IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Simon Bernard <contact@simonbernard.eu> Wed, 18 October 2017 16:39 UTC

Return-Path: <contact@simonbernard.eu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2A6413234B for <tls@ietfa.amsl.com>; Wed, 18 Oct 2017 09:39:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JpbFH111ZZEw for <tls@ietfa.amsl.com>; Wed, 18 Oct 2017 09:39:56 -0700 (PDT)
Received: from 10.mo6.mail-out.ovh.net (10.mo6.mail-out.ovh.net [87.98.157.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F5B8132C2A for <tls@ietf.org>; Wed, 18 Oct 2017 09:39:55 -0700 (PDT)
Received: from player761.ha.ovh.net (b9.ovh.net [213.186.33.59]) by mo6.mail-out.ovh.net (Postfix) with ESMTP id 9D15E118C71 for <tls@ietf.org>; Wed, 18 Oct 2017 18:39:53 +0200 (CEST)
Received: from [10.41.51.212] (130.163-14-84.ripe.coltfrance.com [84.14.163.130]) (Authenticated sender: contact@simonbernard.eu) by player761.ha.ovh.net (Postfix) with ESMTPSA id 4F70248009C; Wed, 18 Oct 2017 18:39:51 +0200 (CEST)
To: Martin Thomson <martin.thomson@gmail.com>, "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com> <CABkgnnXT7nv9aNQh12deeitF1CurENpxgUicn9GHjMbojcEvJg@mail.gmail.com> <D0524862-083C-4576-98B8-6D8A4825D458@nokia.com> <CABkgnnW4d=H5RZ0E+Hwo4jQptDpshVVuFtD-xQudJzxLXyReAQ@mail.gmail.com>
From: Simon Bernard <contact@simonbernard.eu>
Message-ID: <9a6cbdb6-2064-b7f9-d5bf-8416e06e595a@simonbernard.eu>
Date: Wed, 18 Oct 2017 18:39:44 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <CABkgnnW4d=H5RZ0E+Hwo4jQptDpshVVuFtD-xQudJzxLXyReAQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Ovh-Tracer-Id: 9500624892612262129
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: -100
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedttddrudeigddutdejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddm
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6s59hJV9G_ZZvfL6goWh0B8tM6M>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Oct 2017 16:39:59 -0000

This makes me think about if this is feasible/desirable to use 
connection id to do load balancing.

I think about use cases where you have a cluster of server behind only 
one IP address. Often traffic will be load balanced by IP.
But with UDP and Nat environment, the IP can change.

Thx to CID, if client is redirected to the same server in the cluster, 
even if its IP has changed it will be able to communicate without new 
handshake.
But if its IP has changed there is little chance than load balancer will 
balance it on the same server and so new handshake is needed. (unless 
server share their connection state)

Any thought about that ?


Le 17/10/2017 à 23:35, Martin Thomson a écrit :
> On Tue, Oct 17, 2017 at 9:26 PM, Fossati, Thomas (Nokia -
> GB/Cambridge, UK) <thomas.fossati@nokia.com> wrote:
>> The following case (NAT box reboot) is problematic:
>>
>> 1. Application '1' on host A (A.1) uses DTLS+CID with application '1' on
>>     host B (B.1);
>> 2. Application '2' on host A (A.2) uses plain-old DTLS with B.1;
>> 3. The NAT box reboots (all previous 5-tuple mappings are lost);
>> 4. B.1 receives a record from A.1 (whose 5-tuple has changed in the
>>     meanwhile);
>>
>> How is B.1 supposed to correctly interpret the bytes starting at offset
>> +11?  (For what it knows, it could be CID from A.1 or the length field
>> from A.2.)
> I don't think that this is a problem.
>
> connection = five_tuples.lookup(packet.five_tuple)
> if (!connection) {
>    connection = connection_ids.lookup(packet[connection_id_offset:connection_id_offset+connection_id_length])
> }
> if (!connection) {
>    // is this a ClientHello?  otherwise drop it
> }
>
> Of course this doesn't help you with A.2, but that's why this draft exists.
>
> If the server can insist on connection IDs from all clients (in the
> far future perhaps, or for an entirely new protocol), then the code is
> more simply:
>
> connection = connection_ids.lookup(packet[connection_id_offset:connection_id_offset+connection_id_length])
> if (!connection) {
>    // is this a ClientHello?  otherwise drop it
> }
>
>> I might be missing something fundamental here, but isn't the length
>> encoded in the CID field on the wire?
> Not by my understanding.  There isn't any need (the intent is to have
> the CID only consumable by the entity that created it, and any others
> that it collaborates with, like a load balancer).
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email