[TLS] 答复: Connection ID Draft
yinxinxing <yinxinxing@huawei.com> Sat, 14 October 2017 02:28 UTC
Return-Path: <yinxinxing@huawei.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3A3B132944 for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 19:28:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GOLeE-TiaTB for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 19:28:46 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D63D21241F3 for <tls@ietf.org>; Fri, 13 Oct 2017 19:28:45 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml709-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DXR69321; Sat, 14 Oct 2017 02:28:44 +0000 (GMT)
Received: from DGGEMI403-HUB.china.huawei.com (10.3.17.136) by lhreml709-cah.china.huawei.com (10.201.108.32) with Microsoft SMTP Server (TLS) id 14.3.301.0; Sat, 14 Oct 2017 03:28:43 +0100
Received: from DGGEMI508-MBS.china.huawei.com ([169.254.3.228]) by dggemi403-hub.china.huawei.com ([10.3.17.136]) with mapi id 14.03.0301.000; Sat, 14 Oct 2017 10:28:34 +0800
From: yinxinxing <yinxinxing@huawei.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Connection ID Draft
Thread-Index: AdND9UCTy0qV4eX+RfS1VDVqmNEmOwAAVQkAACcLt3A=
Date: Sat, 14 Oct 2017 02:28:33 +0000
Message-ID: <DBDF9AE44733284D808F0E585E1919022C7AAC48@dggemi508-mbs.china.huawei.com>
References: <DBDF9AE44733284D808F0E585E1919022C7A77E2@dggemi508-mbx.china.huawei.com> <9800fbbc-f23f-139d-b5a9-ef6515123f73@gmx.net>
In-Reply-To: <9800fbbc-f23f-139d-b5a9-ef6515123f73@gmx.net>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.184.225.248]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090203.59E1765C.0029, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.3.228, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 4be5258770b575f21713cf51650b7029
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Juvs_4ehSgWkWf9KLio1oKPUgO0>
Subject: [TLS] 答复: Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Oct 2017 02:28:48 -0000
Hi Hannes, "exchange new CIDs and switch between them every day" may not be a good choice for power constrained IOT devices. From the point of saving battery, it is better to transfer the new CID to the other peer in the application responding message in passing, instead of sending an independent updating CID message. In addition, like what Stephen mentioned, it is essential to avoid linkability between new CID and old CID. This is not covered in this draft. For 1.2, in this draft, there is no NewConnectionID and RequestConnectionID message, how can the CID be updated. This is what I mean "worse". Regards, Yin Xinxing -----邮件原件----- 发件人: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] 发送时间: 2017年10月13日 23:41 收件人: yinxinxing; Eric Rescorla; tls@ietf.org 主题: Re: [TLS] Connection ID Draft I would like to focus on one of the points raised below: > 3. We have a practical usecase in IoT. The IOT device, like > intelligent water meter, sends one message per day, and goes to sleep. > It wakes up in the second day and sends a message and then goes to > sleep. If it always (or for a long time) use the same CID, there may > be a risk of tracing IOT device or the owner of this device. > Therefore, it is important to recommend user to update CID once it > finishes sending message. For the CID in DTLS1.2, this becomes worse. The user is typically not doing anything. Without this CID extension you would send a full exchange or use session resumption. This would allow someone in the middle to see the handshake. In DTLS/TLS 1.2 this would reveal the client certificate. With DTLS 1.3 and this extension you would hide the certificate and you could echange new CIDs and switch between them every day. The source IP address will most likely still reveal the subscriber (if you consider some cooperation with the ISP). So, you actually get pretty good privacy properties with DTLS 1.3 & CID (unless some of the data center folks destroy it again with their fancy extensions). With DTLS 1.2 there is only a performance benefit but the privacy properties remain the same IMHO. Ciao Hannes > > > > Regards, > > Yin Xinxing > > > > *发件人:*TLS [mailto:tls-bounces@ietf.org] *代表 *Eric Rescorla > *发送时间:*2017年10月13日7:14 > *收件人:*tls@ietf.org > *主题:*[TLS] Connection ID Draft > > > > Hi folks, > > > > I have just posted a first cut at a connection ID draft. > > https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00 > > > > Comments welcome. > > > > -Ekr > > > > > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Nikos Mavrogiannopoulos
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Hannes Tschofenig
- Re: [TLS] Connection ID Draft Eric Rescorla
- [TLS] 答复: Connection ID Draft yinxinxing
- [TLS] 答复: Connection ID Draft yinxinxing
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- [TLS] 答复: Connection ID Draft yinxinxing
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- [TLS] 答复: 答复: Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Benjamin Kaduk
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Christian Huitema
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Nikos Mavrogiannopoulos
- Re: [TLS] Connection ID Draft Simon Bernard
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Benjamin Kaduk
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Simon Bernard