Re: [TLS] Connection ID Draft
Eric Rescorla <ekr@rtfm.com> Thu, 26 October 2017 04:06 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD6B813AF04 for <tls@ietfa.amsl.com>; Wed, 25 Oct 2017 21:06:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hYSWjjbxAXVS for <tls@ietfa.amsl.com>; Wed, 25 Oct 2017 21:05:59 -0700 (PDT)
Received: from mail-yw0-x235.google.com (mail-yw0-x235.google.com [IPv6:2607:f8b0:4002:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0142C13AE0B for <tls@ietf.org>; Wed, 25 Oct 2017 21:05:59 -0700 (PDT)
Received: by mail-yw0-x235.google.com with SMTP id w2so1845409ywa.9 for <tls@ietf.org>; Wed, 25 Oct 2017 21:05:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=x4LGD+4S1ok/wgm9NMAMAKPJZ68w3y1nXdS+spksxs4=; b=sMDE9j6QH4IWNiRUOLS5AYEK33hZX9R5T//xcEEtw2KcNPMK2n6coqhpXCXtvHnKgi 1Az4XzOZ5EpgxZJHgwrK0a2J+BiRwcOSy4XbncH1eel1GVLCNx1oCp33jqmkWUxpbgY/ m0nKgQgKcN6Hx6TXXcPsqMwsXVXB8kpHXJtjybNLg5JUWcJyoIVr4pfNzt13vvJY17PW o8D5Q+p1tRfWKjCPt0Gm1Y7IDSAOOdKdXP9JsEMknajmvkCsxeP0mBoQu/iXyiT/FHoR SgAxWi++wXaLnL2nTGq40pO2dQ/0ukEJ3SYR/3n8/t8dHtEX8Wx6TTUk0j4uS8v4Q2jG t65w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=x4LGD+4S1ok/wgm9NMAMAKPJZ68w3y1nXdS+spksxs4=; b=aJ0+TZFBE7CtVf92qjnPZ+y7Fl9eW87Xjn7jsxLluh/Y66scUU75/H6+k1OBAUX+qW 9g+E/Lvk8/J9vFbxKMOLMnkutY/pIVvrDhxzW/oE37+9mNciuzYPU0T50FYRg81ePc44 LNxanp1SMD6E4gtVkGlnmzme9ABvTZvpXXbTB8M5jizx3SzAnk/11/8sQBw7SVQ7kjCx 46v8DU1PAqxzSr3H2q7m50wq8ylHhauhaKhNGegxcCs7jIGbD0lroWSViJRnjCHlHVWt m+PAmwzCbmQ7oD89MoQPhinkm4VdyxChLg88Cg+W8ka5dUQU93RcEOsTi0tNEGxnuBMq S+aQ==
X-Gm-Message-State: AMCzsaW0qv8xMn5BvCsmebi50wTa71+lCwIVrG9lvYsIbj7x3BKL1bUu 2OJ0K+thKsU0X3i6muDlUmyI2HDyXJ86DjvJvCNMmr8EJzE=
X-Google-Smtp-Source: ABhQp+RrMnKOY6CY6Kgj6XkAth29eGOGguxxYXMWXaSAn2hr+sMY1lOGaSEEqPkCj875vQObwMIVAlhhz1ZnkJDORvk=
X-Received: by 10.37.45.83 with SMTP id s19mr2587812ybe.400.1508990758186; Wed, 25 Oct 2017 21:05:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.194 with HTTP; Wed, 25 Oct 2017 21:05:17 -0700 (PDT)
In-Reply-To: <DBDF9AE44733284D808F0E585E1919022D150360@dggeml511-mbs.china.huawei.com>
References: <DBDF9AE44733284D808F0E585E1919022D150360@dggeml511-mbs.china.huawei.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 25 Oct 2017 21:05:17 -0700
Message-ID: <CABcZeBM-m4GcyyqvrHwvoVezCcCg=tSKshfTdSG9bN-8DxupYg@mail.gmail.com>
To: yinxinxing <yinxinxing@huawei.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f4030435b0101c872e055c6b4a66"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BrPH0EcJ4j1dlh8IhdeSziXmpTo>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Oct 2017 04:06:03 -0000
On Wed, Oct 25, 2017 at 8:02 PM, yinxinxing <yinxinxing@huawei.com> wrote: > Hi Ekr, > > > > Sorry for the delay. I don’t quite understand “The way that this > mechanism works is that it either replaces all of them or supplements the > set.” I see the new CID is encrypted in the post-handshake message and > transferred to the peer. So, the record header of this message needs to > contain the “old” CID. > Yes. I don't understand what your question is. When you send a new CID, you can either label it as cid_immediate or cid_spare. "immediate" means "stop using all the other CIDs you have and "spare" means "this is a CID you can use in addition to the others you have. > Besides, I have summarized the ways of distinguishing the CID packet and > standard packet that people have discussed in the mailing list: > > a) Adding new ContentType. > > b) Adding new version. (As you replied, since 1.3 is going to > remove version field in the record header, so this choice may not be > proper.) > > c) Using specifically-constructed CID. (I saw you replied that it > would be a way for DTLS 1.2. But for 1.3, you want a different way.) > > d) By comparing the 5-tuple. Martin made this. (If I understand > right) His idea is that first check the 5-tuple of the packet, if there is > a match, then use the corresponding key. If there is no match, then treat > the packet as a CID packet and find the CID in the packet according to the > new format. But, the precondition for well working is that the 5-tuple of > the CID packet will not be successfully matched in the receiver's 5-tuple > table. > > > > For the above choices, what do you think? Or do you have any other good > solution to be updated in the draft? > I think we should do neither (a) nor (b). I don't really understand (c) but I think (d) is fine, though not the only technique implementors could use. -Ekr > > > Regards, > > Yin Xinxing > > > > *发件人:* Eric Rescorla [mailto:ekr@rtfm.com] > *发送时间:* 2017年10月23日 20:13 > *收件人:* yinxinxing > *抄送:* tls@ietf.org > *主题:* Re: [TLS] Connection ID Draft > > > > > > > > On Mon, Oct 23, 2017 at 12:53 AM, yinxinxing <yinxinxing@huawei.com> > wrote: > > Hi Ekr, > > > > For the post-handshake messages in the draft, I have some comments. > > > > 1. When one peer sends NewconnectionID message to the other, it > uses a newly defined handshake type. This new CID is attached in the > payload of the record message. But there must be some information for the > receiver to know which CID is going to be updated. I mean that when sending > new CID through the NewConnectionID message, the record header should > include the “old” CID, so that the receiver knows which one to replace. > > The way that this mechanism works is that it either replaces all of them > or supplements the set. I'm not sure that this is the right dynamic, but > I'd first want to see some worked through cases. > > > > 2. In the draft, is the new CID encrypted? I suggest that the new > CID (for the first time sending) can be encrypted to make sure that an > attacker can not associate a new CID with an old CID. Let’s consider a case > where an attacker wants to track an IOT device. If the newly generated CID > is not encrypted when updating, the attacker can associate the new CID with > the old one. Then, when the peer sends message with the new CID later, the > attacker knows this packet is sent from the victim. If we encrypt the new > CID when updating, this tracking problem can be avoided. > > > > TLS 1.3 post-handshake messages are always encrypted. > > > > Another comment is about symmetrical CID. > > 1. Consider a client sends a normal CID (CID length is not zero, > named C-CID) to server, but the server doesn’t wants to use client’s CID > and sends a CID generated by the server (named S-CID) to the client. > > No. The CID is for the client's benefit, so why would this be useful? > > > > At the same time, client needs to know server has ignored C-CID (which > means the downlink application message from the server will not include > C-CID), and client will use S-CID in its application message. Will the > draft cover this scenario? > > No. > > > > -Ekr > > > > > > Yin Xinxing > > > > *发件人**:* Eric Rescorla [mailto:ekr@rtfm.com] > *发送时间**:* 2017年10月13日 21:00 > *收件人**:* yinxinxing > *抄送**:* tls@ietf.org > *主题**:* Re: [TLS] Connection ID Draft > > > > > > > > On Fri, Oct 13, 2017 at 1:11 AM, yinxinxing <yinxinxing@huawei.com> wrote: > > Hi Ekr, > > > > Thanks for your effort. The draft looks good. A few comments are listed > below. > > > > 1. Based on the draft, for either DTLS1.2 or 1.3, server can’t > differentiate whether the packet from client is a “connection ID” packet or > a standard DTLS 1.2/1.3 packet. (I saw Thomas Fossati and Nikos also > introduced this problem) > > Maybe we can add a new “ContentType” in the DTLS record format to help > server identify the “connection ID” packet. In addition, you see the length > of the record payload is limited by 2^14-1, this means the first two bits > of “length” is zero. We could utilize this feature and set the first two > bits or more bits of CID being one, e.g., 1111….(but the CID must be put > between sequence number and length). When server finds 1111 after sequence > number, it knows this is a “connection ID” packet. However, I don’t know > whether it is proper to use such magic number. In my view, adding new > contenttype may be a choice. > > > > As I said to Nikos, for DTLS 1.2, you can use a specially-constructed CID > that would not be a valid length field. This can actually just have the > leading bit set. As we're revising the DTLS 1.3 record format, we would > need to do something different for that. > > > > 2. For DTLS 1.2, there is no NewConnectionID and > RequestConnectionID message. DTLS 1.2 server and client also has the > requirement to request for a new CID, and at present, many products still > use DTLS1.2 and I believe it will continue to be used for a long time even > if TLS/DTLS1.3 is published. My point is that we need a corresponding > method for updating CID for DTLS1.2 too. > > In general, the WG is working on TLS 1.3, not TLS 1.2, so I'm not really > that excited about putting a lot of effort into enhancing TLS 1.2. The > basic extension works fine for them, but if they want to change CIDs, then > they should adopt DTLS 1.3. > > > > I don’t quite understand the following sentences > > “In DTLS 1.2, connection ids are exchanged at the beginning of the > > DTLS session only. There is no dedicated "connection id update" > > message that allows new connection ids to be established mid-session, > > because DTLS 1.2 in general does not allow post-handshake messages > > that do not themselves begin other handshakes.” > > > > The only post-handshake messages allowed in DTLS 1.2 are ClientHello and > HelloRequest. > > > > Besides, for CID in DTLS1.3, I think the corresponding responding messages > of NewConnectionID and RequestConnectionID are also needed to ensure that > the peer has received CID. > > > > No, you use the ACK for these (https://tools.ietf.org/html/ > draft-ietf-tls-dtls13-01#section-7). This is one reason why there is not > a straightforward port to DTLS 1.2 for these messages. > > > > 4. The generation of CID should be more concrete. For example, > using random number or a counter? > > I explicitly did not want to do that, because there are a lot of valid > ways to generate CID. This is also what we did in QUIC. > > > > -Ekr > > > > > > > > Regards, > > Yin Xinxing > > > > *发件人**:* TLS [mailto:tls-bounces@ietf.org] *代表* Eric Rescorla > *发送时间**:* 2017年10月13日 7:14 > *收件人**:* tls@ietf.org > *主题**:* [TLS] Connection ID Draft > > > > Hi folks, > > > > I have just posted a first cut at a connection ID draft. > > https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00 > > > > Comments welcome. > > > > -Ekr > > > > > > > > > > >
- [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Nikos Mavrogiannopoulos
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Hannes Tschofenig
- Re: [TLS] Connection ID Draft Eric Rescorla
- [TLS] 答复: Connection ID Draft yinxinxing
- [TLS] 答复: Connection ID Draft yinxinxing
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- [TLS] 答复: Connection ID Draft yinxinxing
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- [TLS] 答复: 答复: Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Benjamin Kaduk
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Christian Huitema
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Nikos Mavrogiannopoulos
- Re: [TLS] Connection ID Draft Simon Bernard
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Benjamin Kaduk
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Simon Bernard