Re: [TLS] Maximum Fragment Length negotiation
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 25 November 2016 09:49 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94BD0129574 for <tls@ietfa.amsl.com>; Fri, 25 Nov 2016 01:49:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.098
X-Spam-Level:
X-Spam-Status: No, score=-4.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0zCfshgwb7dx for <tls@ietfa.amsl.com>; Fri, 25 Nov 2016 01:49:53 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB2B912959B for <tls@ietf.org>; Fri, 25 Nov 2016 01:49:50 -0800 (PST)
Received: from [172.16.254.118] ([80.92.114.246]) by mail.gmx.com (mrgmx002 [212.227.17.190]) with ESMTPSA (Nemesis) id 0MAPoQ-1bzn071x18-00BbTM for <tls@ietf.org>; Fri, 25 Nov 2016 10:49:45 +0100
To: tls@ietf.org
References: <20161124195002.GA32346@bolet.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <8d507392-3fb3-82a3-8679-edb6a7e5970d@gmx.net>
Date: Fri, 25 Nov 2016 10:49:44 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <20161124195002.GA32346@bolet.org>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="krFDMjvs465gtRBiBcv885MNKapkLKQrJ"
X-Provags-ID: V03:K0:hV/1VNOl0PVu2e7w/m1LaTrOkewkXS5cxb1cTTzvWJZLvA1Z1a8 WW/vmTyxGb6/h1Hs15KkJxkDJvUR+Yw3OzC5n31KNyBp6CJZneTnq4EjxrCniWQgf9HSYvj lcL/AcE4vzK3J8Ilt1f0xeo3PTuyF2Iyl0iHdjnSoQ0EfQTPT50iHEfT+b71s92WfblvtXq 4gIbqq+SJQYflc64qtlZQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:rJh54WNhhoc=:7kN5q6B8kI22PmWk/2KyLo 9xZRo54+cN9rdPb4lauF2MH7fOsI4kxsIgFdXn9xWInnsLUBdoKXyp2PZEnp4BY45r+Kt7yKA MHZ9m6yp6csc4OVvKzKouH11HXLrsSD7yQKjNDdnVa/FCAVRhhTi/jHcZx1qBAXzbH1wmwRh5 6I4+PsGrp+2rLtfxZwwt+tiRgrTNoQJf9vvk8Ze95dW7vddvb3iwRHT1rs0LmnEiyiWGptR9p YKqunv3eGo3zhl+JZT0mjKaUPK/QgEgZxz7IjaPNjma6LqPa/HUxEsx5vALNgXWcJQx/Tzkin wVBE0VSQ/x5VabsRtI6vINngWY999jnk5gL3J3KaSM6PtbsKrgQOZbiIFKtQEcaUsbrWTmsFB DTA2f9GEU3ldY5IpEO+awiEQH73ouojQtbP3WgqDhKqyykK9G38appG30CJ3jZ3DSWIH+O9T0 Pm3GAyg+O/NDSI5sOluoFsTEw8XvRiivKiXh/slZ9NMXLsKUFo9oNLo64mDCYcNYtpgOf11R8 tqNo6DCVdu/WX8zXNoLSsIBSufe2ezw9UuN0b7UDHkgA05aQVVK8qxkZpRlKjpJ7HGwB5/pTx l2HfLnuEdRUe6aAH8eOphVD/KsA45zXYxo+JEYSMyiiw89cBSxZWxSP8KE/NPj5kiKToffLKZ g8sxlKn9RWnxy8NEGDrDTPbnX0T2TthOh+NPWwmaE6rK+q7M1z2qBW1H65hqj7uZ8/NdH0Dj4 JDNcFS3pwnBf89ULP/N+USoYlt6Rf+fo/7CKpAVLinFA3FBv0Z17KPukq3kqegFuoyVu8HQzH rtZCrSN
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BtMmO-z5dVAAfIqhxlgORMMJDAk>
Subject: Re: [TLS] Maximum Fragment Length negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2016 09:49:58 -0000
Hi Thomas, your observations are in line with what we had noticed as well, see Section 6 of https://tools.ietf.org/html/draft-fossati-tls-iot-optimizations-00 Ciao Hannes On 11/24/2016 08:50 PM, Thomas Pornin wrote: > Hello, > > I know that I am a bit late to the party, but I have a suggestion for > the upcoming TLS 1.3. > > Context: I am interested in TLS support in constrained architectures, > specifically those which have very little RAM. I recently published a > first version of an implementation of TLS 1.0 to 1.2, that primarily > targets that kind of system ( https://www.bearssl.org/ ); a fully > functional TLS server can then run in as little as 25 kB of RAM (and > even less of ROM, for the code itself). > > Out of these 25 kB, 16 kB are used for the buffer for incoming records, > because encrypted records cannot be processed until fully received (data > could be obtained from a partial record, but we must wait for the MAC > before actually acting on the data) and TLS specifies that records can > have up to 16384 bytes of plaintext. Thus, about 2/3 of the RAM usage is > directly related to that maximum fragment length. > > There is a defined extension (in RFC 6066) that allows a client to > negotiate a smaller maximum fragment length. That extension is simple > to implement, but it has two problems that prevent it from being > really usable: > > 1. It is optional, so any implementation is free not to implement it, > and in practice many do not (e.g. last time I checked, OpenSSL did > not support it). > > 2. It is one-sided: the client may asked for a smaller fragment, but > the server has no choice but to accept the value sent by the client. > In situations where the constrained system is the server, the > extension is not useful (e.g. the embedded system runs a minimal > HTTPS server, for a Web-based configuration interface; the client is > a Web browser and won't ask for a smaller maximum fragment length). > > > I suggest to fix these issues in TLS 1.3. My proposal is the following: > > - Make Max Fragment Length extension support mandatory (right now, > draft 18 makes it "recommended" only). > > - Extend the extension semantics **when used in TLS 1.3** in the following > ways: > > * When an implementation supports a given maximum fragment length, it > MUST also support all smaller lengths (in the list of lengths > indicated in the extension: 512, 1024, 2048, 4096 and 16384). > > * When the server receives the extension for maximum length N, it > may respond with the extension with any length N' <= N (in the > list above). > > * If the client does not send the extension, then this is equivalent > to sending it with a maximum length of 16384 bytes (so the server > may still send the extension, even if the client did not). > > Semantics for the extension in TLS 1.2 and previous is unchanged. > > With these changes, RAM-constrained clients and servers can negotiate a > maximum length for record plaintext that they both support, and such an > implementation can use a small record buffer with the guarantee that all > TLS-1.3-aware peers will refrain from sending larger records. With, for > instance, a 2048-byte buffer, per-record overhead is still small (about > 1%), and overall RAM usage is halved, which is far from negligible. > > > RAM-constrained full TLS 1.3 is likely to be challenging (I envision > issues with, for instance, cookies, since they can be up to 64 kB in > length), but a guaranteed flexible negotiation for maximum fragment > length would be a step in the right direction. > > Any comments / suggestions ? > > Thanks, > > > --Thomas Pornin > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Maximum Fragment Length negotiation Thomas Pornin
- Re: [TLS] Maximum Fragment Length negotiation Fossati, Thomas (Nokia - GB)
- Re: [TLS] Maximum Fragment Length negotiation Hannes Tschofenig
- Re: [TLS] Maximum Fragment Length negotiation Michael Tuexen
- Re: [TLS] Maximum Fragment Length negotiation Thomas Pornin
- Re: [TLS] Maximum Fragment Length negotiation Martin Thomson
- Re: [TLS] Maximum Fragment Length negotiation Raja ashok
- Re: [TLS] Maximum Fragment Length negotiation Hubert Kario
- Re: [TLS] Maximum Fragment Length negotiation Martin Thomson
- Re: [TLS] Maximum Fragment Length negotiation Hubert Kario