Re: [TLS] Encryption of TLS 1.3 content type

Yoav Nir <ynir.ietf@gmail.com> Fri, 25 July 2014 20:57 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FCA11A0252 for <tls@ietfa.amsl.com>; Fri, 25 Jul 2014 13:57:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.23
X-Spam-Level:
X-Spam-Status: No, score=-1.23 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C2HxpIPVCcTG for <tls@ietfa.amsl.com>; Fri, 25 Jul 2014 13:57:40 -0700 (PDT)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7577F1A024E for <tls@ietf.org>; Fri, 25 Jul 2014 13:57:40 -0700 (PDT)
Received: by mail-ig0-f176.google.com with SMTP id hn18so1368186igb.9 for <tls@ietf.org>; Fri, 25 Jul 2014 13:57:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=0SIadBXYRONu1tIxk/noGULawT2GrzlnZWHtRhz4W7g=; b=XauyLmqaDAQfqn9akgD61Iw3DoE+Ci/uspgfPGZ6LJe/UMtGy9XgUXQE7UgFLstDkF FFELYDK/VgBil62eAQtPc38e7xg9IS2M8/iXEJoXVNkctZ4tbNAHrwIVJoyU0dLqiEFY UJ6sHEYgN41HgoavTQP64AKayPjgebmP6bOs3lxPZp90LZCreB9AjSkUVn6FH8IvXthq dYYKTb2nq20jyM45A5NQKNt4rLbtJTke9RfEdM8KgX01y/+/J+ThYFCrMyjrjw3GT0T4 3AmDLsNqP7jWuHNGpbgQPWI1oqsI7a56OiEqEJxelbWQJIO7S9wyPIJ+e9Xnd1uy7TgI mj+A==
X-Received: by 10.42.47.140 with SMTP id o12mr2404413icf.4.1406321859709; Fri, 25 Jul 2014 13:57:39 -0700 (PDT)
Received: from [10.205.142.219] ([209.226.201.241]) by mx.google.com with ESMTPSA id n10sm7901709igv.21.2014.07.25.13.57.37 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Jul 2014 13:57:38 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <DD255E31-FA87-40CE-AF13-0F43A7DD54CF@cisco.com>
Date: Fri, 25 Jul 2014 16:57:35 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <578C0CCE-DD3C-41B9-A8D7-19D5B799F643@gmail.com>
References: <DD255E31-FA87-40CE-AF13-0F43A7DD54CF@cisco.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/N3skB7VbwCBZRDu_u_xQE-ggdYw
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Encryption of TLS 1.3 content type
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jul 2014 20:57:41 -0000

Hi.

I believe that changing the 5-byte record header will cause us trouble. Passive IDS/IPS devices follow TLS streams to detect certain attacks. They will cut connections. I also believe that it is impossible to “run some tests” because there are literally dozens of different such middleboxes, with multiple software/firmware versions available for each type.

I therefore support leaving the 5-byte header as it is, fixing the ContentType value to 23 for all encrypted records, and having another contentType byte within the encrypted record.

Yoav

On Jul 25, 2014, at 1:37 PM, Joseph Salowey (jsalowey) <jsalowey@cisco.com> wrote:

> At the interim meeting on July 20, 2014 there was general consensus to support the encryption of TLS 1.3 content type.  The favored approach was to remove the content type and version from the TLS record layer header and add the content type to the encrypted data.   The proposal is to update the draft to document this approach and try to run some tests to see if this causes much grief with middle boxes.  If you object to this proposal please respond to the list by Friday, August 01, 2014.  
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls