IETF Logo Mail Archive

Re: [TLS] Updated DTLS draft

Matt Caswell <frodo@baggins.org> Fri, 17 March 2017 11:32 UTC

Return-Path: <frodo@baggins.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D4A01274D0 for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 04:32:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.419
X-Spam-Level:
X-Spam-Status: No, score=-1.419 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWHg7eQGF0Ne for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 04:32:19 -0700 (PDT)
Received: from mx496502.smtp-engine.com (mx496502.smtp-engine.com [217.160.92.157]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A838126B6E for <tls@ietf.org>; Fri, 17 Mar 2017 04:32:19 -0700 (PDT)
Received: from mail-it0-f44.google.com (mail-it0-f44.google.com [209.85.214.44]) by mx496502.smtp-engine.com (Postfix) with ESMTPSA id E603EF7B for <tls@ietf.org>; Fri, 17 Mar 2017 11:32:17 +0000 (GMT)
Received: by mail-it0-f44.google.com with SMTP id m27so21702335iti.1 for <tls@ietf.org>; Fri, 17 Mar 2017 04:32:17 -0700 (PDT)
X-Gm-Message-State: AFeK/H1EdH0nvhG5G3E0WNNxU2HrurXAgXWc/wFUC9Sjzs7x0+TPeozDtD+UdfM1yFL14CRZ30pqt/J7BLdwCQ==
X-Received: by 10.107.142.136 with SMTP id q130mr14333558iod.31.1489750336362; Fri, 17 Mar 2017 04:32:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.147.155 with HTTP; Fri, 17 Mar 2017 04:32:16 -0700 (PDT)
In-Reply-To: <CABkgnnVEPstEUMfh1umbS8=10ubei9Ka22H6uuBjcGvR_rwpfA@mail.gmail.com>
References: <CABcZeBPjry16=zpwajosiKtiA3ADeFsgZdkN+cFBdg6iTjQrfQ@mail.gmail.com> <CAMoSCWbtzm49uyg8qTgEnhcRox5Bx4vi=rQ56GcDG9fj_RmL8w@mail.gmail.com> <CABkgnnVEPstEUMfh1umbS8=10ubei9Ka22H6uuBjcGvR_rwpfA@mail.gmail.com>
From: Matt Caswell <frodo@baggins.org>
Date: Fri, 17 Mar 2017 11:32:16 +0000
X-Gmail-Original-Message-ID: <CAMoSCWZTj_zRuQ8XzWvJ-OZCP40naqoUng1xXnvu5FjRELSgjg@mail.gmail.com>
Message-ID: <CAMoSCWZTj_zRuQ8XzWvJ-OZCP40naqoUng1xXnvu5FjRELSgjg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0azC-XEiUyb8Y3i4i6Sq9sI4sLY>
Subject: Re: [TLS] Updated DTLS draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 11:32:21 -0000

On 17 March 2017 at 00:03, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 17 March 2017 at 10:58, Matt Caswell <frodo@baggins.org> wrote:
>> In DTLS1.3 the cookie is now (potentially) much larger and appears much later in
>> the ClientHello, making it much more likely that it will not fall
>> fully within the
>> first fragment. This could mean a fully stateless solution is impossible.
>
>
> I think that it is feasible to simply require that ClientHello be
> contained in a single datagram.

Yes, this is one of several solutions - although it is possibly a
retrograde step. With the assumptions that I currently have for
DTLSv1.2, even with max size cookie and session id the full cookie
will always be contained within the first 346 bytes of the record (if
I did my sums right) - which doesn't seem unreasonable. So as long as
the first fragment isn't smaller than that then, with our current
implementation, we are good.

By stating that the *whole* ClientHello must be within the first
fragment we are placing some significant restrictions on the
extensibility of the protocol and how much we can stuff into it.
Fragmenting the initial ClientHello does happen even in DTLS1.2
(before we've added extra ciphersuites and extensions for DTLSv1.3) -
we had a recent report of someone having problems when receiving
fragmented ClientHellos:

https://mta.openssl.org/pipermail/openssl-users/2017-February/005332.html

Another option is to say that the cookie extension must be fully
contained within the first fragment - which avoids the above
extensibility concerns. This option is much better but is still
retrograde from DTLS1.2 because the extensions block appears later in
the ClientHello (most importantly after ciphersuites, which could be
quite long).

A third option is to retain use of the cookie field in DTLSv1.3 and
require that the first fragment contains it, i.e. the server sends the
cookie in the HRR and the client reflects it back in the cookie field.
This would solve all of the above problems but introduces a new one -
the TLSv1.3 max cookie length is bigger than the length of the cookie
field. There are a couple of ways around that that I can think of -
the simplest being that DTLS1.3 could restrict the max cookie length -
but that in itself could cause some problems due to the fact that more
data needs to be stored in the cookie for DTLS1.3 (i.e. the transcript
hash).

>  QUIC does this and when we did the
> sums it wasn't completely unreasonable, even assuming several key
> shares and a big-ish cookie.  And then we made it possible to make the
> cookie even smaller in -19.

Did we? How did we do that?

Matt

v2.23.0 | Report a Bug | By Email