IETF Logo Mail Archive

[TLS] Record header size?

"Short, Todd" <tshort@akamai.com> Tue, 17 November 2015 15:25 UTC

Return-Path: <tshort@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DFEA1A90F3 for <tls@ietfa.amsl.com>; Tue, 17 Nov 2015 07:25:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.985
X-Spam-Level:
X-Spam-Status: No, score=-1.985 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, J_CHICKENPOX_84=0.6, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gnyD54eDa7XH for <tls@ietfa.amsl.com>; Tue, 17 Nov 2015 07:25:20 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id 7A5401A90FC for <tls@ietf.org>; Tue, 17 Nov 2015 07:25:20 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 88E9C4334A0 for <tls@ietf.org>; Tue, 17 Nov 2015 15:25:19 +0000 (GMT)
Received: from prod-mail-relay11.akamai.com (prod-mail-relay11.akamai.com [172.27.118.250]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 7178D433469 for <tls@ietf.org>; Tue, 17 Nov 2015 15:25:19 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1447773919; bh=Ej9Si54kK7Acb8W+vUwivw9IhMWie6WfGCmkjxBtSKw=; l=7672; h=From:To:Date:From; b=mvRsTrKpYwW2d/SyC/b+8orlPXe02Bvq6R6JDISxYylLwCYp/gKNtPKAgIya0IVH2 sdThRKUym2RXUTBa34hHn0i0rAMocKKHvfjtul+/QW3Qe0cXbmg39do6kUPuZvUyBM MZ5U2X+00WyncyZl91VqnSiWl837740kb2KPosOM=
Received: from email.msg.corp.akamai.com (ecp.msg.corp.akamai.com [172.27.123.34]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id 6D9CA202F for <tls@ietf.org>; Tue, 17 Nov 2015 15:25:19 +0000 (GMT)
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb2.msg.corp.akamai.com (172.27.123.102) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 17 Nov 2015 10:25:19 -0500
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com ([172.27.123.105]) by usma1ex-dag1mb5.msg.corp.akamai.com ([172.27.123.105]) with mapi id 15.00.1076.000; Tue, 17 Nov 2015 10:25:19 -0500
From: "Short, Todd" <tshort@akamai.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Record header size?
Thread-Index: AQHRIUwqo2PzkmG0m02LaFyKO+3dUw==
Date: Tue, 17 Nov 2015 15:25:18 +0000
Message-ID: <C5F506DC-F814-4C0B-AFAA-86CF790817A7@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.42.131]
Content-Type: multipart/alternative; boundary="_000_C5F506DCF8144C0BAFAA86CF790817A7akamaicom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NBiAsPaPb57BwkcKfGr963mYYQ0>
Subject: [TLS] Record header size?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 15:25:25 -0000

Apologies if this has been brought up before.

Has there been any consideration to changing the record header for encrypted traffic to be 4 bytes (i.e. 32-bits)? 5 bytes is a very awkward size, and some processors do not handle odd byte offsets well (it was a complaint I heard from Cisco router/switch engineers).

The latest TLS1.3 draft indicates that the record_version is deprecated and must be ignored. If TLSv1.3 is negotiated, then I propose that the record_version value must be { 4 } for encrypted records, making the version field is a single byte, such that the length of the record_header is reduced to 4 bytes.

Alternatively, a TLS extension could be added to negotiate the size of the record_header.

Yes, this creates a serious backwards compatibility issue, but if the record_version field is deprecated, then perhaps a change to the record_header could be made.

Thus:

   struct {
       uint8 major;
       uint8 minor;
   } ProtocolVersion;

   struct {
       ContentType type;
       ProtocolVersion record_version = { 3, 1 };    /* TLS v1.x */
       uint16 length;
       opaque fragment[TLSPlaintext.length];
   } TLSPlaintext;

   struct {
       ContentType opaque_type = application_data(23); /* see fragment.type */
       uint8 record_version = { 4 };    /* TLS v1.3 4-byte record header */
       uint16 length;
       aead-ciphered struct {
          opaque content[TLSPlaintext.length];
          ContentType type;
          uint8 zeros[length_of_padding];
       } fragment;
   } TLSCiphertext;

--
-Todd Short
// tshort@akamai.com<mailto:tshort@akamai.com>
// "One if by land, two if by sea, three if by the Internet."

v2.23.0 | Report a Bug | By Email