[TLS] Maximum Fragment Length negotiation
Thomas Pornin <pornin@bolet.org> Thu, 24 November 2016 19:50 UTC
Return-Path: <pornin@bolet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84D5A129C15 for <tls@ietfa.amsl.com>; Thu, 24 Nov 2016 11:50:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.399
X-Spam-Level:
X-Spam-Status: No, score=-3.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.497, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h6DrA7hYygpn for <tls@ietfa.amsl.com>; Thu, 24 Nov 2016 11:50:34 -0800 (PST)
Received: from brontes.bolet.org (brontes.bolet.org [62.210.214.227]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 063CC129C12 for <tls@ietf.org>; Thu, 24 Nov 2016 11:50:33 -0800 (PST)
Received: by brontes.bolet.org (Postfix, from userid 1000) id 638552082E; Thu, 24 Nov 2016 20:50:02 +0100 (CET)
Date: Thu, 24 Nov 2016 20:50:02 +0100
From: Thomas Pornin <pornin@bolet.org>
To: tls@ietf.org
Message-ID: <20161124195002.GA32346@bolet.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/96dl5nOM9B5TIn6XAfPH_0h0umA>
Subject: [TLS] Maximum Fragment Length negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2016 19:50:36 -0000
Hello, I know that I am a bit late to the party, but I have a suggestion for the upcoming TLS 1.3. Context: I am interested in TLS support in constrained architectures, specifically those which have very little RAM. I recently published a first version of an implementation of TLS 1.0 to 1.2, that primarily targets that kind of system ( https://www.bearssl.org/ ); a fully functional TLS server can then run in as little as 25 kB of RAM (and even less of ROM, for the code itself). Out of these 25 kB, 16 kB are used for the buffer for incoming records, because encrypted records cannot be processed until fully received (data could be obtained from a partial record, but we must wait for the MAC before actually acting on the data) and TLS specifies that records can have up to 16384 bytes of plaintext. Thus, about 2/3 of the RAM usage is directly related to that maximum fragment length. There is a defined extension (in RFC 6066) that allows a client to negotiate a smaller maximum fragment length. That extension is simple to implement, but it has two problems that prevent it from being really usable: 1. It is optional, so any implementation is free not to implement it, and in practice many do not (e.g. last time I checked, OpenSSL did not support it). 2. It is one-sided: the client may asked for a smaller fragment, but the server has no choice but to accept the value sent by the client. In situations where the constrained system is the server, the extension is not useful (e.g. the embedded system runs a minimal HTTPS server, for a Web-based configuration interface; the client is a Web browser and won't ask for a smaller maximum fragment length). I suggest to fix these issues in TLS 1.3. My proposal is the following: - Make Max Fragment Length extension support mandatory (right now, draft 18 makes it "recommended" only). - Extend the extension semantics **when used in TLS 1.3** in the following ways: * When an implementation supports a given maximum fragment length, it MUST also support all smaller lengths (in the list of lengths indicated in the extension: 512, 1024, 2048, 4096 and 16384). * When the server receives the extension for maximum length N, it may respond with the extension with any length N' <= N (in the list above). * If the client does not send the extension, then this is equivalent to sending it with a maximum length of 16384 bytes (so the server may still send the extension, even if the client did not). Semantics for the extension in TLS 1.2 and previous is unchanged. With these changes, RAM-constrained clients and servers can negotiate a maximum length for record plaintext that they both support, and such an implementation can use a small record buffer with the guarantee that all TLS-1.3-aware peers will refrain from sending larger records. With, for instance, a 2048-byte buffer, per-record overhead is still small (about 1%), and overall RAM usage is halved, which is far from negligible. RAM-constrained full TLS 1.3 is likely to be challenging (I envision issues with, for instance, cookies, since they can be up to 64 kB in length), but a guaranteed flexible negotiation for maximum fragment length would be a step in the right direction. Any comments / suggestions ? Thanks, --Thomas Pornin
- [TLS] Maximum Fragment Length negotiation Thomas Pornin
- Re: [TLS] Maximum Fragment Length negotiation Fossati, Thomas (Nokia - GB)
- Re: [TLS] Maximum Fragment Length negotiation Hannes Tschofenig
- Re: [TLS] Maximum Fragment Length negotiation Michael Tuexen
- Re: [TLS] Maximum Fragment Length negotiation Thomas Pornin
- Re: [TLS] Maximum Fragment Length negotiation Martin Thomson
- Re: [TLS] Maximum Fragment Length negotiation Raja ashok
- Re: [TLS] Maximum Fragment Length negotiation Hubert Kario
- Re: [TLS] Maximum Fragment Length negotiation Martin Thomson
- Re: [TLS] Maximum Fragment Length negotiation Hubert Kario