IETF Logo Mail Archive

Re: [TLS] ALPN or NPN ?

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 13 March 2013 19:59 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7B9721F8614 for <tls@ietfa.amsl.com>; Wed, 13 Mar 2013 12:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.533
X-Spam-Level:
X-Spam-Status: No, score=0.533 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zx6XizURcCbk for <tls@ietfa.amsl.com>; Wed, 13 Mar 2013 12:59:32 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com [207.46.163.207]) by ietfa.amsl.com (Postfix) with ESMTP id 7C27821F84B2 for <tls@ietf.org>; Wed, 13 Mar 2013 12:59:32 -0700 (PDT)
Received: from BY2FFO11FD022.protection.gbl (10.1.15.204) by BY2FFO11HUB029.protection.gbl (10.1.14.114) with Microsoft SMTP Server (TLS) id 15.0.620.12; Wed, 13 Mar 2013 19:45:06 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD022.mail.protection.outlook.com (10.1.15.211) with Microsoft SMTP Server (TLS) id 15.0.620.12 via Frontend Transport; Wed, 13 Mar 2013 19:45:06 +0000
Received: from DB8EHSOBE042.bigfish.com (157.54.51.114) by mail.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id 14.2.318.3; Wed, 13 Mar 2013 19:44:18 +0000
Received: from mail206-db8-R.bigfish.com (10.174.8.245) by DB8EHSOBE042.bigfish.com (10.174.4.105) with Microsoft SMTP Server id 14.1.225.23; Wed, 13 Mar 2013 19:43:55 +0000
Received: from mail206-db8 (localhost [127.0.0.1]) by mail206-db8-R.bigfish.com (Postfix) with ESMTP id 9EAF94C0140 for <tls@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 13 Mar 2013 19:43:54 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT005.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -22
X-BigFish: PS-22(zzbb2dI98dI9371I542Idb82hzz1f42h1ee6h1de0h1202h1e76h1d1ah1d2ahzz1033IL17326ah8275dhz31h2a8h668h839h93fhd24hf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1ad9h1b0ah9a9j1155h)
Received-SPF: softfail (mail206-db8: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=Andrei.Popov@microsoft.com; helo=BL2PRD0310HT005.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BN1PR03MB069; H:BN1PR03MB072.namprd03.prod.outlook.com; LANG:en;
Received: from mail206-db8 (localhost.localdomain [127.0.0.1]) by mail206-db8 (MessageSwitch) id 1363203831986258_27968; Wed, 13 Mar 2013 19:43:51 +0000 (UTC)
Received: from DB8EHSMHS009.bigfish.com (unknown [10.174.8.251]) by mail206-db8.bigfish.com (Postfix) with ESMTP id BD5593C004C; Wed, 13 Mar 2013 19:43:51 +0000 (UTC)
Received: from BL2PRD0310HT005.namprd03.prod.outlook.com (157.56.240.21) by DB8EHSMHS009.bigfish.com (10.174.4.19) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 13 Mar 2013 19:43:47 +0000
Received: from BN1PR03MB069.namprd03.prod.outlook.com (10.255.225.153) by BL2PRD0310HT005.namprd03.prod.outlook.com (10.255.97.40) with Microsoft SMTP Server (TLS) id 14.16.275.5; Wed, 13 Mar 2013 19:43:44 +0000
Received: from BN1PR03MB072.namprd03.prod.outlook.com (10.255.225.156) by BN1PR03MB069.namprd03.prod.outlook.com (10.255.225.153) with Microsoft SMTP Server (TLS) id 15.0.620.20; Wed, 13 Mar 2013 19:43:44 +0000
Received: from BN1PR03MB072.namprd03.prod.outlook.com ([169.254.7.90]) by BN1PR03MB072.namprd03.prod.outlook.com ([169.254.7.102]) with mapi id 15.00.0620.020; Wed, 13 Mar 2013 19:43:44 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Xiaoyong Wu <X.Wu@F5.com>
Thread-Topic: [TLS] ALPN or NPN ?
Thread-Index: Ac4fS4/pCw0qsUTCSMOaz+CCsKSG8gAmfUcAAACwbgAAC7LVAAABsXqAAAA0DZA=
Date: Wed, 13 Mar 2013 19:43:43 +0000
Message-ID: <833d8576911745a3a4837dcb4047f7a2@BN1PR03MB072.namprd03.prod.outlook.com>
References: <32599_1363111393_513F6DE1_32599_8557_1_5AE9CCAA1B4A2248AB61B4C7F0AD5FB90CE2F4@PEXCVZYM14.corporate.adroot.infra.ftgroup> <7C9A0DF1-8BE4-47EF-B3F2-5D1F9E087326@vpnc.org> <CALR0uiLbSsrX1ZzDCBxNo4s98LKSegaescb-tHGmdxspdE8pTw@mail.gmail.com> <E774C81546D66E429BF56B1474C7EBBAD97A2D4E@SEAEMBX01.olympus.F5Net.com> <5140CE2B.5020006@fifthhorseman.net>
In-Reply-To: <5140CE2B.5020006@fifthhorseman.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.255.124.4]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BN1PR03MB069.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%PIRONTI.EU$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%VPNC.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%FIFTHHORSEMAN.NET$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%F5.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC103.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC103.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(189002)(479174001)(199002)(24454001)(377454001)(13464002)(31966008)(6806001)(56816002)(46102001)(23676001)(51856001)(16676001)(47776003)(63696002)(20776003)(80022001)(50466001)(4396001)(50986001)(54356001)(65816001)(79102001)(49866001)(15202345001)(54316002)(47976001)(76482001)(33646001)(561944001)(53806001)(74662001)(56776001)(59766001)(47446002)(69226001)(5343655001)(44976002)(74502001)(47736001)(77982001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB029; H:TK5EX14HUBC103.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0784C803FD
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, Alfredo Pironti <alfredo@pironti.eu>, "TLS@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ALPN or NPN ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2013 19:59:33 -0000

NPN draft (http://tools.ietf.org/id/draft-agl-tls-nextprotoneg-04.txt) says:
"  ... after a handshake has been performed for a
   given connection, renegotiations on the same connection MUST NOT
   include the "next_protocol_negotiation" extension."

So NPN extension cannot be used as part of a renegotiation on the same connection.
It looks like one can't have true confidentiality guarantees with NPN, as defined.

There is a broad spectrum of opinions in the WG regarding the need for hiding application protocol information:
- List of protocols and\or the negotiated protocol need to be truly confidential.
- It is enough to protect  application protocol data from passive MITM attack.
- Application protocol data should be visible to the network elements for optimal routing/accounting/filtering etc.

Clearly there are multiple scenarios that need to be supported. Perhaps it will be easier for all the parties involved to come to an agreement if we decouple the problem of negotiating an application protocol from the problem of making various contents of the TLS handshake confidential (or protected from passive attack, obfuscated, etc.)

There are separate proposals that address the confidentiality issue in a systemic way, such that the protection would apply not only to the application protocol data, but also the client cert, SNI information, etc. (see http://tools.ietf.org/id/draft-ray-tls-encrypted-handshake-00.txt is an example).

Cheers,

Andrei

-----Original Message-----
From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Daniel Kahn Gillmor
Sent: Wednesday, March 13, 2013 12:06 PM
To: Xiaoyong Wu
Cc: Paul Hoffman; Alfredo Pironti; TLS@ietf.org
Subject: Re: [TLS] ALPN or NPN ?

On 03/13/2013 02:17 PM, Xiaoyong Wu wrote:
> +1 on this. A false sense of security is no better than no security. If we believe the NPN information is sensitive and should be protected, we should have this after the Finished message.

It's worth remembering that there is actually a practical, real-world distinction between "in the clear" and "accessible to a MITM who is willing to cause a connection handshake to fail".

Client software can at least observe that the information leaked in the latter case, and can advise the user.  (how helpful this is in the face of a malicious adversary might be hard to assess without thinking through the full user experience)

Note also that moving the NPN information after the Finished message is already possible in some sense by doing a second handshake.  Or is there some restriction on renegotiation that says you MUST not supply NPN on subsequent handshakes if it was not supplied initially?

However, moving the NPN info after the handshake means that the server won't have an opportunity to select different credentials based on the NPN info.

	--dkg

v2.23.0 | Report a Bug | By Email