Re: [TLS] Impact of draft-ietf-mptcp-api on TLS
Peter Saint-Andre <stpeter@stpeter.im> Wed, 28 November 2012 21:41 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3A2021F8593 for <tls@ietfa.amsl.com>; Wed, 28 Nov 2012 13:41:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.498
X-Spam-Level:
X-Spam-Status: No, score=-102.498 tagged_above=-999 required=5 tests=[AWL=0.099, BAYES_00=-2.599, NORMAL_HTTP_TO_IP=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXX5KoONp6w2 for <tls@ietfa.amsl.com>; Wed, 28 Nov 2012 13:41:09 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 170CD21F8575 for <tls@ietf.org>; Wed, 28 Nov 2012 13:41:09 -0800 (PST)
Received: from [10.129.24.67] (unknown [128.107.239.234]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 2D4CD40062; Wed, 28 Nov 2012 14:46:06 -0700 (MST)
Message-ID: <50B684F6.4050004@stpeter.im>
Date: Wed, 28 Nov 2012 14:41:10 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Geoffrey Keating <geoffk@geoffk.org>
References: <20121128153650.7A2971A3BD@ld9781.wdf.sap.corp> <50B6333C.50606@cs.tcd.ie> <m2624ptshs.fsf@localhost.localdomain>
In-Reply-To: <m2624ptshs.fsf@localhost.localdomain>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Florian Weimer <fweimer@redhat.com>, tls@ietf.org
Subject: Re: [TLS] Impact of draft-ietf-mptcp-api on TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2012 21:41:10 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/28/12 12:52 PM, Geoffrey Keating wrote: > Stephen Farrell <stephen.farrell@cs.tcd.ie> writes: > >> Hi Martin, >> >> We're trying to figure out if the mptcp API document needs to say >> anything about tls, and if so, what. And I'd like to do that so >> mptcp doesn't have to fall back to just tcp for all cases where >> you need tls, if that's ok, so that mptcp has a chance to get >> used. (I figure its hard enough being a new transport these days, >> but being a new transport that is useless under TLS seems like a >> bit of a killer.) > >> On 11/28/2012 03:36 PM, Martin Rex wrote: >>> The IP-address that the socket shows after connection >>> establishment is completely irrelevant to the security of TLS, >>> even when Server-Certificates with IP-Addresses in the >>> SubjectAltName are used for server endpoint identification >>> according to rfc2818 section 3.1. >> >> Well, 2818 is just http/tls/tcp and the context here is >> anything/tls/mptcp so I'm not sure that solves the problem of >> what to say. >> >> I think its true that there's no security issue, but there might >> be an interop issue, if different folks implement tls/mptcp >> differently. If the tls code just uses the normal socket api then >> there's nothing to say, but it won't get the benefit of mptcp. If >> the tls code uses the basic api then it can see which subflows >> are being used and different folks might do different comparisons >> to the certs used. > > Maybe a related example will help: suppose the user is trying to > connect to https://198.51.100.3. There is an HTTP proxy > configured, so what the browser actually does is make a TCP > connection to 192.0.2.99, send 'CONNECT https://198.51.100.3', and > then start the SSL negotiation. The certificate still has to > mention 198.51.100.3, and doesn't have to mention 192.0.2.99. > > So, in MPTCP, if the user asks for mphttps://198.51.100.3 (or > whatever), then 198.51.100.3 is the address that has to appear in > the certificate, even if the connection is redirected to some > other endpoint, even if the redirection happens before any data is > actually sent on the connection. This is basically the "CertID" problem (RFC 6125). When Jeff Hodges and I worked on that spec, we deliberately left IP addresses out of scope, but if someone wants to work on a similar (though much simpler) document about IP addresses instead of domain names, I'm sure they could find quite a bit of text to borrow. Peter - -- Peter Saint-Andre https://stpeter.im/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlC2hPYACgkQNL8k5A2w/vxh+QCgozvyk8K6K1z6lHEz8hafzTGL CEYAoL6fF0tgUeP3oohDbXmLRafdTEqj =iJ0P -----END PGP SIGNATURE-----
- [TLS] Impact of draft-ietf-mptcp-api on TLS Sean Turner
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Sean Turner
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Martin Rex
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Geoffrey Keating
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Peter Saint-Andre
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Martin Rex
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Geoffrey Keating
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer