Re: [TLS] TLS 1.3 and max_fragment_length
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 14 March 2017 11:04 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C9F812954C for <tls@ietfa.amsl.com>; Tue, 14 Mar 2017 04:04:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uSRoihNAP0yI for <tls@ietfa.amsl.com>; Tue, 14 Mar 2017 04:04:54 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id D0C5D12953D for <tls@ietf.org>; Tue, 14 Mar 2017 04:04:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 12FE01ED83; Tue, 14 Mar 2017 13:04:51 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id u0QcfMzx-HMk; Tue, 14 Mar 2017 13:04:50 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id B178FC4; Tue, 14 Mar 2017 13:04:50 +0200 (EET)
Date: Tue, 14 Mar 2017 13:04:44 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Message-ID: <20170314110443.GB18882@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABkgnnWZgo5xs=+26j6C=o+AMgWHmyQwuMWw7vL=+xvRnpZgog@mail.gmail.com> <ECEFBB0A-43C5-4DB2-8C2D-75763669957B@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <ECEFBB0A-43C5-4DB2-8C2D-75763669957B@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FUsCo-B_6Wj7eZCqakKDn3r4Xbs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 and max_fragment_length
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 11:04:56 -0000
On Tue, Mar 14, 2017 at 11:10:54AM +0200, Yoav Nir wrote: > > > On 14 Mar 2017, at 5:38, Martin Thomson <martin.thomson@gmail.com> wrote: > > > > When we added padding to TLS 1.3, we created an ambiguity with the > > max_fragment_length extension. > > > > Does the limit apply to len(TLSInnerPlaintext) or does it apply to > > len(TLSInnerPlaintext.content) (i.e., TLSPlaintext.length)? That is, > > does is include the padding and content type, or not? > > > > Including the padding would recognize the limitations apply to > > handling large blobs of encrypted data (see earlier email from Thomas > > Pornin). That would be my preference. I think that we need to say > > that though. I guess the second-order question is whether to roll > > RFC6066-bis or patch these things in TLS 1.3 directly. > > > > (BTW, RFC 6066 is quite poor. It's not very precise in identifying > > what it is talking about, it also describes a negotiation design > > unlike anything else in TLS, one that can't be extended ever.) > > Well, I can’t think of a single rational argument in favor of it > *not* including the padding, so I guess I agree that it does. > > If it didn’t include the padding, then any record with length > greater than the max_fragment_length would be obviously padded. > Why leak that? Actually, even worse, then the padding would require extra memory, which the endpoint presumably does not have. If you limit padded plaintext length to 513 bytes (the minimum needed for 512 byte plaintext), with current ciphers, the record payload is at most 529 bytes (16 byte tag is added). Thus, you can receive the record into 529 byte buffer and decrypt in place. -Ilari
- [TLS] TLS 1.3 and max_fragment_length Martin Thomson
- Re: [TLS] TLS 1.3 and max_fragment_length Ilari Liusvaara
- Re: [TLS] TLS 1.3 and max_fragment_length Yoav Nir
- Re: [TLS] TLS 1.3 and max_fragment_length Ilari Liusvaara
- Re: [TLS] TLS 1.3 and max_fragment_length Yoav Nir
- Re: [TLS] TLS 1.3 and max_fragment_length Benjamin Kaduk
- Re: [TLS] TLS 1.3 and max_fragment_length Martin Thomson