Re: [TLS] Connection ID Draft
Nikos Mavrogiannopoulos <nmav@redhat.com> Fri, 13 October 2017 06:21 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DC4F1345A7 for <tls@ietfa.amsl.com>; Thu, 12 Oct 2017 23:21:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ELlCE8UCXQbn for <tls@ietfa.amsl.com>; Thu, 12 Oct 2017 23:21:11 -0700 (PDT)
Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 088C2134519 for <tls@ietf.org>; Thu, 12 Oct 2017 23:21:10 -0700 (PDT)
Received: by mail-wm0-f53.google.com with SMTP id l68so18728437wmd.5 for <tls@ietf.org>; Thu, 12 Oct 2017 23:21:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=GhdR2Ym9zuU6vjUlDr1LdLRnYIkVZxkjbBrOdlo2PX4=; b=RNxe/7Udd3ev/ASAlTQin2bYm8NJ9KXeuhmnYUcG/5vWJkF573ZGxuO/3vaJyqdPjd /mfSe5VvYobDKXHNVvewGoWtkr8cGN6P+KDiEsGCHrYpuls9CKbRXcroaHoIWq+378mC hpWDZAEaqlbu+o3fcidmjnIa5eznAuFUfPDOxc4yWulDMdA5jdSnWvihFj9O40G/DdVN h8a3Q6/t2HTfhbGJgLvUNncwo6Hv8tJ3/wWSjMpt6SMkxEE7EP9d0GLxpB40/7xtAZRI 3T1mhUpbeCkF/2hqy7IXwIvMCB7rs+BaMStKPWcusJT6InQtCuD0CAYhx1eh5IouGLPO odFQ==
X-Gm-Message-State: AMCzsaUDxCA3azOqLbkL1pX5OLCL1CwSStt8hZaVAQaAJwaj24+T4inm YJaUEiGsRLFtepl/3sHpwOkCVUCbcJo=
X-Google-Smtp-Source: ABhQp+RNQcp45vY2BKfYP1TrWYl0zkSatqojTCWnzfe/cHDHfyqflnQfXthgI4XZJWK/z0Rl0uC5KA==
X-Received: by 10.28.111.206 with SMTP id c75mr508340wmi.123.1507875669184; Thu, 12 Oct 2017 23:21:09 -0700 (PDT)
Received: from dhcp-10-40-1-102.brq.redhat.com ([2a02:214d:8007:2600:c819:dbd5:903d:344d]) by smtp.gmail.com with ESMTPSA id r1sm565551wrr.56.2017.10.12.23.21.07 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 12 Oct 2017 23:21:08 -0700 (PDT)
Message-ID: <1507875665.3178.19.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Date: Fri, 13 Oct 2017 08:21:05 +0200
In-Reply-To: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com>
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.24.6 (3.24.6-1.fc26)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/K0N_bI7jcEcma5rC36-0guSE2xM>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2017 06:21:13 -0000
On Thu, 2017-10-12 at 16:13 -0700, Eric Rescorla wrote: > Hi folks, > > I have just posted a first cut at a connection ID draft. > https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00 I believe the major issue with that is the fact that the record packet format changes, but there is no way for a party in between to be able to determine the record packet format without keeping session state. Think not only of middle boxes, but of super-servers which may receive of a stray udp packet which they have to forward to the appropriate server [0]. With that change, they cannot figure whether the packet contains the CID or not in a deterministic way for a random CID. One can hack around that limitation by providing a CID which starts with 0xffff which is an illegal size currently for TLS or DTLS, but would have to worry with future extensions to the protocol which may increase the maximum size. Another worrying feature is that the client can make the server send up to 255 verbatim bytes on the wire of his choice. Why was this feature added? Are there use cases related with it (intro doesn't mention any), or it was only thought as a make it as generic as possible approach? If it is the latter, I'd recommend to provide a simple approach that covers the described use cases. The same argument applies to the server being able to set such a long sequence of verbatim bytes to each of the client packets. regards, Nikos [0]. That was exactly my use case for introducing the CID info, as in openconnect server, the super-server receives the stray UDP packets arriving after a NAT disassociates existing connections.
- [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Nikos Mavrogiannopoulos
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Hannes Tschofenig
- Re: [TLS] Connection ID Draft Eric Rescorla
- [TLS] 答复: Connection ID Draft yinxinxing
- [TLS] 答复: Connection ID Draft yinxinxing
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- [TLS] 答复: Connection ID Draft yinxinxing
- Re: [TLS] 答复: Connection ID Draft Eric Rescorla
- [TLS] 答复: 答复: Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Benjamin Kaduk
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Christian Huitema
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Nikos Mavrogiannopoulos
- Re: [TLS] Connection ID Draft Simon Bernard
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Stephen Farrell
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft Benjamin Kaduk
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Eric Rescorla
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft yinxinxing
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Martin Thomson
- Re: [TLS] Connection ID Draft Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] Connection ID Draft Matt Caswell
- Re: [TLS] Connection ID Draft Simon Bernard