Re: [TLS] ESNIKeys over complex

Eric Rescorla <ekr@rtfm.com> Wed, 21 November 2018 04:06 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70ECF130E7A for <tls@ietfa.amsl.com>; Tue, 20 Nov 2018 20:06:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lTzq962wHsRw for <tls@ietfa.amsl.com>; Tue, 20 Nov 2018 20:06:40 -0800 (PST)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81423130DE4 for <tls@ietf.org>; Tue, 20 Nov 2018 20:06:40 -0800 (PST)
Received: by mail-lf1-x12d.google.com with SMTP id l10so2936091lfh.9 for <tls@ietf.org>; Tue, 20 Nov 2018 20:06:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DhhCeC9hR58qjEEU1PQiMdOTtSAtDEifvfFz8CmLyF0=; b=HNpJbVLZCU8J9e/uPiKiVhj9Rt6R6I1Vuqe8mKdt+npHZqGM+TxNwr+EVDju2T5fsN mh2u1P7bCgrLDB40Y7nY1WgdHNPv6c+PCjdf32aekYWUbbXaCGri5rsvVM/TNOCCNEf+ OLWr0JqfH18lhpWNokLAwwO6Z1fz9hxGSQDG7gQGOYv37pb7m7bzHZevuMiDilk3S/IV rGamIjHqbv6vC3ej77SmSPg1ypW2Xa6hAE/U3TBXQXZ5st6M1vyIoxh2Li6JoX4Ecr5q mAjGhApM3UNZT60OTHP0wt77kgkE1jE0V25BrfRFlKXKyhTP2QsFtuD39ZhgGW6u6UAO XtuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DhhCeC9hR58qjEEU1PQiMdOTtSAtDEifvfFz8CmLyF0=; b=EQfZTlffdCSJrqH3JkUzQJuKqWUTOAX0NpSkPcxMyiXk7DzXiTaXw9Zqps3Civgcjr rMPFkNLgAZq1d82Maomi8/duSDUWOqG621O8SkvGC7S3wZmc+rNbIIy6MOYaH9Zz+1gv Usbq6xUt30t42+U36ZuEEgbgQ+dyEZcIf1QWzNUF/o9ovIXC/8x8pA2gPeIrD3X6zm4y x8mT2l7ZJMDsKZAhESJBVDayBp8qcA4Bir2GqP4f61uJjnro/Qyw5+H16h6iEHEE+I4r yQU5vagcIj4z1R2DkFOOMS1zUY1gr9iKxWDqvqWtjXeuJBQTJV0+wONNlgDyUDHYZQxq zVOA==
X-Gm-Message-State: AGRZ1gK5SbyFw1/CRQ/PF3CE8ULeREQaTHbI9OrJEvxQh9q8u0YW2EFm 17gUKsvr9rFFhiuokBpgJbO6tDmQYaqKnqx2Y93LOA==
X-Google-Smtp-Source: AJdET5e6bHKMWLKpKi9j3wJ1z4ZK7kOtoACrIh77b12SBJhGGuuPkPXGoEp6cfugKcsZ+l99mM/HNvCuOxexG8iqmEw=
X-Received: by 2002:a19:54d7:: with SMTP id b84mr2508541lfl.131.1542773198615; Tue, 20 Nov 2018 20:06:38 -0800 (PST)
MIME-Version: 1.0
References: <797cd94d-b5be-24fd-923c-53b614cbc2c5@cs.tcd.ie> <CABcZeBMNqkepLzdoPFV7UTuKUqPU6_AJjU7iMnUhDpdK6qr6RA@mail.gmail.com> <70290643-cf98-44de-ca6e-2cae4584d750@cs.tcd.ie> <CABcZeBOp+auFAwc7_+DjEy0JJbvqzs-1Z30h-tFveesm9gwHEg@mail.gmail.com> <8546c227-a5e1-e17b-edce-ca173c8cfa81@cs.tcd.ie> <99AAA0DC-8C1C-451D-9F41-5BF1744EB6EF@akamai.com> <CABcZeBPvEAFZ6mn2-DmBygti2SkGmVThkL45Dk49DrZ9x9Ja_g@mail.gmail.com> <1E8AA9CB-3BCE-45EF-A454-74D547E80397@akamai.com>
In-Reply-To: <1E8AA9CB-3BCE-45EF-A454-74D547E80397@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 20 Nov 2018 20:06:01 -0800
Message-ID: <CABcZeBNVW3am4XQd2SB-TgwDdfXu932rdXTyTVR=H6Et3ne4mA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000790b23057b24e0af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Mz6E5sBj69zhcB6VEv_L_8mkMDY>
Subject: Re: [TLS] ESNIKeys over complex
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 04:06:42 -0000

On Tue, Nov 20, 2018 at 7:40 PM Salz, Rich <rsalz@akamai.com>; wrote:

>
>    - No, I don't think so. The server might choose to not support one of
>    the TLS 1.3 ciphers, for instance. And even if that weren't true, how would
>    we add new ciphers?
>
>
>
> Standard TLS negotiation. I don’t see that we need to specify ciphers at
> the DNS layer. A client with new ciphers will add it in the hello message
> and the server will pick one it supports.  It seems complex and fragile
> (keeping the server cipher config, not just the fronted hosts, in sync with
> DNS).
>

I'm sorry, I'm not quite following. In this draft, ESNI ciphers are
orthogonal to the ciphers used to encrypt the TLS records.This is perhaps
easier to see in a split configuration, where (for instance) the
client-facing server might support only AES-128-GCM and the back-end server
might support only ChaCha/Poly1305. As you say, the negotiation works well
for the TLS records, but that doesn't influence the ESNI encryption cipher
suite selection (because that happens before the Hello exchange). So, if we
don't provide a list of the ESNI ciphers in the ESNIKeys record, then we
are effectively creating a fixed list.

Am I missing something here?

-Ekr


>