Re: [TLS] Keeping TLS extension points working

Wan-Teh Chang <wtc@google.com> Wed, 27 July 2016 16:50 UTC

Return-Path: <wtc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C693412B04E for <tls@ietfa.amsl.com>; Wed, 27 Jul 2016 09:50:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.988
X-Spam-Level:
X-Spam-Status: No, score=-3.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZyvAlnAMxG1 for <tls@ietfa.amsl.com>; Wed, 27 Jul 2016 09:50:23 -0700 (PDT)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 360BB12B03D for <tls@ietf.org>; Wed, 27 Jul 2016 09:50:23 -0700 (PDT)
Received: by mail-yw0-x22e.google.com with SMTP id u134so62546633ywg.3 for <tls@ietf.org>; Wed, 27 Jul 2016 09:50:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=M00ZlNKi7qYwRSdZzudkVKviOSthbc2WNeZxCYyrOfw=; b=GtPCitqj+X2a7Xtcko1oJrXplnxy0wzg19+4lWxJ3wXhJWjyfg65y9eV1Qm8TORfv6 Q4Xu5nVg33TKCizCrcb3FNnNeqzEjg8u4JTlx79weWTO/+rhmAq+B8BDmUWsUyZHYpVW q5ArJ2PHjy24KWJpZGad/gDhKXAc+rlXtTu4UNbNaeI7512JSmPVcmpgIBgXSVksjbRE uQam0ufzKUdink0HEMumjSurDNLdRbALG7ouxbmIDrFRXwuK9+XXV1OtfibQZnxjuuFh 35A82GooLRm4UsiG/6xCE7ohQigtw0v97X3d0Y/9l+a4Jb4wwvuLUPvsQmhfOX3fvq51 WWBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=M00ZlNKi7qYwRSdZzudkVKviOSthbc2WNeZxCYyrOfw=; b=HZRucA67X2sInJ7TDoU7fMm0E0Ru0ikgvTZNAWC8uTlbvTlPTzgZ5BE0JjMfe+SkTB JzVx1qCJfNIsH+BvEERsxqZakB77R6oiWSAK8RNuEOw8w460gIlE+E4IvYCtO4nN6DHO XJdr2HpHA9A30mXAUpFfzayWNYolWB/QGIDzpdUkzTQnWU+1gtJn64zTU4MyndM0K36g E0LhimcjS2CiwADw40TXA0orjv+DWWzkUdukwapFpBf3fsvh+dMUmUX568sJTp9+eErL u6a4YmT5DgVKG9vD9ynEGifQmN2yulCBdsXdHRdS4pZOq2fvyawh6I/fVAdrz9njcTjA TEnQ==
X-Gm-Message-State: AEkooutdVAEu/+JbhxgIv/J0QDklxoEDAvjGl8R+v40q9LnM+kBtTgPWoNVxjKMU7Xarth34SpkLxGMLxPwX13pz
X-Received: by 10.129.93.197 with SMTP id r188mr26551110ywb.286.1469638222374; Wed, 27 Jul 2016 09:50:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.219.78 with HTTP; Wed, 27 Jul 2016 09:50:18 -0700 (PDT)
In-Reply-To: <CAF8qwaARvrFKhBUi10rEEUWpito3n4OWXuK5JH0ZO4gU6rzK5w@mail.gmail.com>
References: <CAF8qwaCaW2Q+z_JoDqzQZaGCWJ2aqUiyK8_J8_CO4Ck_cqtaSA@mail.gmail.com> <0B0C11B8-CC4A-46C4-A134-881A41005502@sn3rd.com> <CAF8qwaARvrFKhBUi10rEEUWpito3n4OWXuK5JH0ZO4gU6rzK5w@mail.gmail.com>
From: Wan-Teh Chang <wtc@google.com>
Date: Wed, 27 Jul 2016 09:50:18 -0700
Message-ID: <CALTJjxHukROs-mrMUCmX1GjmfNAHhcmcVbykJnQ7UPDDiZHUJg@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6WURkZrVHAjFpGfex5Zx1MkaWwA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Keeping TLS extension points working
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 16:50:24 -0000

On Mon, Jul 25, 2016 at 3:32 PM, David Benjamin <davidben@chromium.org> wrote:
> Hi folks,
>
> I'm not sure how this process usually works, but I would like to reserve a
> bunch of values in the TLS registries to as part of an idea to keep our
> extension points working. Here's an I-D:
> https://tools.ietf.org/html/draft-davidben-tls-grease-00
>
> (The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy
> from https://www.imperialviolet.org/2016/05/16/agility.html )
>
> One problem we repeatedly run into is servers failing to implement TLS's
> various extension points correctly. The most obvious being version
> intolerance. When we deployed X25519 in Chrome, we discovered an intolerant
> implementation. (Thankfully it was rare enough to not warrant a fallback or
> revert!) It appears that signature algorithms maybe also be gathering rust.
> Ciphers and extensions seem to have held up, but I would like to ensure they
> stay that way.
>
> The root problem here is these broken servers interoperate fine with clients
> at the time they are deployed. It is only after new values get defined do we
> notice, by which time it is too late.
>
> I would like to fix this by reserving a few values in our registries so that
> clients may advertise random ones and regularly exercise these codepaths in
> servers. If enough of the client base does this, we can turn a large class
> of tomorrow's interop failures into today's interop failures. This is
> important because an bug will not thrive in the ecosystem if it does not
> work against the current deployment.

Hi David,

In general I like your idea. Thank you for writing up a proposal.

Another source of interop failures is the firewall devices that do
anomaly detection. Some of them will abort TLS handshakes if they see
unknown TLS protocol versions or extensions in ClientHello. (They all
seem to allow unknown cipher suite values.) I suspect they will treat
the GREASE cipher suite, extension, and named group values as "normal"
and continue to abort the handshake if they see truly new values. I
can only hope that these network security devices are updated
regularly.

Wan-Teh Chang