IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

yinxinxing <yinxinxing@huawei.com> Fri, 20 October 2017 11:39 UTC

Return-Path: <yinxinxing@huawei.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D0D21326FE for <tls@ietfa.amsl.com>; Fri, 20 Oct 2017 04:39:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XrGs8cd7Io2I for <tls@ietfa.amsl.com>; Fri, 20 Oct 2017 04:39:15 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01AA7133091 for <tls@ietf.org>; Fri, 20 Oct 2017 04:39:14 -0700 (PDT)
Received: from 172.18.7.190 (EHLO LHREML711-CAH.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DYD22560; Fri, 20 Oct 2017 11:39:12 +0000 (GMT)
Received: from DGGEML401-HUB.china.huawei.com (10.3.17.32) by LHREML711-CAH.china.huawei.com (10.201.108.34) with Microsoft SMTP Server (TLS) id 14.3.361.1; Fri, 20 Oct 2017 12:39:12 +0100
Received: from DGGEML511-MBS.china.huawei.com ([169.254.4.184]) by DGGEML401-HUB.china.huawei.com ([fe80::89ed:853e:30a9:2a79%31]) with mapi id 14.03.0301.000; Fri, 20 Oct 2017 19:39:07 +0800
From: yinxinxing <yinxinxing@huawei.com>
To: Martin Thomson <martin.thomson@gmail.com>, "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Connection ID Draft
Thread-Index: AdNJl/a2c3uKTP71RWunuMjKfcHD1g==
Date: Fri, 20 Oct 2017 11:39:06 +0000
Message-ID: <DBDF9AE44733284D808F0E585E1919022D14F30A@dggeml511-mbs.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.184.225.248]
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0203.59E9E061.0053, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.4.184, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 2bb64600e8d734ca67556d1e323aff95
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KxIQMwi9QQeFfYrIQQjJBzLwbHk>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2017 11:39:17 -0000

Hi Martin,

According to the code you described in previous email, ISTM your idea of parsing the standard packet and CID packet is using the 5-tuple. The benefit is that no new contenttype or version is needed. But the precondition for well working is that the 5-tuple of the CID packet will not be successfully matched in the receiver's 5-tuple table. However, this condition is not always true. 

If I misunderstand your idea, please correct me. Thanks.  

Yin Xinxing

-----邮件原件-----
发件人: TLS [mailto:tls-bounces@ietf.org] 代表 Martin Thomson
发送时间: 2017年10月18日 16:08
收件人: Fossati, Thomas (Nokia - GB/Cambridge, UK)
抄送: tls@ietf.org
主题: Re: [TLS] Connection ID Draft

On Wed, Oct 18, 2017 at 5:44 PM, Fossati, Thomas (Nokia - GB/Cambridge, UK) <thomas.fossati@nokia.com> wrote:
> This is quite similar to the trial and error / heuristic that I was 
> mentioning in [1].

You didn't mention 5-tuples.  And it isn't trial and error: you use 5-tuple as your primary key and use connection ID to latch.

> Note that if A.1 and A.2's 5-tuples are swapped, the algorithm fails 
> to recognise A.1 as CID-enabled and sends it forward to the crypto 
> handler when it shouldn't.

As I said before, any connection without a connection ID monopolizes that 5-tuple making it inaccessible to other connections.  I think that in this case: too bad.

> And the already discussed limitations:
> - Fragility on corner cases (e.g., the 5-tuple swap above);

I don't see how you can avoid this in the general case.  Any connection without connection ID is going to be hard to correlate if it moves.  As for the connection that does have a connection ID but moves on top of a connection that doesn't, I don't think that is an acceptable loss.

> - Forcing middleware to keep state;
> - Breaking wireshark & co unless they can see the whole session;

Both of these are acceptable to me.  Unless you can describe a middlebox use case that needs access to this information and can't deal with the solution that I described.  Wireshark and co will need to see the handshake if they want to decrypt and that's the only case that is important.

> - (Depending on the use case, the cost of the two lookups per record
>   on the parsing might have a performance impact.)

The second lookup only happens after a migration.  I neglected to mention that successful use of a connection ID causes the 5-tuple to be assigned to that connection; there's a trick there in that you need to watch for reordering, but it saves the double lookup.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email