Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt

Daniel Migault <daniel.migault@ericsson.com> Wed, 02 October 2019 20:42 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36C3B12002F for <tls@ietfa.amsl.com>; Wed, 2 Oct 2019 13:42:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.477
X-Spam-Level:
X-Spam-Status: No, score=-1.477 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.172, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sLXnD3___Otv for <tls@ietfa.amsl.com>; Wed, 2 Oct 2019 13:42:48 -0700 (PDT)
Received: from mail-vs1-f41.google.com (mail-vs1-f41.google.com [209.85.217.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10C21120018 for <tls@ietf.org>; Wed, 2 Oct 2019 13:42:48 -0700 (PDT)
Received: by mail-vs1-f41.google.com with SMTP id y129so160827vsc.6 for <tls@ietf.org>; Wed, 02 Oct 2019 13:42:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mItQXed/tynaUUxbzQHbB3/doEZE6W2egRK1qZ0Dsyw=; b=T/B1pQMsceeFQ9tvVvFcXDo9q+zGYoKailcFSbpPA5db3bJ4Idde5MT5Ohfl+cHI+N DZdLIzdTbJDBCTdQNcNZEUdJECLdNV9IH4VLQJjolOdQXI+6ZVsUe3qKprjRfsucUsK4 fku7oTp4tbLEMNiEcpA1j6HBxcVCtbX4ej6KMUihJ6epFNCALXakyXgWf6orCZlEU45I WojfzwtL5JaxAmpYkSFz6M+lFhGEVJS4ZnCOzFhvsuLR83fxNroG102yuwGS7s/pzqzd Tl9f0rOnM4RE/Lc8lR94YyT1fsVgEO4ge0r5CrC4dwoaw/3qRQdunK/N4t4+m5gQhgFl Xv7w==
X-Gm-Message-State: APjAAAWLoC2TK6Itdg4n1skg6peayX8ioOrpdntQvS3oTXMgC+xgoF3L lg9MN1JOLC8Z0vz4VUv2hrkxV4XO/TVOU2js1cQ=
X-Google-Smtp-Source: APXvYqwWqlcD+PvCc1t0AYy6UTtSNNvcH5y515u+8eSN5zZYQOaoHzfAFm/WIpd9TkZx6Mn8U7EdzRoY7Z7fHBC0Kz0=
X-Received: by 2002:a05:6102:445:: with SMTP id e5mr3039189vsq.69.1570048967084; Wed, 02 Oct 2019 13:42:47 -0700 (PDT)
MIME-Version: 1.0
References: <156962803631.24993.3421537129925787732@ietfa.amsl.com> <1971068.D9yiD15FoS@pintsize.usersys.redhat.com> <851aded9-70a7-4a9a-abd5-b75f98f86baf@www.fastmail.com> <1708345.JU3unZtj4k@pintsize.usersys.redhat.com> <350020eb-c43b-4941-93e9-06ea9a0cacc3@www.fastmail.com>
In-Reply-To: <350020eb-c43b-4941-93e9-06ea9a0cacc3@www.fastmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Wed, 2 Oct 2019 16:42:32 -0400
Message-ID: <CADZyTkm-MRF_ucy-_crC5SeTYZ9=VdPuF+TL5fLkU1gbb=7rfQ@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: Hubert Kario <hkario@redhat.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f68db10593f382d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5WUnjvxogfNMRTSWuStXtV2wlAU>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Oct 2019 20:42:50 -0000

Hi,

Please find some comments on the draft.

In the introduction, I believe both limitations may be merged into one
limitation which is the number of ticket is a server only decision. The
purpose of the extension is the client providing information so the server
can pick the appropriated number.

I find "choose" and "hard-coded" a bit contradicting. If the server uses a
hard coded value for the number of tickets, then I would understand the
limitation as the server being unable to chose a value per client or per
connection. This seems to me an implementation limitation and so maybe out
of scope of the extension. If it is able to choose that number, the
limitation is that it is a server only decision.

I understand the meaning of count is the higher limit of ticket and the
server can provides any tickets between 0 and count. If that is correct,
this could be clearly stated and indication to chose an appropriated value
for each cases may be provided.

I would rather see the count value as a hard line from the server with a
MUST NOT instead of a SHOULD NOT statement.

My reading of 8446 is that NewSessionTicket messages can be sent at
multiple time during or after the handshake. If that is correct, it seems
to me quite complex to track the number of tickets that had been sent.
Typically, if I have to send them at different time how much would I send
at each flight. I would rather consider the min(count, server_limit) as the
number of tickets in any batch of NewSessionTicket messages. We may also
ask the client to only keep the latest batch of tickets and delete the
others previously sent tickets.

The ability to request 255 tickets with one byte can be seen as an
amplification vector, especially when a server sends directly the tickets
after its Finished message. I believe that additional text in the security
consideration could be added.

Yours,
Daniel



On Tue, Oct 1, 2019 at 1:27 PM Christopher Wood <caw@heapingbits.net> wrote:

>
>
> On Tue, Oct 1, 2019, at 9:15 AM, Hubert Kario wrote:
> > On Tuesday, 1 October 2019 16:01:32 CEST Christopher Wood wrote:
> > > On Tue, Oct 1, 2019, at 5:18 AM, Hubert Kario wrote:
> > > > > > ```
> > > > > > Servers MUST NOT send more than 255 tickets to clients.
> > > > > > ```
> > > > > >
> > > > > > per what? session? at a time? connection?
> > > > >
> > > > > This is all per session. We can state it explicitly in the next
> version.
> > > >
> > > > so this count needs to be kept as part of session and impacts
> connections
> > > > that perform resumption?
> > >
> > > Sorry, I meant connection:
> > >
> > >    "Clients may indicate to servers their desired number of tickets
> for *a
> > > single connection* via the following "ticket_request" extension"
> > >
> > > This is a simple hint for servers. Nothing more. No state needs to be
> stored
> > > past connection establishment.
> >
> > sounds good
> >
> > > > > > what's the expected behaviour with tickets and post-handshake
> > > > > > authentication? Are tickets sent after PHA also bound by this
> limit?
> > > > >
> > > > > As mentioned earlier, there is no effect, so we left it out. We're
> happy
> > > > > to
> > > > > accept text should you think it's needed.
> > > >
> > > > If the I-D states that servers should not send more tickets than the
> > > > client
> > > > asked for, and then send exactly that amount, then they won't be
> able to
> > > > send new tickets after PHA and remain compliant.
> > > >
> > > > Yes, it's completely up to the server to decide if to send tickets
> after
> > > > PHA or not, and I'm not suggesting that the client should request for
> > > > tickets in one of its PHA messages, much less expect or require
> them, but
> > > > sending tickets after PHA is reasonable and explicitly stated
> behaviour:
> > > >
> > > > RFC 8446 Section 4.6.1:
> > > >    For instance, the server might send a new
> > > >    ticket after post-handshake authentication in order to encapsulate
> > > >    the additional client authentication state.
> > > >
> > > > so the I-D should explicitly state what's the expected behaviour in
> that
> > > > case.
> > > >
> > > > IMHO, the extension should be used for the tickets sent right after
> the
> > > > handshake, it should not put an upper bound for the tickets that a
> server
> > > > can send in a single connection. For a very long lived connection
> > > > (especially if the connection uses KeyUpdate messages regularly), the
> > > > initial tickets may expire. Server may notice that and send a new
> group
> > > > of tickets then.
> > > Since these hints are not mandatory to honor I don't think we need to
> > > describe this case. In particular, this is a valid case where ignoring
> the
> > > SHOULD is fine, in my opinion.
> > >
> > > If the draft required that servers MUST NOT send more tickets than
> what's
> > > requested, then yes, I think these details would be important.
> >
> > huh? I see the following in the draft-02:
> >
> >    Servers MUST NOT
> >    send more than 255 tickets to clients.
>
> I was referring to the "SHOULD NOT send more than
> TicketRequestContents.count NewSessionTicket messages" blurb. Indeed, the
> MUST NOT above should also be a SHOULD NOT. Thanks for your patience in
> working through the kinks!
>
> >
> >
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
> > Attachments:
> > * signature.asc
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>