Re: [TLS] Impact of draft-ietf-mptcp-api on TLS
Geoffrey Keating <geoffk@geoffk.org> Wed, 28 November 2012 19:52 UTC
Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 290F621F8853 for <tls@ietfa.amsl.com>; Wed, 28 Nov 2012 11:52:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NORMAL_HTTP_TO_IP=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2JfNH8ufHUx for <tls@ietfa.amsl.com>; Wed, 28 Nov 2012 11:52:33 -0800 (PST)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.118.138]) by ietfa.amsl.com (Postfix) with ESMTP id A2CFC21F84E1 for <tls@ietf.org>; Wed, 28 Nov 2012 11:52:33 -0800 (PST)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 2DDDF33D04B; Wed, 28 Nov 2012 19:52:32 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <20121128153650.7A2971A3BD@ld9781.wdf.sap.corp> <50B6333C.50606@cs.tcd.ie>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Wed, 28 Nov 2012 11:52:31 -0800
In-Reply-To: <50B6333C.50606@cs.tcd.ie>
Message-ID: <m2624ptshs.fsf@localhost.localdomain>
Lines: 44
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: Florian Weimer <fweimer@redhat.com>, tls@ietf.org
Subject: Re: [TLS] Impact of draft-ietf-mptcp-api on TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2012 19:52:34 -0000
Stephen Farrell <stephen.farrell@cs.tcd.ie> writes: > Hi Martin, > > We're trying to figure out if the mptcp API document needs > to say anything about tls, and if so, what. And I'd like > to do that so mptcp doesn't have to fall back to just tcp > for all cases where you need tls, if that's ok, so that > mptcp has a chance to get used. (I figure its hard enough > being a new transport these days, but being a new transport > that is useless under TLS seems like a bit of a killer.) > On 11/28/2012 03:36 PM, Martin Rex wrote: > > The IP-address > > that the socket shows after connection establishment is > > completely irrelevant to the security of TLS, even when > > Server-Certificates with IP-Addresses in the SubjectAltName > > are used for server endpoint identification according to > > rfc2818 section 3.1. > > Well, 2818 is just http/tls/tcp and the context here is > anything/tls/mptcp so I'm not sure that solves the problem > of what to say. > > I think its true that there's no security issue, but there > might be an interop issue, if different folks implement > tls/mptcp differently. If the tls code just uses the normal > socket api then there's nothing to say, but it won't get > the benefit of mptcp. If the tls code uses the basic api > then it can see which subflows are being used and different > folks might do different comparisons to the certs used. Maybe a related example will help: suppose the user is trying to connect to https://198.51.100.3. There is an HTTP proxy configured, so what the browser actually does is make a TCP connection to 192.0.2.99, send 'CONNECT https://198.51.100.3', and then start the SSL negotiation. The certificate still has to mention 198.51.100.3, and doesn't have to mention 192.0.2.99. So, in MPTCP, if the user asks for mphttps://198.51.100.3 (or whatever), then 198.51.100.3 is the address that has to appear in the certificate, even if the connection is redirected to some other endpoint, even if the redirection happens before any data is actually sent on the connection.
- [TLS] Impact of draft-ietf-mptcp-api on TLS Sean Turner
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Sean Turner
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Martin Rex
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Geoffrey Keating
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Peter Saint-Andre
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Martin Rex
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Geoffrey Keating
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer