synchronous
writes degrade overall throughput.

-- 
    Viktor.

v2.23.0 | Report a Bug | By Email