Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 04 February 2020 21:47 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF89B120164 for <tls@ietfa.amsl.com>; Tue, 4 Feb 2020 13:47:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TW0pL0wE2OCb for <tls@ietfa.amsl.com>; Tue, 4 Feb 2020 13:47:05 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E36E3120152 for <tls@ietf.org>; Tue, 4 Feb 2020 13:47:03 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 1B7533AA9E; Tue, 4 Feb 2020 16:47:02 -0500 (EST)
Date: Tue, 4 Feb 2020 16:47:02 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20200204214702.GT49778@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <20200121055411.GJ73491@straasha.imrryr.org> <CABcZeBP=BetaxVo5v-khdykP0U3P6j-e+hL307o8Wn3KC9rmhA@mail.gmail.com> <20200121224610.GR73491@straasha.imrryr.org> <CABcZeBOq+mvY4mx+VT0QB08b67noqZyvr0NE-_YMGsz5VoSDuA@mail.gmail.com> <CADZyTkmvJRCNXMU4vS_4Q6soD3_+b2aHLSVdSXeK5+WCWQr+Ew@mail.gmail.com> <CAChr6SwkwEntnigHaQ8rnN0Ku_MKbGcFFh4EBSaUtrxfQaMdUg@mail.gmail.com> <CABcZeBPiq8-2xT_E2A8OtDCN6p3ZQuK19Cxso28+C1tCyeUs=w@mail.gmail.com> <20200203054915.GO49778@straasha.imrryr.org> <6edaf470-ecc7-4f17-8727-dc166cc6d8d5@redhat.com> <2d587501-b323-9a75-99cd-5686219dba0d@wizmail.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2d587501-b323-9a75-99cd-5686219dba0d@wizmail.org>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C8eKRTTNZhDuZkO2ciOeZbUmGXY>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2020 21:47:07 -0000

On Tue, Feb 04, 2020 at 03:08:31PM +0000, Jeremy Harris wrote:

> On 04/02/2020 13:56, Hubert Kario wrote:
> > the thing is that getting extra ticket from the server is at most an
> > inconvenience for postfix
> 
> Isn't the giving out of needless tickets a performance cost
> for the server, as well as a bandwidth cost for the network?
> 
> Or are tickets zero-cost to produce?

They are not free.  They can be modestly large, especially when client
cert authencation was used on the initial connection, in which case at
least the EE cert is typically bundled into the ticket (some
implementations may save the whole chain).

This means that abbreviated resumption handshakes are now followed
with potentially an additional O(1 KB) of ticket traffic.

The CPU cost of encrypting the ticket is generally modest, but in
an RPC protocol over TLS, which relies on resumption to ammortise
handshake overhead, the extra payload may dwarf the application
traffic.

Squirreling away a fresh tickets after each RPC request may also
increase garbage collection pressure in some languages.  Not all
the world is C, C++ or Rust.

-- 
    Viktor.