Re: [TLS] ESNI and padding
"Christopher Wood" <caw@heapingbits.net> Tue, 25 June 2019 20:49 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95EE5120499 for <tls@ietfa.amsl.com>; Tue, 25 Jun 2019 13:49:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=G9zFth5X; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=YpExTVwT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LEWE-uKEfk0l for <tls@ietfa.amsl.com>; Tue, 25 Jun 2019 13:49:09 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 341221204AA for <tls@ietf.org>; Tue, 25 Jun 2019 13:49:07 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 438B322087 for <tls@ietf.org>; Tue, 25 Jun 2019 16:49:06 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Tue, 25 Jun 2019 16:49:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=XGDQOXzNVNC1mtliIwBl7aomy1kbgiC YVl/lhSRZC9M=; b=G9zFth5XYOgSkHF/lDpama1I89UgL8Y+LkdzSYiuloTeAar 8glICson+O3aGPQrhRbDjq6wVDDi9gEHlAYUVc+oZTeKsoOk+NPGQPR7v9xOkFnu 6+Yv3w+8prjSIfbBgzdky+ccbwC4ZBP7FgZHB8dldOZP07Ab7f83yWxiNmB0JJsN Tpg9zMlvSwRJkc/MHsavAXLZLusQ9fHhzhnpBIxftZ4bThQGHaoaOgo2y9pyUsdC LdvjWfhhDUoKHUNQ5eQ309C4unaJvMjh03+IGB+/0YY0l1uYPb8siqWx6Xf53Tpv pz0bgs2VM2m4AsCyeGrUnMhRRrSrXPkNEcontMg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=XGDQOX zNVNC1mtliIwBl7aomy1kbgiCYVl/lhSRZC9M=; b=YpExTVwTXNAuuaxTJBUT1S FcnZJzfXVgraLIEcMltbQEO1uthfSWhVguTMrNrNoYDolAJcf9KZ6PccC7/sk4IA XBgoc8Frnqol8dl47tQ1rR1sepIqz+eiNYGH3/r5qWib3Xz2ZdD/LAQ/qAUpsRYL xemIR5DDPR156Ha/cAGsNCkHyT9rxrDllghzxImsgkBGcBHHe4PWhWgmHjP76J31 iVRTJJZ6AwIDMM6jXGZzSrs3SuurBzKBwW6H5cDNmwm05xnPkm4nDxUscrl1klvj MOTpiZ4feVRrCuxvASQcCvnfHhRQkFczjwPc1Q1FHo8fbu5o+J6O4bOS49iMqkDA ==
X-ME-Sender: <xms:wYgSXWsrBKGrCe4ZthArzxi6gjiIXdetXAJDxGjNNtMYbGmELg_Npw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduvddrudeggdduheefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfvehhrhhishhtohhphhgvrhcuhghoohgufdcuoegtrgif sehhvggrphhinhhgsghithhsrdhnvghtqeenucfrrghrrghmpehmrghilhhfrhhomheptg grfieshhgvrghpihhnghgsihhtshdrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:wogSXYZc-bFbRyKZ5tKYg1tIXq9cI3wUosup9KQvEw5bxndNfpsI4w> <xmx:wogSXdbmvcTWxQN9u4BlRXOFzsmsib7d-poOliChi5J6tFhj16H8ug> <xmx:wogSXZkbxusHNSr_s64-VxIPzyeLJxjC8PsaUgOCZmw7ahPBSuPhVA> <xmx:wogSXViz6EkcXBWMxP70lYSpVSFX-yCmlDNMZiRo8xMwiZStv9716A>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id DD0B53C00A2; Tue, 25 Jun 2019 16:49:05 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-730-g63f2c3b-fmstable-20190622v1
Mime-Version: 1.0
Message-Id: <9a94a3ec-062f-480c-b98b-a8d2f704ae50@www.fastmail.com>
In-Reply-To: <CAHbrMsCBzUH_Pk-qTAOR37qPsQogxa41Qbnrkoiub79tQHsAzA@mail.gmail.com>
References: <eb4bc1a3-ebff-b174-e601-5cf727a7bedd@cs.tcd.ie> <CAHbrMsAa+FudZ-t3MOnxa37rz=D_-1=izaPqBk-2nHaO_L9czA@mail.gmail.com> <65bae8fa-36b1-4724-4107-2e0e02a6adc6@cs.tcd.ie> <CAHbrMsCBzUH_Pk-qTAOR37qPsQogxa41Qbnrkoiub79tQHsAzA@mail.gmail.com>
Date: Tue, 25 Jun 2019 13:49:05 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2CiHnieKM_txl3dd7pya8of1Hyk>
Subject: Re: [TLS] ESNI and padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2019 20:49:19 -0000
On Thu, Jun 20, 2019, at 6:16 AM, Ben Schwartz wrote: > > > On Thu, Jun 20, 2019 at 8:04 AM Stephen Farrell > <stephen.farrell@cs.tcd.ie> wrote: > > > > Hiya, > > > > On 20/06/2019 12:20, Ben Schwartz wrote: > > > > > > As you are clearly aware, this approach provides essentially no privacy > > > protection in the case where a user is repeatedly connecting to a very long > > > domain on a server whose other domains are reasonably short. > > > > Yep. I don't believe that that's at all a common scenario, > > but if I'm wrong then sure, the approach I outlined wouldn't > > be a good plan, at least not with N=32, but maybe some other > > N would work fine. Do we know how common very long SNI names > > are? (I don't.) > > > > If we think that scenario is a real problem, that can't be > > sufficiently mitigated via picking a good N, then I guess > > always having padding_length==260 would be the only answer. > > In which case I see no upside and some downsides in having > > that field in ESNIkeys. > > > > > Rather than make a privacy-vs-efficiency tradeoff in the spec, the current > > > text leaves this option to the implementer. For example, within the > > > current protocol (albeit bending the recommendations slightly), an > > > implementer could easily bucket names by length, and offer separate > > > ESNIKeys for each length bucket. I think this is preferable; only the > > > server operator knows their own privacy and efficiency goals. In my view, > > > setting N=32 for the first bucket would reproduce most of the benefits of > > > this proposal without altering the current protocol. > > > > Fair point. OTOH, if you did that, the last (or maybe even > > all but the first) bucket would likely mean an ESNIKey used > > for very few names, so you end up with the same issue you > > called out above. And it adds some more complexity to what's > > an already complicated thing. So while that could always > > be done, and with the current spec, I'd not be keen to > > recommend it myself. > > > > I just looked back at RFC8467 which recommends padding DNS > > queries to a multiple of 128 octets. I also looked at a couple > > of DNS queries on my laptop just now and there seems to be > > about 40 octets overhead over and above the qname length > > (each "." adds two octets in the encoded length vs. the > > string length it seems). So one could I guess argue for some > > commensurate amount of padding in the ESNI extension and > > whatever was used for DoT or DoH. I wonder if the data DKG > > used to generate that recommendation in 8467 might tell us > > anything here? > > I've implemented RFC 8467 myself, and I'm grateful for the > recommendation, but I think it's rightly marked Experimental. It's not > clear how to judge the amount of privacy protection it offers, or > whether it's truly a good balance between privacy and efficiency. > > However, as a matter of overhead, your test suggests that RFC 8467 > roughly doubles the size of each query packet. That's similar to the > proportional effect of maximum ESNI padding on a typical ClientHello. > Proportionally, I expect RFC 8467 adds more padding to the whole DNS > transaction than current ESNI adds to the whole TLS handshake. It might > even be true in absolute terms, on average. In the context of a full > TLS connection, the proportional impact of ESNI is even smaller. > > > Again though, I think considering DNS query padding argues > > that this ought be a client-driven thing and not tied to the > > ESNIKeys. > One important difference between these cases is that DNS is essentially > an "open world", where no one knows the whole space of possibilities, > whereas a specific server is a "closed world", a finite set of domains > (known only to the server operator). That puts the server operator in > the unique position to make correct padding decisions, and also makes > the adversary's job much easier if the padding is incorrect. +1 -- I don't think we ought to change the current text. Best, Chris (no hat)
- [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Christopher Wood