Re: [TLS] Forged RST (was: About encrypting SNI)
Eric Rescorla <ekr@rtfm.com> Sat, 19 April 2014 19:51 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A6451A00CB for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:51:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AlQDXz6IBAv2 for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:51:02 -0700 (PDT)
Received: from mail-we0-f181.google.com (mail-we0-f181.google.com [74.125.82.181]) by ietfa.amsl.com (Postfix) with ESMTP id 32B531A00BD for <tls@ietf.org>; Sat, 19 Apr 2014 12:51:02 -0700 (PDT)
Received: by mail-we0-f181.google.com with SMTP id q58so2496426wes.26 for <tls@ietf.org>; Sat, 19 Apr 2014 12:50:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=V6b1vUylEJmWMWEOZg5DwICa/3vucH7nJR0HIu2Lq7A=; b=mwkUTWaHVx1yrz/l5USHX/LslEYkCc4/uDBv+6gjwrY1Ndm/EIr7IJF1V+0t0+ZJGu 7Wlbi09PMsAVUit+cMc7B3+TsXN4iVTcyYK6NDIEqpubhW7mD0MkNT67rYEOlN9DKPfh p2zYS6TzNE+IFrLTAzi3sKwCOlJ005DIiGM7l8qv6yDVxsb5m7XCY+7Qjy94CL14RTd5 YwZlDEoM3rWdElH2wtEZuMnhiA8S7MGDFOrFjJgGpnetgkD/Gh7FFwIb3PRlf13i3e16 8kxlM6mtYAr+Tvu6UHy50aeIq3LhJR6gANbwikv0ntHtzEvYY3bVu3Z2LwWSgkIdVZA5 K02Q==
X-Gm-Message-State: ALoCoQklU0PKJHKdzOJsEps8tuG/XW/Z4zUPAODGoPeMNEj1tkD/GbuFHJMXGqh7YtPMHpra29Gc
X-Received: by 10.194.203.170 with SMTP id kr10mr21987547wjc.19.1397937057408; Sat, 19 Apr 2014 12:50:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Sat, 19 Apr 2014 12:50:17 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <CACsn0c=Qi-qkQkqj0QZpX45gYX6ZKc--eDnw9by1t7AyxDSaLg@mail.gmail.com>
References: <822C36AB-27AC-4844-8C83-449064FC345C@gmail.com> <r422Ps-1075i-12718ABB05044695BAD8DA77F4CC973F@Williams-MacBook-Pro.local> <CABcZeBM3ZntWwwYhdi8qvJRL7C8fuMUQeRJuJxptQUK9MNY-jg@mail.gmail.com> <CACsn0c=Qi-qkQkqj0QZpX45gYX6ZKc--eDnw9by1t7AyxDSaLg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 19 Apr 2014 12:50:17 -0700
Message-ID: <CABcZeBP_wAoCn-SyGebAcVsh6S4-T++=8Syi7=LASDDRu=1VgA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b6d87deb9bd6504f76a9584"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ID_d8TBxpuWicfiLMrmxSkokGAw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Forged RST (was: About encrypting SNI)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 19:51:05 -0000
On Sat, Apr 19, 2014 at 12:40 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Sat, Apr 19, 2014 at 12:20 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > > > > > On Sat, Apr 19, 2014 at 8:55 AM, Bill Frantz <frantz@pwpconsult.com> > wrote: > >> > >> On 4/17/14 at 1:27 AM, ynir.ietf@gmail.com (Yoav Nir) wrote: > >> > >> > Those who won't use TCP are doomed to re-create it. To get a UDP-based > >> > protocol to replace TCP for > >> > the web you'd need all of reliable delivery through (selective?) > >> > retransmissions, bandwidth > >> > detection, replay protection, a whole lot of things that took the > >> > transport community years to get > >> > right. Yes, there have been many attempts, but there's a reason TCP is > >> > still the protocol everyone > >> > uses for pretty much any type of bulk transfer. And this is before we > >> > even begin to talk about > >> > middleboxes dropping unrecognized UDP services. > >> > >> Absolutely correct. > >> > >> However, one could set up a DTLS session and then initialize the TCP > >> protocol within that session. > >> > >> I don't think anyone has considered this inversion before. It may not be > >> useful, but.. > > > > > > This is how WebRTC DataChannels work, except that it's SCTP rather than > TCP. > > > > http://tools.ietf.org/html/draft-ietf-tsvwg-sctp-dtls-encaps-03 > > > > The WG did consider TCP but selected SCTP for a variety of reasons that > > probably > > don't bear going into here. You certainly could build the same thing with > > TCP. > > This is also how MinimaLT, CurveCP, and indeed TCP over IPSec > (assuming we fix the issues that stop IPSec at the application layer > from working) work. The flow control issues are easy: copy the > algorithm from TCP. The firewall issues are not. > Yes, the firewall issues are fairly complicated. The good news is that they're quite a bit easier in client-server type applications because servers generally have public IP addresses (otherwise you pretty much cannot connect to them via TCP). Basically, either the client is behind a network element (firewall/NAT) which lets UDP in and out or it's not. If it is (estimates for this vary, but rumors are ~95%), then client-server TCP over UDP variants should work. The situation is of course much more complicated for P2P applications, and in such applications you need ICE and generally a media relay server. -Ekr
- [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Russ Housley
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Nick Mathewson
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Seth David Schoen
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- [TLS] Forged RST (was: About encrypting SNI) Alyssa Rowan
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] Forged RST (was: About encrypting SNI) Erik Nygren
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] Forged RST Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Nico Williams
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] Forged RST (was: About encrypting SNI) Watson Ladd
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI David Holmes
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI - Traffic Analysis… Michael StJohns
- Re: [TLS] About encrypting SNI - Traffic Analysis… Nico Williams
- Re: [TLS] About encrypting SNI - Traffic Analysis… Stephen Farrell
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Rex
- Re: [TLS] About encrypting SNI Nikos Mavrogiannopoulos
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Thomson
- Re: [TLS] About encrypting SNI - Traffic Analysis… Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Fabrice
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Tim Bray
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Hoffman
- Re: [TLS] About encrypting SNI Viktor Dukhovni
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Yoav Nir