Re: [TLS] Encryption of TLS 1.3 content type

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 28 July 2014 04:08 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Encryption of TLS 1.3 content type
Date: Mon, 28 Jul 2014 04:08:35 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C738EFB1969@uxcn10-5.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Io-KuN9otpcsY7aZhyg1Y2WFxcI
Subject: Re: [TLS] Encryption of TLS 1.3 content type

Yoav Nir <ynir.ietf@gmail.com> writes:

>I believe that changing the 5-byte record header will cause us trouble.
>Passive IDS/IPS devices follow TLS streams to detect certain attacks. They
>will cut connections.

Is it really up to the TLS WG to break (or at least constrain) our designs
in order to accommodate broken middleboxes?  They're not going to understand
any of TLS 1.3 anyway and will need to be updated when it comes along, so why
keep this legacy header just for them?

Peter.