Re: [TLS] WGLC for draft-ietf-tls-sni-encryption
Martin Thomson <martin.thomson@gmail.com> Tue, 16 October 2018 23:59 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12FFB130E9A for <tls@ietfa.amsl.com>; Tue, 16 Oct 2018 16:59:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Caiy_oRR9WDu for <tls@ietfa.amsl.com>; Tue, 16 Oct 2018 16:59:11 -0700 (PDT)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DE73130E70 for <tls@ietf.org>; Tue, 16 Oct 2018 16:59:11 -0700 (PDT)
Received: by mail-oi1-x230.google.com with SMTP id j68-v6so19626323oib.7 for <tls@ietf.org>; Tue, 16 Oct 2018 16:59:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=fGyfEjlqsMS8euqvOUbKkxjpIOZjwnMQHan0C7KdXOE=; b=DtdZzyC5NCr0vt/3q6z1F6lfv151z9RxXA7FAWM2hTwBT+W5TDAgcQvQ9DAq0kzLI1 c/GTgLNJf9q4wBEdAJZtSxfOrHp0ahYaN0rkVxD4wUtQZJB/yScgt/6MDItLGSOLbWmZ jSl8wCH99pdKMRjvze0r65R8uxqwfgGd8nhdo2Yh+2E8BGupwc54jbsR1g9Cej7sUb6c A345c+MrmzNAU1KfrhumL4ahxJbB0iQL/P6YecLo2TZqchcQnyVMZL62t/psqS1bxdCy rRGlBMJSonvXrfnt096dtOFf92ogSMZAa1DJr487nXokKx35bebwEEahi857ZrUA0Sp4 SHMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=fGyfEjlqsMS8euqvOUbKkxjpIOZjwnMQHan0C7KdXOE=; b=F6Kl4qorNt9Uzct5cFZ1HvDBj2c/7lkpAripNwcOxdzb9L3608HvGuQL0OOFCZ9j30 q0eKdtBAIYCzS17WJybimAPf0wA7nc7ttUiMoDp4Onk/oP1pm/xO42fAhmvgQ/jMsXem QyeicnvJhXGTBr/WNu8dJWL29JyGyA/RT61yM1EYTS0dJnZLOw8tJYqHBxXYbxKAQzKL jW6N33Hf4bMd5ELf0yTVekzRKSudiiYsv1+0IBV//g+9dCosHCcGQiqqPbS1HXUTG8Qu wYpwLYHf8P2uj4XslNR+baQJ2aJMWC0pLYD37JAZmu9GjbJwYphfU7xeTYroYxHnU5Oc eTug==
X-Gm-Message-State: ABuFfogSwx5CyIp9C9kpPRfvUHkSjO1QYr/Nfw6R8CJ9IO2ABuP3ZsgV SQsb7DWGCagvUOTcOuIbMlfS7NSNATz3ptU1p3IXIm8FNTM=
X-Google-Smtp-Source: ACcGV600/5/XtIDmB1eJ+su08EvI0Oe6mvgLkMLV1ymcH35BAl3KrhTwGbTBSn824AcFYDeWecn/UsLTEBgQqMHASjU=
X-Received: by 2002:aca:de46:: with SMTP id v67-v6mr13380326oig.167.1539734350322; Tue, 16 Oct 2018 16:59:10 -0700 (PDT)
MIME-Version: 1.0
References: <9DE64F7F-4740-4410-A004-373D8919920B@sn3rd.com> <9F1B6F5B-D6A4-4A83-8424-E07FA4D81616@sn3rd.com>
In-Reply-To: <9F1B6F5B-D6A4-4A83-8424-E07FA4D81616@sn3rd.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 17 Oct 2018 10:58:58 +1100
Message-ID: <CABkgnnXenHx-pEKBru=aXTEqPDzoryE4QZ-=kD5_Edhk7zPLfg@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0wi7SOwmTCslwhWnr8-KGqTggg8>
Subject: Re: [TLS] WGLC for draft-ietf-tls-sni-encryption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2018 23:59:22 -0000
This is a pretty good piece of information that is very nearly done.
Regarding the idnits results, DoH is done, but DTLS and QUIC are still
a way off. Would we prefer publication with downref or waiting? For
me, this depends somewhat on the maturity of the documents that depend
on this. I'd be willing to wait until those documents would have to
wait for this one.
3.6 mentions attack by the fronting server or the multiplexed server.
But the multiplexed server is the desired endpoint. I think that you
can drop any reference to the multiplexed server here. It might
require some reframing.
3.8.1 says that it "is thus desirable that SNI Encryption mechanisms
be also able hide the ALPN." I think that we ultimately decided that
while the techniques might be usable, it would be preferable to
encrypt these independently. (Noting that SNI encryption as specified
is rather bulky...)
3.9 suggests that parameters might be stripped from the ClientHello:
When designing SNI encryption schemes, we have to take into account
attacks that strip parameters from the Client Hello, or replay
attacks. In both cases, the desired behavior is to fall back to a
connection with the fronting server, so there is no visble difference
between a regular connection to that server and an attempt to reach
the hidden server.
But any attack that modifies the ClientHello will cause the handshake
to fail when the client receives the Finished from the server (i.e.,
immediately). Not to mention the server certificate being for a name
the client doesn't expect.
The problem is that you can construct scenarios with controlled
release of a spoofed server flight to test whether a client is willing
to continue the connection. Note that you can't do a controlled
release of a real flight from a server because any modification to the
ClientHello will result in different handshake keys.
(Note also the typo: visble)
I don't know what was really intended by this section, but it needs work.
4 fails to acknowledge other work in this area, like
draft-ietf-httpbis-http2-secondary-certs and the ORIGIN frame (RFC
8336).
Nits:
The document contains a mix of title- and sentence- case headings.
Terms are inconsistently capitalized throughout (like Fronting Server).
2.1 list construction requires "and" or "or"
o Enterprise firewalls blocking web sites not deemed appropriate for
work, +and+
2.3 missing "of"
Deploying SNI encryption will help thwarting most +of+ the "unanticipated"
3.8 subject object disagreement
The SNI encryption requirement do+es+ not stop with HTTP over TLS.
3.9. Fail to fronting <- not sure what this phrase means
3.9 also has inconsistent use of "client hello" vs. "Client Hello". I
think that it's supposed to be "ClientHello".
4 just drop "/some-content" from the example, it doesn't help (and
it's badly wrapped)
4 mismatched quotes on 'co-tenant"
On Wed, Oct 17, 2018 at 10:04 AM Sean Turner <sean@sn3rd.com> wrote:
>
> All,
>
> I ran I-D nits before hitting the appropriate buttons to place this draft in WGLC. I figured we could address the following before we send the draft to Ben:
>
> == Outdated reference: draft-ietf-tls-tls13 has been
> published as RFC 8446
>
> == Outdated reference: A later version (-14) exists of
> draft-ietf-doh-dns-over-https-08
>
> == Outdated reference: A later version (-15) exists of
> draft-ietf-quic-tls-11
>
> == Outdated reference: A later version (-28) exists of
> draft-ietf-tls-dtls13-26
>
> == Outdated reference: draft-mm-wg-effect-encrypt has
> been published as RFC 8404
>
> To answer the other 5 I-D nits questions "Obsolete informational reference (is this intentional?)” - the answer is yes.
>
> spt
>
> > On Oct 16, 2018, at 18:43, Sean Turner <sean@sn3rd.com> wrote:
> >
> > All,
> >
> > This is the working group last call for the "Issues and Requirements for SNI Encryption in TLS" draft available at http://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/. Please review the document and send your comments to the list by 2359 UTC on 31 October 2018.
> >
> > Thanks your chairs: C-J-S
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
- [TLS] WGLC for draft-ietf-tls-sni-encryption Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Martin Rex
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Martin Rex
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Geoffrey Keating
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption David Fifield
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Mark O