IETF Logo Mail Archive

Re: [TLS] Closing on 0-RTT

Erik Nygren <nygren@akamai.com> Fri, 30 June 2017 17:19 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AA3C13144A for <tls@ietfa.amsl.com>; Fri, 30 Jun 2017 10:19:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UE_-kjQw2xwp for <tls@ietfa.amsl.com>; Fri, 30 Jun 2017 10:19:06 -0700 (PDT)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C3AA131442 for <tls@ietf.org>; Fri, 30 Jun 2017 10:19:06 -0700 (PDT)
Received: by mail-qt0-x22c.google.com with SMTP id 22so9277924qtw.2 for <tls@ietf.org>; Fri, 30 Jun 2017 10:19:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=Ja6TMsJQcuoMA66fm7crF3zxoBJa/CNW/5qTNOF+gRg=; b=eJ4dzDPmkk4POT2FYiLtoesOovdFY3Iu3Eynw4/F2tpfxVUMfSfoggafGi13AICC5s VI1umKT1fLlTHb0emq3vFG+lvaxfFOu1r65dJlnn08eu0v+u1KrmsJ6c/BytIc18yqbR MY0E+BUGx/DDsGApTyQX4ieWMs5Pl/PuknsHa7EHmbl6z0un/8b/DbyA1hWN7p5Aa7RL Gb0OH2S74f8BZuVvd00WZSM5Z8sn5+HRO3T9gmsuZA/9UWa+nsDaueFsjozvwtk8J0ye a9sHdXIS9jilKuxVOBtFTIIMf9gpknr8zgA7TmIUd02nJbj4wobkHrCjZJB4wW1iUy6F d2PA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=Ja6TMsJQcuoMA66fm7crF3zxoBJa/CNW/5qTNOF+gRg=; b=qDT6817NOmXOS/A/ZgSxDyCIc8nvheHNbYF7NDbyvi2K2DmIteDSBeGKfvPSqZwaf+ oMj4lcPvuLOJRDfojU5F2jcnM6wDXe1Zv+1IoSxdszw3OP9jzZu1bCneR2beauFsdG3o ViyPOfc9CEas8JuInyMn17YF3rC8ODskUIo3bgJiDwdSqtDNLqBbYiuHkuL4gKR2clav I143IVfRtQMcP2yuZM58U23aUgH+Rve/yRIQL8qFRck0qGOvOjkOdMf5kUrPwofS3d3J CSZGN1ihBXCIWHgi2dS/X0HA4kyf+yBErwj2yHFQHl7tWbnJGVlniGUBnP2D83gpx0I0 5r9A==
X-Gm-Message-State: AKS2vOx6bnbcw4iKIWEvv68dKhmg49kg1wkTB7PN2sj9Fa3eKytcu627 DIwzONPT9xQpnyseKbCvw0eTXAMg9Q==
X-Received: by 10.237.36.11 with SMTP id r11mr29128395qtc.159.1498843145740; Fri, 30 Jun 2017 10:19:05 -0700 (PDT)
MIME-Version: 1.0
Sender: nygren@gmail.com
Received: by 10.12.169.25 with HTTP; Fri, 30 Jun 2017 10:19:05 -0700 (PDT)
In-Reply-To: <CABcZeBN0B8G3UZrLsfRakO0Vuhg=6w+aHsht4Co5pMLMWsy5-Q@mail.gmail.com>
References: <CABcZeBNLo51y4-MYS6NTQn9OWg5jTYYpwxn1fiKKNL5bWA37TA@mail.gmail.com> <CABcZeBNtcvATyd=jhm4GxeyY9xP5CTUp0MLUf9c-ApBFVNvWoQ@mail.gmail.com> <7b5b28f1-60d5-0979-f789-0471df33dba9@akamai.com> <CABcZeBN0B8G3UZrLsfRakO0Vuhg=6w+aHsht4Co5pMLMWsy5-Q@mail.gmail.com>
From: Erik Nygren <nygren@akamai.com>
Date: Fri, 30 Jun 2017 13:19:05 -0400
X-Google-Sender-Auth: T05T9dr1pHu27V4ij0NHv4Xr_gs
Message-ID: <CAKC-DJiEy75Hx1fMRm6_E_rptuRNRTZBZ+SQmR6XQg8+sbshqw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Benjamin Kaduk <bkaduk@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11408b0446a8830553309dea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LAvvY0aRSl39oa6kIPwMpLalv40>
Subject: Re: [TLS] Closing on 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jun 2017 17:19:09 -0000

On Fri, Jun 30, 2017 at 12:53 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>
> On Fri, Jun 30, 2017 at 9:32 AM, Benjamin Kaduk <bkaduk@akamai.com> wrote:
>
>> On 06/29/2017 03:53 PM, Eric Rescorla wrote:
>>
>> I have updated the PR to match people's comments. I would like to merge
>> this soon, so please get any final comments in.
>>
>>
>> I made a couple comments on the PR that are more appropriate for the
>> list, so I'll repeat them here and hopefully get replies from the broader
>> audience.
>>
>>
>> First off, I think we should MUST-level require servers to implement a
>> hard limit on the number of replays accepted.  However, it doesn't quite
>> seem realistic to require "MUST use either [single-use tickets] or
>> [ClientHello recording]".  My preference would be "MUST use either
>> [single-use tickets], [ClientHello recording], or equivalently strong
>> protection", but I don't know what level of support we have for such a
>> strong requirement.  As an alternative, I will also put out "MUST limit
>> replays to at most the number of endpoints capable of accepting connections
>> for a given identity, and SHOULD provide even stronger replay protections,
>> such as [single-use tickets] or [ClientHello recording]."  I think we have
>> general agreement that strong anti-replay as described in the document is
>> feasible for a single-server deployment, and this last formulation is
>> achievable in multi-server environments by just giving each server its own
>> local per-server protection.  (My main reason for wanting a MUST-level hard
>> cap is that I worry that millions/billions of replays will have really
>> nasty consequences in terms of DoS and side channel issues.)
>>
>> But, this has been quite a long thread spread out over multiple
>> forums/email subjects, so I've also probably forgotten some of the
>> arguments presented against having MUST-level strong anti-replay
>> requirements; I'd greatly appreciate if someone could repeat them here for
>> everyone's consideration.
>>
>>
>> The pull request also has some text:
>>
>> +If the expected arrival time is in the window, then the server
>> +checks to see if it has recorded a matching ClientHello. It
>> +either aborts the handshake with an "illegal_parameter" alert
>> +or accepts the PSK but reject 0-RTT. If no matching ClientHello
>> +is found, then it accepts 0-RTT and then stores the ClientHello for
>> +as long as the expected_arrival_time is inside the window.
>> +Servers MAY also implement data stores with false positives, such as
>> +Bloom filters, in which case they MUST respond to apparent replay by
>> +rejecting 0-RTT but MUST NOT abort the handshake.
>>
>> I am not sure why we are giving servers a choice between aborting and
>> accepting the PSK but rejecting 0-RTT (if a matching ClientHello is found),
>> especially not without giving guidance as to why they might choose one or
>> the other.  My natural inclination would be to have the expected behavior
>> be to abort and only fall back to the other behavior if using a scheme with
>> false positives, but Ekr thinks Erik Nygren was in support of just
>> continuing on with 1-RTT.  It looks like this was
>> https://github.com/tlswg/tls13-spec/pull/1005#discussion_r114924733 ,
>> where I ... took the opposite position from what I just said my "natural
>> inclination" was, amusingly enough.  But still, why does this need to be a
>> choice?  Rejecting 0-RTT and continuing on to 1-RTT seems like it would be
>> reasonable in all the cases mentioned so far.
>>
>
> Well, my reason for not wanting to do that is that it's a clear replay and
> so should
> be a hard failure. So, I'd be happy to mandate abort the handshake, but if
> we can't
> agree on that, I'd rather have a choice.
>

Are there scenarios where the duplication might be accidental rather than a
malicious attack?
For example, one might see cases where combining 0RTT with TFO and network
packet
duplication could result in two initial 0RTT flights.  One could also see
"TCP accelerator"
middleboxes doing similar things where the first flight gets replayed.

In both of these cases, only one will actually successfully establish a TLS
connection
and move forwards, but if the successful one is the one that is aborted
then
the connection will fail.  If 0RTT is rejected and both are allowed to
proceed,
then the bogus accidental replay will be dropped and the legit connection
will succeed.

        Erik

v2.23.0 | Report a Bug | By Email