IETF Logo Mail Archive

[TLS] Alert type for connection limit or server busy?

Chris Newman <chris.newman@oracle.com> Tue, 01 April 2014 19:35 UTC

Return-Path: <chris.newman@oracle.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D59431A09AD for <tls@ietfa.amsl.com>; Tue, 1 Apr 2014 12:35:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kLlBPgOAHsXU for <tls@ietfa.amsl.com>; Tue, 1 Apr 2014 12:35:43 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 937B91A06BC for <tls@ietf.org>; Tue, 1 Apr 2014 12:35:43 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s31JZdCA007237 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <tls@ietf.org>; Tue, 1 Apr 2014 19:35:39 GMT
Received: from gotmail.us.oracle.com (gotmail.us.oracle.com [10.133.152.174]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s31JZdR1029287 for <tls@ietf.org>; Tue, 1 Apr 2014 19:35:39 GMT
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-disposition: inline
Content-type: text/plain; CHARSET="US-ASCII"
Received: from [10.145.239.205] (dhcp-whq-twvpn-1-vpnpool-10-159-156-15.vpn.oracle.com [10.159.156.15]) by gotmail.us.oracle.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built Jan 22 2014)) with ESMTPA id <0N3D00G1JAFD2C00@gotmail.us.oracle.com> for tls@ietf.org; Tue, 01 Apr 2014 12:35:38 -0700 (PDT)
Date: Tue, 01 Apr 2014 12:35:38 -0700
From: Chris Newman <chris.newman@oracle.com>
To: tls@ietf.org
Message-id: <EBC54843816A0E9AD64C880F@96B2F16665FF96BAE59E9B90>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/M3voNUOek5o6RguVlpeD9tROwNA
Subject: [TLS] Alert type for connection limit or server busy?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Apr 2014 19:35:45 -0000

Is there a TLS Alert type that can be used by a TLS server to reject a TLS
client connection based on a per-IP-address connection limit?

The idea would be to have the server reject the connection before spending
cycles on the TLS negotiation. But it's important to inform the client why the
connection is rejected in order to reduce the number and severity of support
calls that might be generated by such a limit if the connections were silently
dropped.

Another case that's interesting is when the server is temporarily overloaded
and wants to reserve CPU cycles for existing connections rather than spending
cycles accepting new connections. Again, it's desirable to indicate to the
client the cause of this connection failure in an attempt to reduce the number
and severity of support calls and also desirable not to spend unnecessary
server time on the TLS negotiation.

With the STARTTLS model, applications could just reject at the banner with a
text error message. But with the separate-port-for-TLS model, this needs to be
done in the TLS layer.

I didn't see appropriate alerts in RFC 5246 section 7.2.

Could alerts for these two cases be added as an extension or a TLS 1.3 feature?

		- Chris

v2.23.0 | Report a Bug | By Email