IETF Logo Mail Archive

Re: [TLS] Forged RST (was: About encrypting SNI)

Eric Rescorla <ekr@rtfm.com> Sat, 19 April 2014 19:51 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A6451A00CB for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:51:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AlQDXz6IBAv2 for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:51:02 -0700 (PDT)
Received: from mail-we0-f181.google.com (mail-we0-f181.google.com [74.125.82.181]) by ietfa.amsl.com (Postfix) with ESMTP id 32B531A00BD for <tls@ietf.org>; Sat, 19 Apr 2014 12:51:02 -0700 (PDT)
Received: by mail-we0-f181.google.com with SMTP id q58so2496426wes.26 for <tls@ietf.org>; Sat, 19 Apr 2014 12:50:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=V6b1vUylEJmWMWEOZg5DwICa/3vucH7nJR0HIu2Lq7A=; b=mwkUTWaHVx1yrz/l5USHX/LslEYkCc4/uDBv+6gjwrY1Ndm/EIr7IJF1V+0t0+ZJGu 7Wlbi09PMsAVUit+cMc7B3+TsXN4iVTcyYK6NDIEqpubhW7mD0MkNT67rYEOlN9DKPfh p2zYS6TzNE+IFrLTAzi3sKwCOlJ005DIiGM7l8qv6yDVxsb5m7XCY+7Qjy94CL14RTd5 YwZlDEoM3rWdElH2wtEZuMnhiA8S7MGDFOrFjJgGpnetgkD/Gh7FFwIb3PRlf13i3e16 8kxlM6mtYAr+Tvu6UHy50aeIq3LhJR6gANbwikv0ntHtzEvYY3bVu3Z2LwWSgkIdVZA5 K02Q==
X-Gm-Message-State: ALoCoQklU0PKJHKdzOJsEps8tuG/XW/Z4zUPAODGoPeMNEj1tkD/GbuFHJMXGqh7YtPMHpra29Gc
X-Received: by 10.194.203.170 with SMTP id kr10mr21987547wjc.19.1397937057408; Sat, 19 Apr 2014 12:50:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Sat, 19 Apr 2014 12:50:17 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <CACsn0c=Qi-qkQkqj0QZpX45gYX6ZKc--eDnw9by1t7AyxDSaLg@mail.gmail.com>
References: <822C36AB-27AC-4844-8C83-449064FC345C@gmail.com> <r422Ps-1075i-12718ABB05044695BAD8DA77F4CC973F@Williams-MacBook-Pro.local> <CABcZeBM3ZntWwwYhdi8qvJRL7C8fuMUQeRJuJxptQUK9MNY-jg@mail.gmail.com> <CACsn0c=Qi-qkQkqj0QZpX45gYX6ZKc--eDnw9by1t7AyxDSaLg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 19 Apr 2014 12:50:17 -0700
Message-ID: <CABcZeBP_wAoCn-SyGebAcVsh6S4-T++=8Syi7=LASDDRu=1VgA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b6d87deb9bd6504f76a9584"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ID_d8TBxpuWicfiLMrmxSkokGAw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Forged RST (was: About encrypting SNI)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 19:51:05 -0000

On Sat, Apr 19, 2014 at 12:40 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Sat, Apr 19, 2014 at 12:20 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >
> >
> > On Sat, Apr 19, 2014 at 8:55 AM, Bill Frantz <frantz@pwpconsult.com>
> wrote:
> >>
> >> On 4/17/14 at 1:27 AM, ynir.ietf@gmail.com (Yoav Nir) wrote:
> >>
> >> > Those who won't use TCP are doomed to re-create it. To get a UDP-based
> >> > protocol to replace TCP for
> >> > the web you'd need all of reliable delivery through (selective?)
> >> > retransmissions, bandwidth
> >> > detection, replay protection, a whole lot of things that took the
> >> > transport community years to get
> >> > right. Yes, there have been many attempts, but there's a reason TCP is
> >> > still the protocol everyone
> >> > uses for pretty much any type of bulk transfer. And this is before we
> >> > even begin to talk about
> >> > middleboxes dropping unrecognized UDP services.
> >>
> >> Absolutely correct.
> >>
> >> However, one could set up a DTLS session and then initialize the TCP
> >> protocol within that session.
> >>
> >> I don't think anyone has considered this inversion before. It may not be
> >> useful, but..
> >
> >
> > This is how WebRTC DataChannels work, except that it's SCTP rather than
> TCP.
> >
> > http://tools.ietf.org/html/draft-ietf-tsvwg-sctp-dtls-encaps-03
> >
> > The WG did consider TCP but selected SCTP for a variety of reasons that
> > probably
> > don't bear going into here. You certainly could build the same thing with
> > TCP.
>
> This is also how MinimaLT, CurveCP, and indeed TCP over IPSec
> (assuming we fix the issues that stop IPSec at the application layer
> from working) work. The flow control issues are easy: copy the
> algorithm from TCP. The firewall issues are not.
>

Yes, the firewall issues are fairly complicated. The good news is that
they're quite a bit easier in client-server type applications because
servers generally have public IP addresses (otherwise you pretty
much cannot connect to them via TCP). Basically, either the client
is behind a network element (firewall/NAT) which lets UDP in and
out or it's not. If it is (estimates for this vary, but rumors are ~95%),
then client-server TCP over UDP variants should work.

The situation is of course much more complicated for P2P
applications, and in such applications you need ICE and generally
a media relay server.

-Ekr

v2.23.0 | Report a Bug | By Email