IETF Logo Mail Archive

Re: [TLS] ALPS and TLS 1.3 half-RTT data

Cory Benfield <cory@lukasa.co.uk> Wed, 16 December 2020 10:16 UTC

Return-Path: <cory@lukasa.co.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BAFB3A0836 for <tls@ietfa.amsl.com>; Wed, 16 Dec 2020 02:16:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lukasa-co-uk.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o97NSvVFSdxg for <tls@ietfa.amsl.com>; Wed, 16 Dec 2020 02:16:49 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E77593A082F for <tls@ietf.org>; Wed, 16 Dec 2020 02:16:48 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id o17so44002294lfg.4 for <tls@ietf.org>; Wed, 16 Dec 2020 02:16:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lukasa-co-uk.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=vBydwJwld8xHuw3cMAYhf09sYdsTAhy2S3Xic1BLiUk=; b=NibJ0Cdc4HLbeD6BiBCp2UT3d9dCDqyg7du1NNlEzwgObpJta9X/Xa+TmlQmCFm08e wdQGlBTNCXb4aYLCk9dg5DbBp1r51fpSu10l2953GCLGVHjFURfBdml5oT9817Wb9mQB lmFxH7utsZAhrt87uHk8Gq7QfvL6Azg6bOh3AHELLg+7l6uDdgxx+OhGdUYTsXIW9bG9 BomyQ2QEc3ERvwZgqi5Eqq7pIHC6ta+b/C3pVfZacXDahBcsOAwbHi18YMSdxgteCAhN uvvL3n6Ks1p0xz9v1TXrgClvz/E+DlQcRPpNlEF+AA5ocCiEXWq6j1798S6+zk5l+oPg em+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=vBydwJwld8xHuw3cMAYhf09sYdsTAhy2S3Xic1BLiUk=; b=ADvXOWTvpdB9Dc63qqgVa/BEaWXk0IJMv94QE3SR4WEAZiJ3HAR6AZLHlZ2yi4FNjl sc6mQDQM6LmWLY01zAUmTx9JstAnpMmaTqbRmrezqaSjxZ1PHlITqWoc9s2aC7LqtWfO i79aOhImfMwsoT9x2zRf2EZQK/hBCNFYXBdTZy2vaTxrsDmdnAhgwKRSye1WhxjHlL7L HFjtynqPtzeF41dahJEUGyjG94bP325dmp01FepfNJEuvHSwdARt2KiIzu4C9mIhpLQg BUbFJ84ozLaIGpCURTUhkmN4MXA2sc+jU5aMbQWcZMs5mnEETyH0MrrgWy2cGL6wm4Vs tefA==
X-Gm-Message-State: AOAM531QtquqY0BlQVxZhQmfXlA0mKZU8upEVP3xlWyFC00C/bk7dNwd UngKXwI+6YN9gfjpdgu1+CZm8cn70Dqw6vlFov0lNg==
X-Google-Smtp-Source: ABdhPJxn+kLNNidp0Ookz3zgcVhJ53O+pu0+gsYlHVWIoYQYx0S9IIhqUDx51xDN/RINZGRATx7uVVLFFQkY6rQZsvI=
X-Received: by 2002:ac2:5a50:: with SMTP id r16mr13523376lfn.195.1608113806855; Wed, 16 Dec 2020 02:16:46 -0800 (PST)
MIME-Version: 1.0
References: <160703055132.9234.3055845983488231389@ietfa.amsl.com> <CAF8qwaAUE4H2-JxCyQJSWW680=Xp9pkUOQdOQpbLhd-HjYaVcA@mail.gmail.com> <CAH_hAJGfKcDCLA7T_AnXHEK7Y4Qw814mkQcRNq-szF3-83L3Ag@mail.gmail.com> <CAAZdMafs-3xH8ZHaOfC9TZzj-qbfeg8H7b_FLOvkT4XZqChFvQ@mail.gmail.com>
In-Reply-To: <CAAZdMafs-3xH8ZHaOfC9TZzj-qbfeg8H7b_FLOvkT4XZqChFvQ@mail.gmail.com>
From: Cory Benfield <cory@lukasa.co.uk>
Date: Wed, 16 Dec 2020 10:16:35 +0000
Message-ID: <CAH_hAJFZ-Gryiq-hKyX0U0SA96fU1t_eTZEdCEA_E2nRDwwkEA@mail.gmail.com>
To: Victor Vasiliev <vasilvv@google.com>
Cc: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DsdgcOK1G4z52-2J5L5XQOHS5bg>
Subject: Re: [TLS] ALPS and TLS 1.3 half-RTT data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 10:16:51 -0000

On Fri, 11 Dec 2020 at 03:44, Victor Vasiliev <vasilvv@google.com> wrote:
>
> Hi Cory,
>
> I am not sure there is a big difference between ALPN and ALPS in that regard.  ALPS is (or at least can be implemented as) "essentially a static byte sequence vended by the application layer protocol".  Furthermore, applications already have to vary their payloads dramatically depending on signals from the TLS stack whenever they implement ALPN (by choosing, e.g., HTTP/1.1 vs HTTP/2).  From that standpoint, it seems natural for ALPS handling to happen at the same or similar I/O points as ALPN handling.

The distinction here is that a HTTP/2 stack needs to know what the
peer sent for ALPS, which it never did for ALPN. That is, it was
possible to compose TLS and HTTP/2 entirely independently: the TLS
implementation accepted the static byte string from HTTP/2, and if the
ALPN it negotiated matched that string it had successfully negotiated
HTTP/2. I agree that applications needed to know what the ALPN
negotiation was, but HTTP/2 did not. You can observe this in OSS
stacks in the wild, where the HTTP/2 stack never sees the result of
the ALPN negotiation.

ALPS affects the HTTP/2 wire protocol: it is mandatory that the HTTP/2
stack behind the TLS implementation be actively told what the peer
presented in ALPS. This was not required with ALPN (H2 could assume it
was being driven based on successful ALPN negotiation of its H2 ALPN
token). While this is not novel for QUIC (see also Transport
Parameters), it is absolutely novel for H2.

> I am confused by the "fairly unpleasant" part; given that the existing implementations already can change settings in-band, this sounds like it's just a matter of making the existing logic conditional.

The two aren't the same, and the ALPS draft has so far skated around
this problem by not specifying how ALPS would actually work with
HTTP/2. In particular, ALPS must interact with the ยง 3.5 connection
preface in some way. The draft doesn't say how this would work, but
the logical design is that if ALPS is successfully used the connection
preface will be different (it won't bother to include SETTINGS
frames). This cannot help but require tighter coupling between H2 and
TLS, as the H2 stack must now be fed the ALPS data sent by the peer
before it can parse any bytes from that peer. This is simply not a
limitation we have today.

It is also different from making the existing logic conditional, as
presumably we wouldn't bother with SETTINGS ACKs for ALPS settings.
This is because a) the whole point of ALPS is that those settings are
well-ordered w.r.t. the rest of the protocol, obviating the need for
the ACK at all, and b) it would violate existing stack's assumptions
that SETTINGS ACKs can only be received in response to SETTINGS
frames. This requires a different path for the ALPS settings.

I want to stress: I don't think ALPS is a bad idea, I think it's a
good one! It clearly brings benefits for protocols that can require
its presence. If we want to mint a new ALPN token for HTTP/2 that also
mandates ALPS support I'm open to that, but frankly without it I don't
see that ALPS helps us much for HTTP/2.

>
> On Tue, Dec 8, 2020 at 3:48 AM Cory Benfield <cory@lukasa.co.uk> wrote:
>>
>> On Thu, 3 Dec 2020 at 21:56, David Benjamin <davidben@chromium.org> wrote:
>> >
>> > Hi TLS and HTTP friends,
>> >
>> > At the last HTTPWG interim, there was a question of why one would want something like ALPS (draft-vvv-tls-alps) for HTTP SETTINGS (draft-vvv-httpbis-alps) over TLS 1.3 half-RTT data. I know we've also had some discussion on this topic in the TLSWG as well. At the HTTP meeting, folks suggested writing up what a half-RTT-based mechanism might look like, so I put together an I-D below. I hope it helps clarify some of our thinking.
>> >
>> > (The I-D is not meant for adoption or publication or anything. I figured an I-D was probably the most familiar format for folks.)
>> >
>> > David
>>
>> Thanks for producing this document David: I think I was one of the
>> folks who pushed for clarification in this area.
>>
>> I think the document does a good job laying out the difficulties with
>> half-RTT data, but it didn't convince me that ALPS is easier for H2.
>>
>> My biggest concerns are around the need to tightly couple the TLS and
>> application layer stacks. ALPN has been reasonably straightforward to
>> handle, being essentially a static byte sequence vended by the
>> application layer protocol. QUIC transport parameters are already
>> harder, but for things like H2 the state machines have to be
>> complicated by the addition of an essentially parallel I/O path. This
>> is because, unlike QUIC, H2 does not (and cannot) spec the requirement
>> for supporting the ALPS extension so the state machines need to
>> tolerate the possibility that they will supply the SETTINGS as
>> ALPS-data but then need to redeliver it in-band, which is fairly
>> unpleasant (doubly so for servers that may want to use multiple TLS
>> stacks, which now have to mitigate timing issues).
>>
>> I think if ALPS were restricted to protocols that could mandate its
>> support then ALPS seems great. For H2 this seems unlikely to be
>> deployed in the long-tail which limits its usefulness, and tbh I think
>> brings more complexity than it's worth.
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email