Re: [TLS] Updated DTLS draft
Eric Rescorla <ekr@rtfm.com> Fri, 17 March 2017 11:46 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28C9F128616 for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 04:46:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aHie79AIEYCa for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 04:46:11 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D19F8127A91 for <tls@ietf.org>; Fri, 17 Mar 2017 04:46:10 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id v198so51126170ywc.2 for <tls@ietf.org>; Fri, 17 Mar 2017 04:46:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=r80s3NPQ3akBE1T04HivuM812yj6baYVBTaoZKznR8Q=; b=0p8SrhVB3JzRgD4JI7Nve86uMQgDF1zggikzLNiWb0+U1oc85ZRGcEhg7qP8GQAXki HCxEvay2XDX60q/PIaIlpWxhfKbH9K6kKMY0lByNaGLMLkut8PimZ3slfZqPhRyKrGRc ybg3d2GsGcc/JL5uRw/xtKNupcuqcSblChtAnTeXjgIZZCzLobAEP6h/sTFur81hq38B uqH+puPnXMn0EObWMWMVaUaOeibgm7P4tO9TTMWejiZMQrBJ3WXJCBhLI/hWpUG0Ldw8 KT8LGPHNv+OUYBS5Ta/777Mm/iF8mnk55gIkqykyV1tPbHqzgJEZ8qe1tegr9WTgtsnN IXEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=r80s3NPQ3akBE1T04HivuM812yj6baYVBTaoZKznR8Q=; b=sq9cLE4he10moTTR2aptEkC4ARLbObZPiuxU0ZDfsZaMSYERGxzuNy/7/CtRcmon+g PZZ0e2OiZW3TFXhiBq1THzfsE5bK9X55ibOn3fHlqSZ4ZQMdguEmfe2AcRllMiud/lGT 6Er0eIdLbWBMeLc4BBIeZz8dtINY5fx/sOU3gfC1C1K8ym0IIM0tP9EYc/Bs+0QedT5V TUBxAjhl1JN9zTlN0MTZmyMfSsGYUl5S1UoE/IKhKVYXL/+6s67ipwVjnfOUG3fiQqAY WAEMul23zeig+JW8wLV748N0Rh7Oxv06F+DBALYpqNpWi3mbEcM25kBHACEtaMF4X6Ps edyQ==
X-Gm-Message-State: AFeK/H0q2OZyIA8TydulXn0784SVpIx7w6m482yGGXcTVq4dtoLBX7Lxw/kiwW5wv/7amyYU35mKiqwwkYmEcw==
X-Received: by 10.13.250.67 with SMTP id k64mr2450556ywf.125.1489751170072; Fri, 17 Mar 2017 04:46:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Fri, 17 Mar 2017 04:45:29 -0700 (PDT)
In-Reply-To: <CAMoSCWZTj_zRuQ8XzWvJ-OZCP40naqoUng1xXnvu5FjRELSgjg@mail.gmail.com>
References: <CABcZeBPjry16=zpwajosiKtiA3ADeFsgZdkN+cFBdg6iTjQrfQ@mail.gmail.com> <CAMoSCWbtzm49uyg8qTgEnhcRox5Bx4vi=rQ56GcDG9fj_RmL8w@mail.gmail.com> <CABkgnnVEPstEUMfh1umbS8=10ubei9Ka22H6uuBjcGvR_rwpfA@mail.gmail.com> <CAMoSCWZTj_zRuQ8XzWvJ-OZCP40naqoUng1xXnvu5FjRELSgjg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 17 Mar 2017 04:45:29 -0700
Message-ID: <CABcZeBMwpVv0yqLqAOcj5=VE_CdqWvKg3ajOdP5zj+EM1Rvb0Q@mail.gmail.com>
To: Matt Caswell <frodo@baggins.org>
Cc: Martin Thomson <martin.thomson@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c07f34a4bda58054aebb929"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FLjb2rJ0KNpNYB_JaWY4dfVkd2k>
Subject: Re: [TLS] Updated DTLS draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 11:46:13 -0000
On Fri, Mar 17, 2017 at 4:32 AM, Matt Caswell <frodo@baggins.org> wrote: > On 17 March 2017 at 00:03, Martin Thomson <martin.thomson@gmail.com> > wrote: > > On 17 March 2017 at 10:58, Matt Caswell <frodo@baggins.org> wrote: > >> In DTLS1.3 the cookie is now (potentially) much larger and appears much > later in > >> the ClientHello, making it much more likely that it will not fall > >> fully within the > >> first fragment. This could mean a fully stateless solution is > impossible. > > > > > > I think that it is feasible to simply require that ClientHello be > > contained in a single datagram. > > Yes, this is one of several solutions - although it is possibly a > retrograde step. With the assumptions that I currently have for > DTLSv1.2, even with max size cookie and session id the full cookie > will always be contained within the first 346 bytes of the record (if > I did my sums right) - which doesn't seem unreasonable. So as long as > the first fragment isn't smaller than that then, with our current > implementation, we are good. > > By stating that the *whole* ClientHello must be within the first > fragment we are placing some significant restrictions on the > extensibility of the protocol and how much we can stuff into it. > Fragmenting the initial ClientHello does happen even in DTLS1.2 > (before we've added extra ciphersuites and extensions for DTLSv1.3) - > we had a recent report of someone having problems when receiving > fragmented ClientHellos: > > https://mta.openssl.org/pipermail/openssl-users/2017-February/005332.html > > Another option is to say that the cookie extension must be fully > contained within the first fragment - which avoids the above > extensibility concerns. This option is much better but is still > retrograde from DTLS1.2 because the extensions block appears later in > the ClientHello (most importantly after ciphersuites, which could be > quite long). > > A third option is to retain use of the cookie field in DTLSv1.3 and > require that the first fragment contains it, i.e. the server sends the > cookie in the HRR and the client reflects it back in the cookie field. > This would solve all of the above problems but introduces a new one - > the TLSv1.3 max cookie length is bigger than the length of the cookie > field. There are a couple of ways around that that I can think of - > the simplest being that DTLS1.3 could restrict the max cookie length - > but that in itself could cause some problems due to the fact that more > data needs to be stored in the cookie for DTLS1.3 (i.e. the transcript > hash). > > > QUIC does this and when we did the > > sums it wasn't completely unreasonable, even assuming several key > > shares and a big-ish cookie. And then we made it possible to make the > > cookie even smaller in -19. > > Did we? How did we do that? > By making the hash state you needed to store a hash value rather than a hash checkpoint. -Ekr > > Matt >
- [TLS] Updated DTLS draft Eric Rescorla
- Re: [TLS] Updated DTLS draft Matt Caswell
- Re: [TLS] Updated DTLS draft Martin Thomson
- Re: [TLS] Updated DTLS draft Matt Caswell
- Re: [TLS] Updated DTLS draft Eric Rescorla
- Re: [TLS] Updated DTLS draft Ilari Liusvaara
- Re: [TLS] Updated DTLS draft Martin Thomson