[TLS] Re: draft-ietf-tls-key-share-prediction next steps
David Adrian <davadria@umich.edu> Thu, 12 September 2024 20:25 UTC
Return-Path: <davadria@umich.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08A78C169436 for <tls@ietfa.amsl.com>; Thu, 12 Sep 2024 13:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrTwBJj8Zv-x for <tls@ietfa.amsl.com>; Thu, 12 Sep 2024 13:25:53 -0700 (PDT)
Received: from mighty-olwen.relay-egress.a.mail.umich.edu (relay-egress-host.us-east-2.a.mail.umich.edu [13.59.128.245]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34D02C17C884 for <tls@ietf.org>; Thu, 12 Sep 2024 13:25:52 -0700 (PDT)
Received: from completed-crocotta.authn-relay.a.mail.umich.edu (ip-10-0-73-8.us-east-2.compute.internal [10.0.73.8]) by mighty-olwen.relay-egress.a.mail.umich.edu with ESMTPS id 66E34E50.48C1F59.1B7DAC25.3643577; Thu, 12 Sep 2024 16:25:52 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=relay-1; t=1726172751; bh=sGCsXi5x8+Z5H5sidUMQbiHdYkZArKOs3ddkovXw+HI=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=faYvvvIty67PzOUbJG3W0VWA3Z7FcYXBXDK3yv8IdgI210xBKTYIAh16AAOl6GWsS 1uAU1iPvwbZRsG6KCQQlxR/V09RpRJbamFqEmPUXub+pyxOiqH/C7uO3ZtcbcptW4Y wBxvCMvOfZbRWajDJK2qVaiAAnykS7eQTsDLLDGt58TPraOGVmCrseJpoJqG417y5t 5ZGwcHinGNr+FfNs+ME5R0vZMzLqVEy02Z1DO1vfvJveHNG0ALpTg+FbEJR1ng8Ysz HMPvoJZ/MCh1TD2g6zn9Uu6g68YvnpJdLjhoMsRuZugCnsu35KIZ1zdnyOucOUg0dE neoVwFKEwbkvg==
Authentication-Results: completed-crocotta.authn-relay.a.mail.umich.edu; iprev=pass policy.iprev=209.85.222.48 (mail-ua1-f48.google.com); auth=pass smtp.auth=davadria
Received: from mail-ua1-f48.google.com (mail-ua1-f48.google.com [209.85.222.48]) by completed-crocotta.authn-relay.a.mail.umich.edu with ESMTPSA id 66E34E4F.294CACF2.5BE955D5.3615602; Thu, 12 Sep 2024 16:25:51 -0400
Received: by mail-ua1-f48.google.com with SMTP id a1e0cc1a2514c-848b77c89e0so66211241.0 for <tls@ietf.org>; Thu, 12 Sep 2024 13:25:51 -0700 (PDT)
X-Forwarded-Encrypted: i=1; AJvYcCX1toiE7QDqESBtdgJgUIdI1TRTwRBuJ1q2bDGvZ+Z6EUbibgCi/nKZtJYAoO8eHDC1FLc=@ietf.org
X-Gm-Message-State: AOJu0YyAXx+vLb16+XArLaI50/+iL4FiuYL3fqfQeRFPi8CIsZihpAbC Ngoh1kbdxdR4corAtgwRBloOV3u2XRCcJweLXyRnyKBIZGx3yBarKwYp50BCwvBCuDHZCet9Zle Ek5TSKyWbVXQqWs63plOhtdfadfk=
X-Google-Smtp-Source: AGHT+IFvNAxQDDF29/XGkp33BpP4aweKqs6QkM9rngwyEulSmpP6IVqtI1BhyOZNpV9S3zLpYwUcnG8gqMF7KlmWoVc=
X-Received: by 2002:a05:6102:ccd:b0:49d:4492:77b7 with SMTP id ada2fe7eead31-49d4f612b12mr797644137.15.1726172750735; Thu, 12 Sep 2024 13:25:50 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaAU+cRapAc3xnySXiq2nOTXAFvLQYdWNC6rXdFj8iA39w@mail.gmail.com> <CAOp4FwTySAHKtwKv4ade9qm19GCvag-PAJxmDndxG5CYsDPvkw@mail.gmail.com> <ZuFNRD6UWgkhAbdl@LK-Perkele-VII2.locald> <CAF8qwaBmyZR4ky_sMZNbk4ZiKbZche8uXLhbPkLzU-xau77Ciw@mail.gmail.com> <cc1e576c70f24659b220945b1e53f26f@amazon.com>
In-Reply-To: <cc1e576c70f24659b220945b1e53f26f@amazon.com>
From: David Adrian <davadria@umich.edu>
Date: Thu, 12 Sep 2024 16:25:39 -0400
X-Gmail-Original-Message-ID: <CACf5n79nvEXJM3tPLNRBFfZa3z_VUPTJASMqO2FaBbh4cH02tA@mail.gmail.com>
Message-ID: <CACf5n79nvEXJM3tPLNRBFfZa3z_VUPTJASMqO2FaBbh4cH02tA@mail.gmail.com>
To: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a0fdaa0621f1e959"
Message-ID-Hash: QO6BOB32NEY2AXKCPUK4ALFUUL3SSX5H
X-Message-ID-Hash: QO6BOB32NEY2AXKCPUK4ALFUUL3SSX5H
X-MailFrom: davadria@umich.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: draft-ietf-tls-key-share-prediction next steps
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3x4Yr7Pw8VOPktQzSubFC4mvWNw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
> Any numbers you have to showcase the regression and the relevant affected web metrics? Adding Kyber to the TLS handshake increased TLS handshake latency by 4% on desktop [1] and 9% on Android at P50, and considerably higher at P95. In general, Cloudflare found that every 1K of additional data added to the server response caused median HTTPS handshake latency increase by around 1.5% [2]. > I have seen this claim before and, respectfully, I don’t fully buy it. A mobile client that suffers with two packet CHs is probably already crawling for hundreds of KBs of web content per conn. There is a considerable difference between loading large amounts of data for a single site, which is a decision that is controllable by a site, and adding a fixed amount of latency to _all_ connections to all sites to defend against a computer that does not exist [3]. [1]: https://blog.chromium.org/2024/05/advancing-our-amazing-bet-on-asymmetric.html [2]: https://blog.cloudflare.com/pq-2024/ [3]: https://dadrian.io/blog/posts/pqc-not-plaintext/ On Thu, Sep 12, 2024 at 4:11 PM Kampanakis, Panos <kpanos= 40amazon.com@dmarc.ietf.org> wrote: > Hi David, > > > > Note I am not against draft-ietf-tls-key-share-prediction. It is > definitely better to not send unnecessary bytes on the wire. > > > > > Yup. Even adding one PQ key was a noticeable size cost (we still haven't > shipped Kyber/ML-KEM to mobile Chrome because the performance regression > was more prominent) so, yeah, we definitely do not want to send two PQ keys > in the initial ClientHello. > > > > I have seen this claim before and, respectfully, I don’t fully buy it. A > mobile client that suffers with two packet CHs is probably already crawling > for hundreds of KBs of web content per conn. Any numbers you have to > showcase the regression and the relevant affected web metrics? > > > > > > *From:* David Benjamin <davidben@chromium.org> > *Sent:* Wednesday, September 11, 2024 8:02 PM > *To:* Ilari Liusvaara <ilariliusvaara@welho.com> > *Cc:* <tls@ietf.org> <tls@ietf.org> > *Subject:* [EXTERNAL] [TLS] Re: draft-ietf-tls-key-share-prediction next > steps > > > > *CAUTION*: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > > On Wed, Sep 11, 2024 at 3:58 AM Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > On Wed, Sep 11, 2024 at 10:13:55AM +0400, Loganaden Velvindron wrote: > > On Wed, 11 Sept 2024 at 01:40, David Benjamin <davidben@chromium.org> > wrote: > > > > > > Hi all, > > > > > > Now that we're working through the Kyber to ML-KEM transition, TLS > > > 1.3's awkwardness around key share prediction is becoming starkly > > > visible. (It is difficult for clients to efficiently offer both > > > Kyber and ML-KEM, but a hard transition loses PQ coverage for some > > > clients. Kyber was a draft standard, just deployed by early > > > adopters, so while not ideal, I think the hard transition is not > > > the end of the world. ML-KEM is expected to be durable, so a > > > coverage-interrupting transition to FancyNewKEM would be a problem.) > > > > > > > Can you detail a little bit more in terms of numbers ? > > -Did you discover that handshakes are failing because of the larger > > ClientHello ? > > -Some web clients aren't auto-updating ? > > The outright failures because of larger ClientHello are actually web > server issues. However, even ignoring any hard failures, larger > ClientHello can cause performance issues. > > The most relevant of the issues is tldr.fail (https://tldr.fail/) > where web server ends up unable to deal with TCP-level fragmentation > of ClientHello. Even one PQ key (1216 bytes) fills vast manjority of > TCP fragment (and other stuff in ClientHello can easily push it over, > as upper limit is around 1430-1460 bytes). There is no way to fit two > PQ keys. > > Then some web servers have ClientHello buffer limits. However, these > limits are almost invariably high enough that one could fit two PQ > keys. IIRC, some research years back came to conclusion that the > maximum tolerable key size is about 3.3kB, which is almost enough for > three PQ keys. > > Then there are a lot of web servers that are unable to deal with TLS- > level fragmentation of ClientHello. However, this is not really > relevant, given that the limit is 16kB, which is easily enough for > 10 PQ keys and more than enough to definitely cause performance issues > with TCP. > > > > Yup. Even adding one PQ key was a noticeable size cost (we still haven't > shipped Kyber/ML-KEM to mobile Chrome because the performance regression > was more prominent) so, yeah, we definitely do not want to send two PQ keys > in the initial ClientHello. Sending them in supported_groups is cheap, but > as those options take a RTT hit, they're not really practical. Hence all > the key-share-prediction work. (For some more background, so the earlier WG > discussions around this draft, before it was adopted.) > > > > And it is possible for web server to offer both, so even with hard > client transition both old and new clients get PQ coverage. > > > > Yup, although that transition strategy requires that *every* PQ server > move before *any* client moves, if your goal is to never interrupt > coverage. That's not really a viable transition strategy in the long run, > once PQ becomes widely deployed. > > > > David > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org >
- [TLS] draft-ietf-tls-key-share-prediction next st… David Benjamin
- [TLS] Re: draft-ietf-tls-key-share-prediction nex… John Mattsson
- [TLS] Re: [EXTERNAL] draft-ietf-tls-key-share-pre… Andrei Popov
- [TLS] Re: [EXTERNAL] draft-ietf-tls-key-share-pre… Bas Westerbaan
- [TLS] Re: [EXTERNAL] draft-ietf-tls-key-share-pre… Bob Beck
- [TLS] Re: draft-ietf-tls-key-share-prediction nex… Loganaden Velvindron
- [TLS] Re: draft-ietf-tls-key-share-prediction nex… Ilari Liusvaara
- [TLS] Re: draft-ietf-tls-key-share-prediction nex… David Benjamin
- [TLS] Re: draft-ietf-tls-key-share-prediction nex… David Benjamin
- [TLS] Re: draft-ietf-tls-key-share-prediction nex… Kampanakis, Panos
- [TLS] Re: draft-ietf-tls-key-share-prediction nex… David Adrian
- [TLS] Re: draft-ietf-tls-key-share-prediction nex… Kampanakis, Panos
- [TLS] Re: draft-ietf-tls-key-share-prediction nex… Eric Rescorla