IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 22 October 2017 17:29 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18A7B13A0FB for <tls@ietfa.amsl.com>; Sun, 22 Oct 2017 10:29:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TXtmAxnwCEcF for <tls@ietfa.amsl.com>; Sun, 22 Oct 2017 10:29:03 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2B3C13A100 for <tls@ietf.org>; Sun, 22 Oct 2017 10:29:03 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 402CDBE79; Sun, 22 Oct 2017 18:29:01 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AiXErAeSeWUr; Sun, 22 Oct 2017 18:28:59 +0100 (IST)
Received: from [10.244.2.100] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9C772BE73; Sun, 22 Oct 2017 18:28:59 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1508693339; bh=0XtJnfpTGGGe7AJ7J5zHxV+e8xzHQbzDN71WGf0O/tc=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=q+Tyz5BWNq0dztZXph9YA8V/SYW6Ru9xogZdpSZWlz1uT16Ivn/yicFKabj9fdhk3 W4O+MGXUUXj8erN288fjh0uUXWMvvgR2gmx2xvt6aeXlX4m8L+H+rSr7RV47mwJvoi W4XR2AC5jzyw+uGqU6KRfENJW6ZwmkLAlbWNL07o=
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com> <574d133f-0531-2206-c7d3-825ebaffacdd@cs.tcd.ie> <CABcZeBM_xUadFDnAK-FLGjqciDOLGoePv8xhSFkmBYS5nooXxQ@mail.gmail.com> <765bb5b0-2129-9ea8-2c51-b6b4163748e8@cs.tcd.ie> <CABcZeBNbt-ZB=8jsp=pKkDfS9qKOogfmjeAieN6KC9KBNkWnrg@mail.gmail.com> <016ec9b6-d59e-531a-0930-9f355edb34be@cs.tcd.ie> <CABcZeBP_a_tLkMz87CBNzsv7LCpPCHYMTk2asN8hHHtgN1ZRFQ@mail.gmail.com> <f8e1f136-014c-6471-c5f2-bff31cc54723@cs.tcd.ie> <CABcZeBOKydO+g-73eB-pqGXKgiD9XYjP3JTQGjy1GwphWenPFg@mail.gmail.com> <d5849014-8bea-2ad0-0f2d-b477e269d80a@cs.tcd.ie> <CABcZeBO2v=v91tn06dinOH_EuEVD1haM8ggoQ+RNtgy4aR+v5w@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <3de461d1-04f2-f409-5cb1-adf67ccf1091@cs.tcd.ie>
Date: Sun, 22 Oct 2017 18:28:58 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBO2v=v91tn06dinOH_EuEVD1haM8ggoQ+RNtgy4aR+v5w@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="p5L00EvE54jAhoo3PGb7MfFigSiXNHPKl"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4NivjGRnRO1nZwrWsdLE_TvLWzE>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Oct 2017 17:29:06 -0000


On 22/10/17 17:04, Eric Rescorla wrote:
> On Sun, Oct 22, 2017 at 8:50 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> 
>>
>>
>> On 22/10/17 16:41, Eric Rescorla wrote:
>>>
>>>> Maybe the thing we could agree at this stage is that the cid scheme
>>>> has to be usable in that one-message-per-day scenario and needs to
>>>> provide some way that such messages aren't easily linkable based on
>>>> cids.
>>>
>>> I think that's a requirement in some cases but not others. It might be
>>> best to settle for the others.
>>
>> Sorry, I'm not sure what you mean there. Are you saying that you think
>> the above requirement can't be met by a generally usable scheme?
>>
>> I agree that not all scenarios need to meet the req posited above.
>>
>> I'd worry that if DTLS1.3 can't meet the above requirement then folks
>> will invent something that does, which may be worse than using DTLS
>> in a bunch of cases. OTOH, one could equally, and maybe fairly, argue
>> that DTLS really doesn't scale down quite that far, which'd I guess
>> argue that there's a need for some other security protocol for those
>> situations.
>>
> 
> It's not a matter of DTLS versus non-DTLS. 

Not sure tbh, ISTM there's a bunch of challenges in trying to
use the kind of lpwan technologies being developed with DTLS,
with cid just being one of those. But time will tell I guess,
and that's a different discussion.

> I am unaware of any method
> of providing conn-IDs that simultaneously meets the requirements of:
> 
> - Unlinkability
> - Being able to survive multiple conn-ID changes in one round-trip
>   (which is implicit in both the one-packet per day and the unknown
>   address changes scenarios)
> - Low bandwidth
> - Good receiver-side scaling (both state and computational)
> 

Fair enough - I can buy that the last above suffers when one tries
to satisfy all the rest. Maybe that means a WG draft ought have an
applicability statement section that captures the scenarios where
that particular cid extension is suitable.

I'll be sad though if the end result is to sacrifice unlinkability
which I fear will be the likely outcome in practice.

> This is a generic problem, not one limited to DTLS. And as I said earlier,
> to the extent to which we either need specific schemes that meet different
> subsets of these requirements or we come up with a better generic scheme,
> the extension-based approach accommodates it.

Again, maybe some applicability text as per the above would make
it clearer that the draft is describing one (though hopefully the
most commonly useful) scheme and that others may be needed in
other situations.

Cheers,
S.

PS: In case it helps, with the additions discussed earlier and
above, and with the understanding that exploring other cid schemes
for cases where this one isn't fully satisfactory isn't ruled
out, I think this draft would be a fine starting point for a WG
document.


> 
> 
> PS: I fully accept your point that purely napkin-based schemes aren't
>> good enough and if those're the only kind of hash-chain based proposals
>>
> seen, then the WG oughtn't go for one of those.
>>
> 
> We've seen others, and they fail the receiver-side scaling test, IMO
> 
> -Ekr
>

v2.23.0 | Report a Bug | By Email