IETF Logo Mail Archive

Re: [TLS] ALPN with 0-RTT Data

David Benjamin <davidben@chromium.org> Wed, 12 October 2016 21:29 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AA6812970E for <tls@ietfa.amsl.com>; Wed, 12 Oct 2016 14:29:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.006
X-Spam-Level:
X-Spam-Status: No, score=-3.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h3xds8qgVpzS for <tls@ietfa.amsl.com>; Wed, 12 Oct 2016 14:29:20 -0700 (PDT)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A3971296B8 for <tls@ietf.org>; Wed, 12 Oct 2016 14:29:20 -0700 (PDT)
Received: by mail-io0-x229.google.com with SMTP id i202so64392931ioi.2 for <tls@ietf.org>; Wed, 12 Oct 2016 14:29:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xBNuKZi2pEa+GrbtwM8QajHZK2jHRj2SPFKou3k9v7k=; b=KdS8yI3uUlJCZ/7gQpqlUM2W0YyGkLH/zwcf1njjNnPX7BQ56O0ObGI7hfrLvLjLJF Te7RUUrqPg0Q90vHjrTzKR2Xzo4IXZXVL0ag1pCmmvgdBfMhm9uk3FmQUWpaNAvCnsQG QimTQ/gurdGmYmWYU5igXdz9fYj519eGlaHiQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xBNuKZi2pEa+GrbtwM8QajHZK2jHRj2SPFKou3k9v7k=; b=aMMfwzdeT7r5iX0PCnL2wVudBkLRrPlowC5TsQVHTcvtq9122ZyBa3RrRoNIvaJ7Is boizNpIJaYMutQFdNzTsLJDvW0bktD/64dJstjHZrkldX+dSI4rhFQbsk3p7UY4nS4dS rOndmUGVFlKuJpWEoiKFa/lIY/VDoMBV50yny/udD9ZXhkm0jHDQ3NoTv53aqkNszUnS 6tUU4IpSzceLD+m9DISgmpkDQFZVqWZFoqvgU2DoUqrYS6D6JS+e54mfXhQI6oBLbbXR 3s0wuZeqhVS8TsBs2+D5JGzpIEYVfO1tA8H1zAD2wTDx//qTjFXYIL1fFM3Dmq9i/ryk C39w==
X-Gm-Message-State: AA6/9RnifC2uA6oCmRDmS5rzC+FbaR3cY7SwTvGirLTwJ0/HtsQklFd39V/U6xV8P4n3Kuih+1xskLwe7HK8nZ7o
X-Received: by 10.107.144.138 with SMTP id s132mr3499005iod.146.1476307759442; Wed, 12 Oct 2016 14:29:19 -0700 (PDT)
MIME-Version: 1.0
References: <MWHPR15MB118283AEF96DAD58FD3F6FF3AFDD0@MWHPR15MB1182.namprd15.prod.outlook.com> <CAF8qwaAj=Dzs+DBoTVkFTCLz07HhtgmGp7YjsmzZx6BBSU+Zmw@mail.gmail.com> <CABcZeBPaMMv23W9sqggcnhQKEy9QAYPDpgUH-naji_fVTHZ=+g@mail.gmail.com> <MWHPR15MB1182EB64501B697B7B4E3D4FAFDD0@MWHPR15MB1182.namprd15.prod.outlook.com>
In-Reply-To: <MWHPR15MB1182EB64501B697B7B4E3D4FAFDD0@MWHPR15MB1182.namprd15.prod.outlook.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 12 Oct 2016 21:29:07 +0000
Message-ID: <CAF8qwaB3cfavjgHt0LDSe6jL-A2yFXza-kj5WdetWYmoDdnhOg@mail.gmail.com>
To: Kyle Nekritz <knekritz@fb.com>, Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="94eb2c0557d895478c053eb1af0b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9frVf-ob8rTOqmtn2zIC4YQ4_GQ>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ALPN with 0-RTT Data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2016 21:29:23 -0000

On Wed, Oct 12, 2016 at 5:07 PM Kyle Nekritz <knekritz@fb.com> wrote:

>
> Reordering the ALPN offer has a couple advantages:
>
> * It explicitly defines the protocol that the 0-RTT data is using on that
> connection. Without this, both the client and the server must independently
> store the ALPN in use
> (of course the server can put it in the ticket). While this should work if
> implemented properly, there is nothing in the protocol that enforces they
> match before the server accepts the data. If the client ALPN offer does
> happen to change, it’s even possible
> for the selected ALPN to be one that the client didn’t even offer.
>

The client shouldn't offer 0-RTT on a session which predicts an ALPN that
it doesn't accept. This is consistent with the client not wanting to offer
session that uses a cipher it doesn't support. That is illegal already.

(Note clients already must have code for checking if an ALPN is acceptable
because that's what happens when a server responds. The nice thing about
the session-remembering algorithm is it involves no new codepaths apart
from a simple equality check. Clients offer parameters and confirm
acceptability of a single one, servers select given an offer.)


> * If the client knows out-of-band (or learns over the application
> protocol) that the server supports multiple protocols, it will not be able
> to use its current connection to
> start up a 0-RTT connection over the new protocol.
>

Why wouldn't it have negotiated that protocol over ALPN originally? One
should not need 0-RTT to unlock ALPN protocols.


> * I think realistically for many clients the protocol used to send 0-RTT
> data will end up being the only protocol that can be used on that
> connection, even if 0-RTT is rejected.
> Rejected 0-RTT data can’t be resent 1-RTT if a different application
> protocol is used, and it’s difficult API-wise to tell the higher layer
> “Your http/2 early data failed, but you can send http/1.1 requests if you
> want”. Thus it makes sense for these clients
> to advertise the 0-RTT data’s application protocol as the most preferred.
>

ALPN protocol switching (or any other connection property) on 0-RTT rejects
is always something a client must account for. I think your proposal has
the same problem. Perhaps the server had to turn h2 off for some reason.
You cannot assume the server's configuration remains unchanged. It is an
excellent prediction, but it is only a prediction.

A 0-RTT reject for a client ultimately must look like a retry. Everything
you ever wrote on the socket was discarded. It also must be bubbled up
sufficiently high that all connection properties are allowed to change.
This is pretty much fundamental to the whole idea of predicting
server-selected parameters. (If TLS were server-offer/client-select like
QUIC it would be a bit more obvious what's going on, but it's still the
same deal.)

For instance, here's an implementation strategy for socket-pooling clients
(i.e. browsers): you tell the HTTP layer to try again completely from the
top, meanwhile taking the socket and returning it to the socket pool as a
1-RTT-capable socket. The retry will grab that socket and use it. (Or maybe
some other request else will. That sounds weird, but it's no different from
what socket pools already do. A 0-RTT reject means the socket is reset.)


> I’m not sure how this makes protocol transitions awkward. I’d still expect
> clients to choose the application protocol that was previously negotiated,
> so preferring h3 wouldn’t
> cause all h2 0-RTT to go away.
>

They either go away or you pin on h2 when you should have gone to h3.
Suppose I prefer h3 > h2 and I talk to an h2 server. Per your proposal, if
I attempt to 0-RTT with that session, my choices are:

1. Keep my order h3 > h2. That means 0-RTT is conditioned on the server
picking h3 and I cannot 0-RTT.
2. Swap the order h2 > h3. That means 0-RTT works, but if the server then
gets upgraded to support h3, my order is false and the server continues to
pick h2. Since the server is going to continually issue me new tickets,
I'll never get the order switched back unless I go long periods without
talking to it.

With the session-remembering interpretation, once the server's preferences
change, you 0-RTT miss once. (Because your prediction is wrong... that's
unavoidable. The server's configuration changed.) But after that, all your
new tickets are at h3 and the steady state is 0-RTT-capable again.

David


>
>
> Kyle
>
>
>
> *From:* Eric Rescorla [mailto:ekr@rtfm.com]
>
>
> *Sent:* Wednesday, October 12, 2016 4:03 PM
>
> *To:* David Benjamin <davidben@chromium.org>
>
> *Cc:* Kyle Nekritz <knekritz@fb.com>; tls@ietf.org
>
> *Subject:* Re: [TLS] ALPN with 0-RTT Data
>
>
>
>
>
>
>
>
>
>
> On Wed, Oct 12, 2016 at 1:01 PM, David Benjamin <davidben@chromium.org>
> wrote:
>
>
>
>
>
> My interpretation was:
>
>
>
>
>
>
>
> 1. Client and server remember the previous selected ALPN protocol in the
> session.
>
>
>
>
>
>
>
> 2. The client may offer whatever ALPN protocols it likes. It does not need
> to match the previous offer list, though it presumably will unless you've
> got a persistent session cache or so.
>
>
>
>
>
>
>
> 3. The client assumes that session's ALPN protocol was selected for
> purposes of minting 0-RTT data.
>
>
>
>
>
>
>
> 4. The server must decline 0-RTT if it choses a different ALPN protocol.
> This can be implemented by just doing ALPN negotiation as normal and
> declining 0-RTT if the result does not match. (If client and server prefs
> have not changed, 0-RTT
> will work. If prefs have changed, 0-RTT will miss but future sessions will
> start being 0-RTT-able. I think this is probably the sanest behavior.)
>
>
>
>
>
>
>
> 5. The client performs the usual checks on the selected ALPN protocol
> (must be one of the advertised ones). In addition, it enforces that, if
> 0-RTT was accepted, the protocol must match the session one.
>
>
>
>
>
>
>
>
>
>
>
>
> This matches the behavior I intended in the spec (and the one NSS
> implements).
>
>
>
>
>
>
>
> -Ekr
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Pinning on the most preferred one causes awkward transitions when the most
> preferred ALPN protocol is not the same as the most commonly deployed one.
> If we ever define, say, h3, we want that one in front of h2 presumably, but
> we wouldn't
> want to lose 0-RTT against all the h2 servers out there.
>
>
>
>
>
>
>
> I don't think we should be reorder preferences based on the sessions we
> are offering. That makes it much harder to reason about the behavior of
> preference lists.
>
>
>
>
>
>
>
>
>
>
>
>
>
> David
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Wed, Oct 12, 2016 at 3:49 PM Kyle Nekritz <knekritz@fb.com> wrote:
>
>
>
> Currently the draft specifies that the ALPN must be "the same" as in the
> connection that established the PSK used with 0-RTT, and that the server
> must check that the selected ALPN matches what was previously
> used. I find this unclear if
>
>
>
> 1) the client should select and offer one (and only one) application
> protocol
>
>
>
> 2) the client can offer multiple protocols, but use the most preferred one
> offered for 0-RTT data
>
>
>
> 3) the client must send the exact same ALPN extension as in the previous
> connection, but must use the ALPN previously selected by the server (even
> if it was not the client's first offer).
>
>
>
>
>
>
>
> To clarify this we can instead
>
>
>
> * allow the client to offer whatever ALPN extension it wants
>
>
>
> * define that the 0-RTT data uses the client's most preferred application
> protocol offer (and the server must pick this ALPN if it accepts 0-RTT),
> similar to using the first PSK offer if multiple are offered
>
>
>
> * recommend that the client uses the same application protocol that was
> used on the previous connection.
>
>
>
>
>
>
>
> PR: https://github.com/tlswg/tls13-spec/pull/681
>
>
>
>
>
>
>
> Kyle
>
>
>
>
>
>
>
> _______________________________________________
>
>
>
> TLS mailing list
>
>
>
> TLS@ietf.org
>
>
>
> https://www.ietf.org/mailman/listinfo/tls
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DQMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=l2j4BjkO0Lc3u4CH2z7jPw&m=diBVKMBm_GJBrqBsilZWP0aN5KD9xwvXSCIDOE5-LAA&s=FuSqdY1S96Vtry63oUY7VG4b-5JRJgZYv33IoBPkAhM&e=>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
>
> TLS mailing list
>
> TLS@ietf.org
>
> https://www.ietf.org/mailman/listinfo/tls
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DQMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=l2j4BjkO0Lc3u4CH2z7jPw&m=diBVKMBm_GJBrqBsilZWP0aN5KD9xwvXSCIDOE5-LAA&s=FuSqdY1S96Vtry63oUY7VG4b-5JRJgZYv33IoBPkAhM&e=>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email