IETF Logo Mail Archive

Re: [TLS] RFC 6066 - Max fragment length negotiation

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 17 March 2017 15:02 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B585E128B4E for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 08:02:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.896
X-Spam-Level:
X-Spam-Status: No, score=-4.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.796, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsjXzyVbLtf4 for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 08:02:02 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70A87129450 for <tls@ietf.org>; Fri, 17 Mar 2017 08:02:02 -0700 (PDT)
Received: from [192.168.91.179] ([80.92.121.218]) by mail.gmx.com (mrgmx003 [212.227.17.190]) with ESMTPSA (Nemesis) id 0MJBRC-1cm8EH1qoc-002o9b; Fri, 17 Mar 2017 16:01:51 +0100
To: Martin Thomson <martin.thomson@gmail.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <CAD8WAomJLs4hdaso9hT036=UORjT9=H5-oCHbdSofuv++n3rYg@mail.gmail.com> <1489706298995.98317@cs.auckland.ac.nz> <855C5079-FDA7-4E68-AE29-1E9605B495D7@broadcom.com> <1489707933992.42551@cs.auckland.ac.nz> <CABkgnnVRZBwXHZ6w=gX9pykNpXp80OLP1pe-VMg-uO-C6O8yEQ@mail.gmail.com> <1489710142144.88978@cs.auckland.ac.nz> <CABkgnnXiB5ksGbbPqDP3D=FVdQu9ht0vD8-T-5HTaEKQQE4+9w@mail.gmail.com> <1489721710740.52293@cs.auckland.ac.nz> <CABkgnnWq_5e8TJgJV+okqi6vo-_5=811pOZRtUCp0TD07SmNoQ@mail.gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <dee1bf8d-788e-2869-88b3-75a37a51bff2@gmx.net>
Date: Fri, 17 Mar 2017 16:01:47 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CABkgnnWq_5e8TJgJV+okqi6vo-_5=811pOZRtUCp0TD07SmNoQ@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="2SF424mBQnOQ67g34CWvFPSADoQxlkXNu"
X-Provags-ID: V03:K0:FB7oc507j1RsmA6mjJQgw3245l5R3dy16iQBFG4C3652wuUmbWZ eWhab20UxHOYWYS9pMBrsTIpqgI6j6UE3j2p09Ik28ivzVkTNQHEkW80ixFvT1m001l6bnK AwQ2ow/lTXoYz5/XkrH35Tn3mNs2JLnesLgxRLFbI1Hpi8D3/2kCiKS2+kMbxQjCY9QLSDV ih3vrCWRajq9agAniqc3A==
X-UI-Out-Filterresults: notjunk:1;V01:K0:oBqfa9kFmZk=:P8UyoG9Ch7J9xebjy65ROz mASwtF6EqBMz+5rBblMXSwjTvXuHnN23iZXBlq/xenrpZ0GY5sgS4SSwWA7gez8hCr1DPkp1o livD3COh5nE5Tvn5XJczOP0QVn0Accy45tJ8tP7sMysOwcG6IWSJwERN0+rWlImfGThCIzHSi kwLpxW9uZ2oCPelMGucob1nZ7Hgvd35Z4+hEM30PCRQamPka4UEjf1V+rR8fi+mmWUObIPd0H AMZB+HO5L/C8IAvDpTpz0PE+hXWHQk0aVaxDCb1GlQOAWc0ejqaYdY5S11FSy17SzHKfWsnWz DyagmmKJsSac8aKpyb0Nt12Wk+B4/i5UITgPecuOsEjkXcyhwRKnsK+O/lEgLJDiS8+ZjBrqh 99NW4o7v9iWJWc1kjDb37iimwgj1/F6vlnDK2SB5jybiHId/LBCVAfb9dvJwyNNrVDkVx+gQ4 13KKxDGwEdRIopqC9PV2u/UmgHwytJA+VbMsJBDQTJDoZOwNskUDmPDItUdeHaPHlCcpiRYwk 8pJAqoRjhpD2duSQN2Sd07rzKFZHuSWtTGK8mQSN9Fe02NBTIAkWTt8l+HUsdAZlTm0CMnGec FwfcC5A1u7olrdigRan74pYQy+NXY3z6+fWKUvmvMePToeKWDa0jKgE9S27QdprPJdnlqte+6 1n9uvC4w3YyOIOI9sG8H3eCMya2SOsRrDFDdnQis2yjBh8AiBve2A1GLcFeFBOyGqtL0fyGve qp4ErmHt5xnH593a1/x8S4b16WxX4MqjqUPRIAipRF5axkabyiT5m2hk5S8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5sjzLeZaMHBbTfKn2FD34da0S2w>
Subject: Re: [TLS] RFC 6066 - Max fragment length negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 15:02:06 -0000

Here are my 5 cents: we implement this extension in our mbed TLS stack
and we consider it quite important for IoT devices that have limited
amount of RAM. The DTLS/TLS profiles for IoT RFC also recommends the use
of this extension and we discussed this in the DICE WG and there was no
objection against the recommendation.

We had also suggested to extend this functionality to make it symmetric
(i.e., both the client and the server can indicate that they are facing
memory restrictions). Currently, only the TLS client can indicate his
restrictions with the max fragment length extension.

We do, however, understand that this is not an extension that is very
useful for generic Internet devices since they are typically not
suffering from the same constraints.

Ciao
Hannes

On 03/17/2017 04:49 AM, Martin Thomson wrote:
> On 17 March 2017 at 14:35, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>> Why is it badly designed?  I can guess that some people would prefer to have a
>> mechanism for client and server to debate endlessly what the most cromulent
>> fragment size is, but that's about the only thing I can see.
> 
> I looked at implementing this for NSS with the idea that I would try
> to be nice to embedded servers (because web servers are constrained
> devices too).
> 
> I can't send a max_fragment_length extension that says I support
> records of 2^14 octets in length.  Because I don't care and full-sized
> fragments are valuable to me in some cases, but if a server is
> constrained, it would be no trouble to send it smaller records.
> 
> And I can't fix that.  If I send a max_fragment_length extension with
> a value other than the four values defined in RFC 6066, all I get for
> my troubles is an "illegal_parameter" alert from any server that
> implements the RFC correctly.
> 
> The design I would use is much simpler.  The extension would carry a
> two octet value that is the maximum size of the plaintext that the
> endpoint is willing to receive.  A client could say 2^14 and that
> would allow the server to send that much if it were able.  The same
> server could say 5 and the client would be forced to fragment like
> crazy (ok, that last might be too far, we'd probably want to set a
> lower bound on the value).
> 
> I'd happily implement and advertise that extension.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email