Re: [TLS] Fwd: New Version Notification for draft-kazuho-protected-sni-00.txt
Kazuho Oku <kazuhooku@gmail.com> Wed, 19 July 2017 08:37 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BCDE131C37 for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 01:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7X4lEBgl-ywm for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 01:37:22 -0700 (PDT)
Received: from mail-pf0-x233.google.com (mail-pf0-x233.google.com [IPv6:2607:f8b0:400e:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1642B131C2F for <tls@ietf.org>; Wed, 19 Jul 2017 01:37:22 -0700 (PDT)
Received: by mail-pf0-x233.google.com with SMTP id s70so15038490pfs.0 for <tls@ietf.org>; Wed, 19 Jul 2017 01:37:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=gYTPtIHL9i0G1/lweZgMR82ut1Rb18oARn9z6vMjG8Y=; b=M8GAda27ZeKmL3D2PIzTBOZqfRR4N7Bd+fZGa5jPmpPmWO1ViAKELIoKdKJ4wRn2R5 h6pgvOl/zx/159jVGYAMT3jbpw4zOyND9bvAUYtNNAnZRa7Lq66TuFbkWsDaKVxweAId ZNhPzlyYadInvZVlpZLgRy/VfApuZSenMrOj7C7meqfXj4/sUTf4G7Ini8DpQ9S2M+jx YBpNVNo/6KfOOvOFLEv5n95xysCmFHTXvZZ2ZzW8JXcSIpz91UsgJ86ccd+dTy1cfn7/ sQBZkW0UbOs8vlw/w4p8Zx2DCHHJ0r2n6zc+wuqYZDiiJHM28WWf17TwLZK0PbSwGAC1 DlZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=gYTPtIHL9i0G1/lweZgMR82ut1Rb18oARn9z6vMjG8Y=; b=qhNngE1FvmlSqAQsUBNzdm6uFxqV2bnZTRW8JCpWLlhGgLZHuunZbUoglQOA5cBP4g +tG+pWV6gdKfO9nLfsWECBKgiISt/0yqg7gzICQftBDHPBLp8P+e0cjRBb3e1ishR278 EQHWnq8O1BdMTVDV+fOapU+V6wYawGDuP/MXVTSxwR0CF/yExYshXre1SLiRer/GwYms rDH0GcisjGf5Pz7H1h/TgbJOcKXqWHbNkHp/5GyKeUZu6qhn8CouQbbbqHFVrmyECCLd D1Gt4HtNV+CgFQznH732xdb/U+K0GLZvHQuH5/88XAPG+ytIMmxnblegIuKI2oa0cv/e EPvQ==
X-Gm-Message-State: AIVw113nNC52ECziHL2M7Q3p7sYWEyEdweRFADn1kRXxjTzZih7pDCiy UL4wt3uQ+zCC5vebIdmWMiOfgByWsQ==
X-Received: by 10.98.42.4 with SMTP id q4mr1865109pfq.143.1500453441516; Wed, 19 Jul 2017 01:37:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.130.3 with HTTP; Wed, 19 Jul 2017 01:37:20 -0700 (PDT)
In-Reply-To: <20170719050513.2e6v4w3fkdg2q26y@LK-Perkele-VII>
References: <150043553129.25392.13213180786681889232.idtracker@ietfa.amsl.com> <CANatvzyus----nLQE4qAVY4E3sfnXetUHJLAMj3JcCahkhZGRA@mail.gmail.com> <20170719050513.2e6v4w3fkdg2q26y@LK-Perkele-VII>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Wed, 19 Jul 2017 10:37:20 +0200
Message-ID: <CANatvzxrP=P1+3O8DBFnDb3iSfsB1bAVuWMJg5kDYdVTrXxjTg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Dp7zgndVOMNpTdmvm2Gz6FUOEKc>
Subject: Re: [TLS] Fwd: New Version Notification for draft-kazuho-protected-sni-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 08:37:24 -0000
Hi, Thank you for your comments. 2017-07-19 7:05 GMT+02:00 Ilari Liusvaara <ilariliusvaara@welho.com>: > On Wed, Jul 19, 2017 at 05:42:24AM +0200, Kazuho Oku wrote: >> Hi, >> >> I am happy to see us having discussions on how to protected SNI. I am >> also happy to see that draft-huitema-tls-sni-encryption [1] proposes >> actual methods that we might want to use, and that the I-D discusses >> about various attack vectors that we need to be aware of. >> >> On the other hand, as stated on the mailing list an on the mic, I am >> not super happy with the fact that the proposed methods have a >> negative impact on connection establishment time. >> >> So here goes my straw-man proposal, as an Internet Draft: >> https://datatracker.ietf.org/doc/draft-kazuho-protected-sni/. > > At least that method does not obviously vulernable to replay. However, > it has multitude of other problems: > >> In essence, the draft proposes of sending information (e.g., >> semi-static (EC)DH key) to bootstrap encryption in ClientHello as a >> DNS record. Clients will use the obtained (EC)DH key to encrypt SNI. > > There are multiple problems with use of DNS: > > - Individual DNS records can be at most 64kB. > - The whole DNS reply can be at most 64kB. > - In practice, exceeding about 1200 bytes for response starts > causing problems with DNSoDTLS (there is a fallback to DNSoTLS, > but it is not very pleasant). Yes. It is very unlikely that a TLS bootstrap record that contains a signature and a certificate chain will fit into a single packet, hence there would be a performance penalty if DNS over DTLS that fallback to TLS is used. I have had DNS over QUIC in mind when writing the draft, and I might say that the draft (especially the mode that bootstraps the _signed_ signature) is written under the premise that DNS over QUIC will become popular in the future. > - The textual representation starts getting unpleasant way before > that. > - DNS records are defined to have textual and wire formats. Using TLS > notation would be pretty great for latter, but not good for the > former. Generally speaking, for the following two reasons, I prefer having a TLS structure that defines how a bootstrap information should be encoded, and then have a DNS record type that conveys the information. First reason is because the certificate chain and the signature that signs the EC(DH) keys ideally should be validated the same way as we do with the server certificates transmitted within a TLS handshake. It would make sense to just convey certain extensions that affect the behavior of validation (e.g., OCSP stapling extension) as-is, rather than trying to come with corresponding textual representations. Second reason is that we might want to transmit the bootstrap record using something other than DNS. >> Since DNS queries can run in parallel, there would be no negative >> performance impact, as long as DNS responses can be obtained in a >> single RTT. > > Unfortunately, this is not quite true: > > - Packets can get lost, and DNS retransmissions are fairly slow. > - There are lots of horked DNS servers that respond in all sorts of > bad ways (including timing out, or sending utterly bogus error > codes) to unknown RRTypes, especially if the RRType number is > above 255 (but bad servers that do that to any RRType they do > not know about still exist). If DNS over QUIC (or TLS) is used to transfer a signed bootstrap record with a certificate chain, the amount of data that is sent (in sum of DNS query and TLS handshake) will be roughly the same, assuming that Cached Information Extension (RFC7924) is used. Therefore, I believe that the performance will be roughly the same even when taking packet loss into consideration. If UDP-based DNS protocol is used to transfer a signed bootstrap record with a certificate chain, the DNS query needs to fallback to TCP, since the record does not fit into a single packet. That means that it would never be possible to obtain the DNS response in 1 RTT in such case. If UDP-based DNS protocol is used to transfer a bootstrap record without a sign or a certificate chain, then the question will be how high the probability will be in the following two cases: lose more than 1 packet within 2 packets vs. lose more than 1 packet within 4 packets. I agree that amortized performance will be worse for the latter. > (And let's also ignore difficulties in adding new RRTypes, despite > RFC3597 being almost 14 years old, and covering almost everything that > has been added (one needs extra justfication for breaking RFC3597- > complatiblity[1]).) > > > [1] In practicular, following kinds of things break RFC3597: > > - Compressing RRDATA with reference to rest of the DNS message (e.g., > DNS name compression). > - Requiring any kinds of transofrmations on the data in path between > the master file and the end application. > >> The draft mainly discusses about sending a signed bootstrap >> information together with the certificate chain, since doing so is not >> only more secure but opens up other possibilities in the future (such >> as 0-RTT full handshake). However, since transmitting a bootstrap >> record with digital signature and identity is unlikely to fit in a >> single packet (and therefore will have negative performance impact >> until DNS over TLS or QUIC becomes popular), the draft also discusses >> the possibility of sending the EC(DH) key unsigned in the "Things to >> Consider" section. > > There is not much space in DNS records for anything bigger than one > ECDH key per record (but there is space for a few records of that > kind). Agreed. > > -Ilari -- Kazuho Oku
- [TLS] Fwd: New Version Notification for draft-kaz… Kazuho Oku
- Re: [TLS] Fwd: New Version Notification for draft… Tom Ritter
- Re: [TLS] Fwd: New Version Notification for draft… Kazuho Oku
- Re: [TLS] Fwd: New Version Notification for draft… Ilari Liusvaara
- Re: [TLS] Fwd: New Version Notification for draft… Kazuho Oku