IETF Logo Mail Archive

Re: [TLS] Maximum Fragment Length negotiation

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 25 November 2016 09:49 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94BD0129574 for <tls@ietfa.amsl.com>; Fri, 25 Nov 2016 01:49:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.098
X-Spam-Level:
X-Spam-Status: No, score=-4.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0zCfshgwb7dx for <tls@ietfa.amsl.com>; Fri, 25 Nov 2016 01:49:53 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB2B912959B for <tls@ietf.org>; Fri, 25 Nov 2016 01:49:50 -0800 (PST)
Received: from [172.16.254.118] ([80.92.114.246]) by mail.gmx.com (mrgmx002 [212.227.17.190]) with ESMTPSA (Nemesis) id 0MAPoQ-1bzn071x18-00BbTM for <tls@ietf.org>; Fri, 25 Nov 2016 10:49:45 +0100
To: tls@ietf.org
References: <20161124195002.GA32346@bolet.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <8d507392-3fb3-82a3-8679-edb6a7e5970d@gmx.net>
Date: Fri, 25 Nov 2016 10:49:44 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <20161124195002.GA32346@bolet.org>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="krFDMjvs465gtRBiBcv885MNKapkLKQrJ"
X-Provags-ID: V03:K0:hV/1VNOl0PVu2e7w/m1LaTrOkewkXS5cxb1cTTzvWJZLvA1Z1a8 WW/vmTyxGb6/h1Hs15KkJxkDJvUR+Yw3OzC5n31KNyBp6CJZneTnq4EjxrCniWQgf9HSYvj lcL/AcE4vzK3J8Ilt1f0xeo3PTuyF2Iyl0iHdjnSoQ0EfQTPT50iHEfT+b71s92WfblvtXq 4gIbqq+SJQYflc64qtlZQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:rJh54WNhhoc=:7kN5q6B8kI22PmWk/2KyLo 9xZRo54+cN9rdPb4lauF2MH7fOsI4kxsIgFdXn9xWInnsLUBdoKXyp2PZEnp4BY45r+Kt7yKA MHZ9m6yp6csc4OVvKzKouH11HXLrsSD7yQKjNDdnVa/FCAVRhhTi/jHcZx1qBAXzbH1wmwRh5 6I4+PsGrp+2rLtfxZwwt+tiRgrTNoQJf9vvk8Ze95dW7vddvb3iwRHT1rs0LmnEiyiWGptR9p YKqunv3eGo3zhl+JZT0mjKaUPK/QgEgZxz7IjaPNjma6LqPa/HUxEsx5vALNgXWcJQx/Tzkin wVBE0VSQ/x5VabsRtI6vINngWY999jnk5gL3J3KaSM6PtbsKrgQOZbiIFKtQEcaUsbrWTmsFB DTA2f9GEU3ldY5IpEO+awiEQH73ouojQtbP3WgqDhKqyykK9G38appG30CJ3jZ3DSWIH+O9T0 Pm3GAyg+O/NDSI5sOluoFsTEw8XvRiivKiXh/slZ9NMXLsKUFo9oNLo64mDCYcNYtpgOf11R8 tqNo6DCVdu/WX8zXNoLSsIBSufe2ezw9UuN0b7UDHkgA05aQVVK8qxkZpRlKjpJ7HGwB5/pTx l2HfLnuEdRUe6aAH8eOphVD/KsA45zXYxo+JEYSMyiiw89cBSxZWxSP8KE/NPj5kiKToffLKZ g8sxlKn9RWnxy8NEGDrDTPbnX0T2TthOh+NPWwmaE6rK+q7M1z2qBW1H65hqj7uZ8/NdH0Dj4 JDNcFS3pwnBf89ULP/N+USoYlt6Rf+fo/7CKpAVLinFA3FBv0Z17KPukq3kqegFuoyVu8HQzH rtZCrSN
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BtMmO-z5dVAAfIqhxlgORMMJDAk>
Subject: Re: [TLS] Maximum Fragment Length negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2016 09:49:58 -0000

Hi Thomas,

your observations are in line with what we had noticed as well, see
Section 6 of
https://tools.ietf.org/html/draft-fossati-tls-iot-optimizations-00

Ciao
Hannes

On 11/24/2016 08:50 PM, Thomas Pornin wrote:
> Hello,
> 
> I know that I am a bit late to the party, but I have a suggestion for
> the upcoming TLS 1.3.
> 
> Context: I am interested in TLS support in constrained architectures,
> specifically those which have very little RAM. I recently published a
> first version of an implementation of TLS 1.0 to 1.2, that primarily
> targets that kind of system ( https://www.bearssl.org/ ); a fully
> functional TLS server can then run in as little as 25 kB of RAM (and
> even less of ROM, for the code itself).
> 
> Out of these 25 kB, 16 kB are used for the buffer for incoming records,
> because encrypted records cannot be processed until fully received (data
> could be obtained from a partial record, but we must wait for the MAC
> before actually acting on the data) and TLS specifies that records can
> have up to 16384 bytes of plaintext. Thus, about 2/3 of the RAM usage is
> directly related to that maximum fragment length.
> 
> There is a defined extension (in RFC 6066) that allows a client to
> negotiate a smaller maximum fragment length. That extension is simple
> to implement, but it has two problems that prevent it from being
> really usable:
> 
>  1. It is optional, so any implementation is free not to implement it,
>     and in practice many do not (e.g. last time I checked, OpenSSL did
>     not support it).
> 
>  2. It is one-sided: the client may asked for a smaller fragment, but
>     the server has no choice but to accept the value sent by the client.
>     In situations where the constrained system is the server, the
>     extension is not useful (e.g. the embedded system runs a minimal
>     HTTPS server, for a Web-based configuration interface; the client is
>     a Web browser and won't ask for a smaller maximum fragment length).
> 
> 
> I suggest to fix these issues in TLS 1.3. My proposal is the following:
> 
>  - Make Max Fragment Length extension support mandatory (right now,
>    draft 18 makes it "recommended" only).
> 
>  - Extend the extension semantics **when used in TLS 1.3** in the following
>    ways:
> 
>    * When an implementation supports a given maximum fragment length, it
>      MUST also support all smaller lengths (in the list of lengths
>      indicated in the extension: 512, 1024, 2048, 4096 and 16384).
> 
>    * When the server receives the extension for maximum length N, it
>      may respond with the extension with any length N' <= N (in the
>      list above).
> 
>    * If the client does not send the extension, then this is equivalent
>      to sending it with a maximum length of 16384 bytes (so the server
>      may still send the extension, even if the client did not).
> 
>    Semantics for the extension in TLS 1.2 and previous is unchanged.
> 
> With these changes, RAM-constrained clients and servers can negotiate a
> maximum length for record plaintext that they both support, and such an
> implementation can use a small record buffer with the guarantee that all
> TLS-1.3-aware peers will refrain from sending larger records. With, for
> instance, a 2048-byte buffer, per-record overhead is still small (about
> 1%), and overall RAM usage is halved, which is far from negligible.
> 
> 
> RAM-constrained full TLS 1.3 is likely to be challenging (I envision
> issues with, for instance, cookies, since they can be up to 64 kB in
> length), but a guaranteed flexible negotiation for maximum fragment
> length would be a step in the right direction.
> 
> Any comments / suggestions ?
> 
> Thanks,
> 
> 
> 	--Thomas Pornin
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email