Re: [TLS] Followup on Update
Eric Rescorla <ekr@rtfm.com> Thu, 05 March 2015 19:41 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5DA91A885F for <tls@ietfa.amsl.com>; Thu, 5 Mar 2015 11:41:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BmL8wMQ7mSQ7 for <tls@ietfa.amsl.com>; Thu, 5 Mar 2015 11:41:16 -0800 (PST)
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86EE61A873E for <tls@ietf.org>; Thu, 5 Mar 2015 11:41:09 -0800 (PST)
Received: by wibbs8 with SMTP id bs8so9699582wib.0 for <tls@ietf.org>; Thu, 05 Mar 2015 11:41:08 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=SDdSKDeFGFeexOgLwtcqQYY4JkExQ+tVf0DfCnSkqwQ=; b=NPBntq8kOYeX6ZdpvlJO/vKc3J1cg/jrWlrUm9GX9y8ks9AGHPxZ/ZH2J9loY5aS40 t7pi9B8LuPLsNbqMjbwHtzLplce9KIohKuafOiz9/NY54vo01w1gSaKqvl8BSIZduJuZ K+VLYvY81yXpUCh52t8g92KZTrBkNA0Kj1eW6CbhdRvJfOGMGUO66QEItdtGr9r5ca4f 7QFpSZ9ANPgVBCrbBRxIV6CuO3f7/hECK6qVKW+wXHtkFb3awL26ngnnFzf36FxZ1umn /iUqn6Z74xi+sgrzVPq8m0989MHkIbJsCc5k79IildxVpLxG9dakQhJZlnOzdWDAOkQ0 9PnQ==
X-Gm-Message-State: ALoCoQk8jCEObQ+DoH0Fd4SH74oWzld24LptA3GRLIM6TXA26Gmqy7Qb64SmP+lVeSHDXwbLp0or
X-Received: by 10.194.191.228 with SMTP id hb4mr22510724wjc.116.1425584468214; Thu, 05 Mar 2015 11:41:08 -0800 (PST)
MIME-Version: 1.0
Received: by 10.27.214.203 with HTTP; Thu, 5 Mar 2015 11:40:28 -0800 (PST)
In-Reply-To: <201502250009.08942.davemgarrett@gmail.com>
References: <CABcZeBNLe+ffTPVi=i5xHCPL=eEKfM++RhjAf05S_sRwaAB72A@mail.gmail.com> <201502242043.50128.davemgarrett@gmail.com> <CABcZeBPGBe_S=7vUv8DPOD-1DM73xAkFDG4bJmP2Twc+9Wj2=w@mail.gmail.com> <201502250009.08942.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 05 Mar 2015 11:40:28 -0800
Message-ID: <CABcZeBN8tCXNgSoLXw_WfisJTm+gJQpek-13_HCGoKsbA-0Vkg@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b8750bed36e6005108fbfd7"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/7eGqXjBmW2-X6U5w7VJIwOCJ1sk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Followup on Update
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 19:41:18 -0000
On Tue, Feb 24, 2015 at 9:09 PM, Dave Garrett <davemgarrett@gmail.com> wrote: > On Tuesday, February 24, 2015 09:00:46 pm Eric Rescorla wrote: > > On Tue, Feb 24, 2015 at 5:43 PM, Dave Garrett <davemgarrett@gmail.com> > > wrote: > > > > > On Tuesday, February 24, 2015 07:44:22 pm Eric Rescorla wrote: > > > > [0] See https://github.com/tlswg/tls13-spec/pull/94 for a WIP > > > > version of the basic mechanism. > > > > > > The current proposal says: > > > > > > "An implementation MAY send an UpdateRekey at any time after > > > the handshake completes." > > > > > > Is there a particular reason to not just have an automatic rekey at > > > semi-regular intervals? So, every N records or M minutes (or whichever > > > comes first) an endpoint must send a rekey, and then after a similarly > > > measured interval the other endpoint sends a rekey; repeat ad > infinitum. > > > > It's not entirely clear that we know how to design a good heuristic here, > > especially one that covers the entire range of possible algorithms. > > That's sort of my point; this proposal requires implementations to do so. > I'm saying that picking one in the spec would be preferable to leaving it > up to the whims of whatever the many combinations of implementations > end up deciding. Even if some use-case needs to add rekeys, starting > from a conservative heuristic in the spec would ensure implementations > are provided with at least a general expectation of how to use this. I'm going to argue that the frequency of update is a semi-orthogonal issue. I.e., if you think this mechanism works, then we can decide to put it in and have a separate discussion of minimum update frequency. Best, -Ekr > > As a minor nit, it's kind of a pain to say every M minutes because > > often TLS stacks are driven by the application and don't have internal > > timers, but you could of course say "first record after M minutes" > > which would (probably) be close enough. > > I'm not suggesting a precise heuristic here; just some semi-regular > interval > that would be more specific than "MAY ... at any time". With it left as > vague > as proposed, you could get deployments that never rekey or ones that > decide to rekey stupidly frequently. (DoS risk if not implemented > efficiently?) Picking any arbitrary interval would make things simpler and > ensure that this feature is used sufficiently. > > The simplest route is to just specify a number of records to rekey after. > > > > This would also ensure entropy for rekeying comes from both endpoints > > > equally over the course of the connection. > > > > Can you explain more about why that's an important consideration? > > It's just something that occurs to me with the current proposal. It allows > for one sided rekeys, whereas the handshake gets randomness in each > hello from each endpoint. It just strikes me as notably different to rely > on > just the one source of entropy here (plus previous). > > It's a "huh, interesting" thought not a "oh, that's horrible" thought. > > > > I would expect it would be better to not rely on implementations all > > > designing their own heuristics on when to send rekey updates, and also > > > would avoid multiple updates being sent at the same time by each > endpoint > > > (and the possible pitfalls of doing so) > > > > The algorithm in this document is intended to be safe in the case of both > > simultaneous > > and (I believe) pipelined updates. I'd be interested in knowing if it's > not. > > Yes, I don't think it's a spec risk. An implementation risk is possible, > though. > > It's a new feature that could end up with a new setting for an admin to > fiddle with that probably doesn't need to be highly variable to do the job. > Or put another way, it's a feature that I'm overthinking about the > possibility > of implementations overthinking how to use it. ;) > > > Dave >
- [TLS] Followup on Update Eric Rescorla
- Re: [TLS] Followup on Update Dave Garrett
- Re: [TLS] Followup on Update Eric Rescorla
- Re: [TLS] Followup on Update Martin Thomson
- Re: [TLS] Followup on Update Dave Garrett
- Re: [TLS] Followup on Update Ilari Liusvaara
- Re: [TLS] Followup on Update Watson Ladd
- Re: [TLS] Followup on Update Joseph Salowey
- Re: [TLS] Followup on Update Eric Rescorla
- Re: [TLS] Followup on Update Dave Garrett