IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Christian Huitema <huitema@huitema.net> Tue, 17 October 2017 02:54 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F82713304A for <tls@ietfa.amsl.com>; Mon, 16 Oct 2017 19:54:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uMvTvDxid0Kx for <tls@ietfa.amsl.com>; Mon, 16 Oct 2017 19:54:40 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3C75132949 for <tls@ietf.org>; Mon, 16 Oct 2017 19:54:39 -0700 (PDT)
Received: from xsmtp05.mail2web.com ([168.144.250.245]) by mx26.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1e4I1d-0004RL-8n for tls@ietf.org; Tue, 17 Oct 2017 04:54:37 +0200
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp05.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1e4I1X-0004Ym-S2 for tls@ietf.org; Mon, 16 Oct 2017 22:54:35 -0400
Received: (qmail 8116 invoked from network); 17 Oct 2017 02:54:30 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.187]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <tls@ietf.org>; 17 Oct 2017 02:54:30 -0000
To: Eric Rescorla <ekr@rtfm.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com> <574d133f-0531-2206-c7d3-825ebaffacdd@cs.tcd.ie> <CABcZeBM_xUadFDnAK-FLGjqciDOLGoePv8xhSFkmBYS5nooXxQ@mail.gmail.com> <765bb5b0-2129-9ea8-2c51-b6b4163748e8@cs.tcd.ie> <CABcZeBNbt-ZB=8jsp=pKkDfS9qKOogfmjeAieN6KC9KBNkWnrg@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <1deda3f5-870f-7bfa-4acb-389d7ab46be0@huitema.net>
Date: Mon, 16 Oct 2017 19:54:28 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBNbt-ZB=8jsp=pKkDfS9qKOogfmjeAieN6KC9KBNkWnrg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------98F42EE374D0D39A326BA850"
Content-Language: en-US
X-Originating-IP: 168.144.250.245
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.32)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5k+Zo4f92G7xuSTs6mBJD8sXv9krsgRhBn0ayn6qsUc7RO6saVKtiei5 uUZjs8uJrOfHzJ6mVE7ewsipSVIfs4ZOxLzzMqsj18EIE7iDUvYlLB67TLnlh9i6Dr2tTQ7u+vvY qRKjl4d7q5m2gyZzYYWZ3JKVmi72ocgY5kMQSjs7Pk8VxOtUn7O9m8cCuN8HIa1B2N+xwNIm4bky rJMaAA/itEW1aHIJYDvx6uGLOm1Bi99Or0uXh6FskGQ3mtr4LUU/Qweyn+lg7TbDa2rNOWNaHCnN rMSSA7xor9tnUlOY8pSJo/Vkdr+FbBdda40x5B/NGyVcjXsZLVHUb2pmaEmDh4PRiBbRliPgaurB TRjstfheF24EjrGuHVHIMu1lYZhMr2sR3cQs/oU/axm99b2jdwip2wrbEvxHA2swIjN6PhFSfsse t38tyDP81cDf6vvg7iEFLP+SSY+Av5+AiC5mpw6R6T6fxWZ9NABSr2NGXbs4x/QizkoGwYIF2vLk MP/BJIXWfDOHfh6sRd9UMgGBQ5eKj6MUa9KfPAvxvWyWT4RXC/v261lNS3iZqUf5OA4U9Xw5Uo2K LQdKsYidsA0RFZ4oobg8BBg3Jq+ntzj03+ntCUYBCPpj1kdMCef1cQQQ/nsetUhuYMuf7MD+XoqO mNfYeZV2hhJL8IbQ/hmZFWaxSGfJU6M2WecjfLQquYool8X0+BvzGRRfxR+ffygb+fXMHzh3GvdL obcVeVRtcYBRSAmgD/ruOCD7mIOayLGEL8Yk8iee0Qz/7JNkz28DO2rOsK3hNn/Au26Nj+2lUGlP 9nCUO1/T3hbtM3dprmUVrBsPGnNiJ83AD/4JscDdpjPAXF36ccukK2jUdhJTBUmsltvK9h2NrJzJ uG6g9+lNC4wc2LkM7XQE4YLVklOcIA9nWuJMoxLUn/yzif+v
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/H_7Qek0jmHV6J1gGCExwFsMVD_0>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Oct 2017 02:54:42 -0000


On 10/13/2017 7:29 AM, Eric Rescorla wrote:
>
>
> On Fri, Oct 13, 2017 at 7:16 AM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>> wrote:
>
>
>     Hiya,
>
>     On 13/10/17 14:56, Eric Rescorla wrote:
>     > I've seen a number of designs like these, but in general they
>     > have quite poor scaling properties. Can you describe the precise
>     > design you have in mind so that we can analyze it.
>
>     Sure, I can try...
>
>     What I'm suggesting is that we define a way that a TLS
>     node can change the connection ID to a new value that
>     is hard to link to the old, as a function that can be
>     used when the implementation chooses to use it.
>     ...
>     To change an id, pick a value foo that depends on the TLS
>     session, e.g. like an extractor, and that is not visible
>     to the network. Then set next-id to H(foo||prev-id) or
>     some similar construct.
>

The problem with these encrypted or hashed schemes is the scaling part.
When you receive a packet from a yet-uncategorized 5-tuple, you have to
find the context. It can be "any of the contexts currently establish",
so you end up having to try them all, or maybe 1/2 of them in average.
That can be a lot of hashes or encryptions. If the sender can only send
some token that the recipient already expects, the demuxing becomes much
simpler.

I  like EKR's design. But it is a scheme that can be implemented, and
will work. There are edge cases, like controlling how many connection ID
a peer is willing to provide in advance.  And it tends to fall in the
"sharp knife" category of tools, i.e., you have better understand what
you are doing. In particular, you need a strategy for breaking the
linkability of sequence numbers, otherwise connection-id changes will
not accomplish much. But there may well be other issues, like time
correlation, or traffic patterns.

By the way, the often considered scenario is "what happens if the NAT
rebinds and the client does not know." I think a simple heuristic of
changing the connection ID when coming out of long sleeps would help a
lot there. NAT  bindings don't change much if the traffic is sustained.
But if the last packet was many seconds ago, the client would be wise to
just rotate the connection ID before sending anything new.

The other often considered scenarios are variations of the "mobile
network". The NAT rebinds because the mobile router moved to a new
connection, but the client does not know. I can't think of a good
heuristic there, but it certainly would be helpful if the mobile router
somehow informed the clients. That's probably easier to engineer than
changing connection ID on every packet.

-- 
Christian Huitema

v2.23.0 | Report a Bug | By Email