Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting

Erik Nygren <erik+ietf@nygren.org> Mon, 17 March 2014 15:26 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBA2C1A040E for <tls@ietfa.amsl.com>; Mon, 17 Mar 2014 08:26:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_46=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dTlGcTPsyqDw for <tls@ietfa.amsl.com>; Mon, 17 Mar 2014 08:26:29 -0700 (PDT)
Received: from mail-vc0-x22d.google.com (mail-vc0-x22d.google.com [IPv6:2607:f8b0:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id CA0DE1A0409 for <tls@ietf.org>; Mon, 17 Mar 2014 08:26:28 -0700 (PDT)
Received: by mail-vc0-f173.google.com with SMTP id il7so5889292vcb.18 for <tls@ietf.org>; Mon, 17 Mar 2014 08:26:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=MmsLzFmDBArmJDv+AQO3FrvDMOcrkEPsswe+B7gS9Eo=; b=gaCMmcemCJfFY1RhjlRoHwzUq1M4v9TnmS19Nr4v7XhStiHgtGE7KfHiBhUan8kpfZ lG1z7rJvLduEP/JAL62bX79b/IaM82orD1ec4c4JLyJ0AzN5xIXVMYUT89iH7Jb393OQ K0+P+9Z9xDORhwPilrGp7HpNNzh2QrS92mvy7lvo/clFmq1dFjRt+8dnNXraa0chK8vn buDRJLnl9h+a7TBWP9KGcdlpfwjqCziKhp7xjWq5MT9Ocj7Hzgxi0zDs7lac/OAdjq/j J3+4rz9AunEZU9ZYW1ceOx2XwU4BG9kE07L1NhCmP2l9z1KwtYKClxTiO7pYTxoqX7Zn doXg==
MIME-Version: 1.0
X-Received: by 10.52.183.106 with SMTP id el10mr6205vdc.73.1395069980708; Mon, 17 Mar 2014 08:26:20 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.220.91.132 with HTTP; Mon, 17 Mar 2014 08:26:20 -0700 (PDT)
In-Reply-To: <53263807.9020005@nthpermutation.com>
References: <5325DDA0.9030006@nthpermutation.com> <CACsn0cmLJJGw5cKmbnUT9tftEd0tn4cJQcf1WN7VQQc1GeO-aA@mail.gmail.com> <53260C51.10407@nthpermutation.com> <CAKC-DJjnyZqBN8d4emetYvdWB281bmfvunjonxTiCRF5-tznMg@mail.gmail.com> <53263807.9020005@nthpermutation.com>
Date: Mon, 17 Mar 2014 11:26:20 -0400
X-Google-Sender-Auth: 1ELrNdCv24ZBuG7LTcx37X3GN4E
Message-ID: <CAKC-DJjBEhppCTNmvnxD_COu3gJBYnZD31iCv7ACpHL08z8jVA@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: Michael StJohns <msj@nthpermutation.com>
Content-Type: multipart/alternative; boundary="bcaec547cb97a3178f04f4cf0a2d"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/HdB9p7V5NZcbMKtVsl87WMlkPmI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 15:26:31 -0000

As someone mentioned in London, the SNI header is layer-7 routing
information (similar to how the IP address is layer-3 routing information
and the TCP port is layer-4 routing info).  As much as we would all
(hopefully?) love to protect it from a privacy perspective, it may turn out
to be hard to do so in today's Internet without making hard trade-offs.
The cases where encrypting SNI has value is where there is a 1:many
association between IP and ServerName (including in cases where the server
with the keys is on a different physical machine and perhaps different
trust domain from the server terminating the TCP connection).  But those
are also the cases hard to implement here.  Today (due to lack of adequate
client adoption of SNI), many servers just use a 1:1 association here.

> I think what we're getting to is that if we have a system where there is
a middle box, then neither of these approaches
> makes a lot of sense for the scale you're talking about?

Right, especially in the case where the middle box is just a load-balancer
or demuxer and doesn't have the keying information.  Take the example of a
virtual hosting cloud provider that has a TCP-terminating load balancer
with public addresses that clients connect to (perhaps tens or hundreds of
IPv4 addresses?) and then has a large pool of servers behind it operated by
different entities with no shared trust (in private or IPv6 address space,
perhaps with each backend server having many hostnames).  In HTTP, the load
balancer can just use the Host header to route traffic to the right place.
With TLS without SNI, an IP address is needed per cert (which doesn't scale
in IPv4 to allow pervasive use of TLS).  With unencrypted SNI, the load
balancer can demux connections to the proper server based on the SNI
header. With encrypted SNI, this only works if there's an additional
round-trip and the SNI header (and server cert and other things we want to
protect) are covered by a key in the load balancer's trust domain (with
that key never being used for anything sensitive).  The end result of the
encrypting at the client-hello level is thus opportunistic, with the
similar effective results as if ipsec with anonymous was used to encrypt
the connection (with TLS with SNI-in-the-clear then being over the ipsec
connection).

There are hundreds of millions of websites out there, all being handled by
a highly heterogeneous mix of cloud providers, single server deployments,
CDNs, embedded devices, and more.  If we want to get pervasive TLS out
there, we need to make sure that it can be deployed in all of these.
Getting adequate TLS SNI adoption in clients is one of the gating factors
for more pervasive use of TLS, and if we break the ability to use TLS SNI
with adequate performance/cost in some of the key deployment scenarios then
it could be a barrier to adoption.

    Erik



On Sun, Mar 16, 2014 at 7:47 PM, Michael StJohns <msj@nthpermutation.com>wrote:

> On 3/16/2014 5:31 PM, Erik Nygren wrote:
>
>> Pros helping the passive anti-privacy attacker:  they also have server IP
>> address to constrain the problem space by, plus TLS 1.2 SNIs so if there
>> are a 100k hostnames behind the middlebox then that's their search space.
>>
>> Pros helping the DDoS attacker: they can just send random hash+opaque
>> values.  The middle box needs to then calculate the hash for all of the
>> hostnames (eg, perhaps 100k in the same scenario above).
>>
>
> I don't disagree with any of your points (but there's always a tradeoff
> between DOS protections and negotiation protections), but I wanted to focus
> on the 100K.
>
> The question is - if the SNI is encrypted from the client to the end
> system, how do the end systems communicate with the middle box to pass on
> their key info and keep it up to date - not on a per-box 100K basis, but on
> a 100K times the number of connections per box?
>
> I think what we're getting to is that if we have a system where there is a
> middle box, then neither of these approaches makes a lot of sense for the
> scale you're talking about?
>
> Mike
>
>