Re: [TLS] Some comments about draft-ietf-tls-applayerprotoneg-01

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 03 July 2013 21:18 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59EE521F9D22 for <tls@ietfa.amsl.com>; Wed, 3 Jul 2013 14:18:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.467
X-Spam-Level:
X-Spam-Status: No, score=-0.467 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CXr8h9qwjLAV for <tls@ietfa.amsl.com>; Wed, 3 Jul 2013 14:18:30 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0242.outbound.protection.outlook.com [207.46.163.242]) by ietfa.amsl.com (Postfix) with ESMTP id C833721F9D24 for <tls@ietf.org>; Wed, 3 Jul 2013 14:18:30 -0700 (PDT)
Received: from BL2FFO11FD027.protection.gbl (10.173.161.202) by BL2FFO11HUB024.protection.gbl (10.173.161.48) with Microsoft SMTP Server (TLS) id 15.0.717.3; Wed, 3 Jul 2013 21:18:29 +0000
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD027.mail.protection.outlook.com (10.173.161.106) with Microsoft SMTP Server (TLS) id 15.0.717.3 via Frontend Transport; Wed, 3 Jul 2013 21:18:28 +0000
Received: from DB8EHSOBE007.bigfish.com (157.54.51.114) by mail.microsoft.com (157.54.79.159) with Microsoft SMTP Server (TLS) id 14.3.136.1; Wed, 3 Jul 2013 21:18:11 +0000
Received: from mail19-db8-R.bigfish.com (10.174.8.253) by DB8EHSOBE007.bigfish.com (10.174.4.70) with Microsoft SMTP Server id 14.1.225.22; Wed, 3 Jul 2013 21:18:09 +0000
Received: from mail19-db8 (localhost [127.0.0.1]) by mail19-db8-R.bigfish.com (Postfix) with ESMTP id 41DBF34025E for <tls@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 3 Jul 2013 21:18:09 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT002.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -23
X-BigFish: PS-23(zz98dI9371I148cI542I1432I1418I4015Izz1f42h1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1033IL8275bh8275dhz31h2a8h668h839h944hd24hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1ad9h1b0ah1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh17ej9a9j1155h)
Received-SPF: softfail (mail19-db8: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=Andrei.Popov@microsoft.com; helo=BL2PRD0310HT002.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(199002)(189002)(377454003)(52604005)(51704005)(13464003)(164054003)(51444003)(24454002)(46102001)(51856001)(79102001)(74502001)(54316002)(76786001)(74662001)(76576001)(33646001)(81342001)(54356001)(77096001)(74316001)(16406001)(74706001)(81542001)(47446002)(83072001)(56816003)(74366001)(47736001)(76482001)(4396001)(59766001)(80022001)(49866001)(69226001)(47976001)(74876001)(53806001)(76796001)(77982001)(56776001)(50986001)(31966008)(65816001)(63696002)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB196; H:BL2PR03MB194.namprd03.prod.outlook.com; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Received: from mail19-db8 (localhost.localdomain [127.0.0.1]) by mail19-db8 (MessageSwitch) id 1372886287244944_12008; Wed, 3 Jul 2013 21:18:07 +0000 (UTC)
Received: from DB8EHSMHS028.bigfish.com (unknown [10.174.8.244]) by mail19-db8.bigfish.com (Postfix) with ESMTP id 37E2D700047; Wed, 3 Jul 2013 21:18:07 +0000 (UTC)
Received: from BL2PRD0310HT002.namprd03.prod.outlook.com (157.56.240.21) by DB8EHSMHS028.bigfish.com (10.174.4.38) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 3 Jul 2013 21:18:06 +0000
Received: from BL2PR03MB196.namprd03.prod.outlook.com (10.255.230.155) by BL2PRD0310HT002.namprd03.prod.outlook.com (10.255.97.37) with Microsoft SMTP Server (TLS) id 14.16.324.0; Wed, 3 Jul 2013 21:18:06 +0000
Received: from BL2PR03MB194.namprd03.prod.outlook.com (10.255.230.142) by BL2PR03MB196.namprd03.prod.outlook.com (10.255.230.155) with Microsoft SMTP Server (TLS) id 15.0.702.21; Wed, 3 Jul 2013 21:18:05 +0000
Received: from BL2PR03MB194.namprd03.prod.outlook.com ([169.254.14.98]) by BL2PR03MB194.namprd03.prod.outlook.com ([169.254.14.98]) with mapi id 15.00.0702.005; Wed, 3 Jul 2013 21:18:05 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Yoav Nir <ynir@checkpoint.com>
Thread-Topic: Some comments about draft-ietf-tls-applayerprotoneg-01
Thread-Index: AQHOcXYmoV9GvBkxHECtNVUf6mHhEZlQdzOggABOToCAAonR4A==
Date: Wed, 03 Jul 2013 21:18:05 +0000
Message-ID: <907a79bbee5a4733b0b5b618ccd2768b@BL2PR03MB194.namprd03.prod.outlook.com>
References: <279FAAD4-1FF3-4D9D-939A-10D83E0B036E@checkpoint.com> <31987392d2a3412f8e3932dc61264c32@BL2PR03MB194.namprd03.prod.outlook.com> <A6965FDF-099E-42AC-A577-B671B6B31E18@checkpoint.com>
In-Reply-To: <A6965FDF-099E-42AC-A577-B671B6B31E18@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:a:2:c085:5cb7:cd84:99c5]
x-forefront-prvs: 0896BFCE6C
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BL2PR03MB196.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%CHECKPOINT.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14MLTC104.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC104.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464003)(51444003)(189002)(164054003)(199002)(51704005)(24454002)(377454003)(52604005)(47736001)(76796001)(54316002)(76786001)(54356001)(76576001)(33646001)(63696002)(16676001)(4396001)(51856001)(47776003)(74316001)(50986001)(80022001)(49866001)(20776003)(6806003)(47976001)(65816001)(81542001)(76482001)(77096001)(74502001)(74876001)(69226001)(74366001)(77982001)(53806001)(46406003)(50466002)(56776001)(56816003)(81342001)(83072001)(31966008)(59766001)(47446002)(46102001)(23726002)(74662001)(79102001)(44976004)(74706001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB024; H:TK5EX14MLTC104.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0896BFCE6C
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] Some comments about draft-ietf-tls-applayerprotoneg-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2013 21:18:37 -0000

" So as long as you support ALPN, you MUST reply."
Here's an example: let's say a TLS server supports both ALPN and XPN extensions, each with its own set of application protocols. The server receives both ALPN and XPN extensions in the ClientHello. The server might find no matching ALPN protocol ID, but there is still hope that XPN will have a match. Or, perhaps the server prefers to use XPN for some reason. In these and similar situations, it makes sense for the server to ignore ALPN extension and give XPN a try, without terminating the handshake with a fatal alert. I would like the draft to allow this behavior.

Regarding the private namespace, I see no problem adding it if enough people want it. Would the protocol IDs in the private namespace not require IANA registration, just like those in the experimental namespace?

Renegotiation is used for multiple purposes, commonly including client auth, so I believe it is less revealing than the "hide" protocol ID. More importantly, what does the "hide" protocol ID achieve that we don't have already?

Cheers,

Andrei

-----Original Message-----
From: Yoav Nir [mailto:ynir@checkpoint.com] 
Sent: Monday, July 1, 2013 11:40 PM
To: Andrei Popov
Cc: tls@ietf.org list
Subject: Re: Some comments about draft-ietf-tls-applayerprotoneg-01

Hi Andrei.

Inline.

On Jul 2, 2013, at 2:30 AM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:

> Hi Yoav,
> 
> Thanks for reviewing the draft.
> 
> Regarding the preference order of the protocol IDs, the language was intended to indicate that most of the time it makes sense for the server to choose according to the server's preferences; however an implementation may have valid reasons to ignore this and go with the client's order of preference (that's why SHOULD is used). We can change the wording, if this is not clear.
> 
> As for returning the protocol selection response, the idea is that an extension is optional, and can be ignored (e.g. when disabled, or for some implementation-specific reasons). I would rather retain this flexibility and keep MAY.

I know some documents specify behavior of implementations that have turned off the feature. But I believe an implementation with the feature disabled is not bound by the RFC. So as long as you support ALPN, you MUST reply.

> The current draft makes a distinction between IANA-registered protocol IDs and those not registered by IANA. The latter can be used privately, for experimentation, etc. We can devise a more elaborate namespace scheme if there is consensus in the WG that this would be desirable. Personally, I would rather keep it simple.

I like the idea to have private space in addition to experimental space. Let's raise this issue in Berlin (and here)

> "hide" protocol ID seems to defeat the very purpose of hiding:). Those who are interested in hiding the negotiated protocol, usually don't want the intermediaries to be able to treat different protocols differently. E.g. proxies could easily filter out traffic which includes "hide" protocol ID.

Doing an immediate renegotiation is as obvious a "tell" as a "hide" protocol. But there are many more fields that people would like to hide besides protocol. In fact, protocol is unlikely to be the secret information. Hiding a client certificate (that might have a user name) is a higher priority. We can't really hide the fact that we *are* hiding a user identity. But we can hide the identity itself, and I think that's a worthy thing to have.

> Does it make sense to include a protocol list in the renegotiation handshake? I believe it is possible that one would want to renegotiate to a different application protocol.

Renegotiation is supposed to be done to replace encryption keys, and it can be done unbeknownst to the application layer (which was the basis for the famous vulnerability from 2009). So negotiating a new protocol would be weird.


> Thanks,
> 
> Andrei