On Wed, Jul 27, 2016 at 6:11 AM Hubert Kario <hkario@redhat.com> wrote:

On Tuesday, 26 July 2016 16:27:32 CEST Brian Smith wrote:

> Hubert Kario <hkario@redhat.com> wrote:

> > TLS 1.3                        170      3.8742
> > TLS 1.4                        183      4.1705
> >
> > size e/1356                     10      0.2279
> > size e/1356 c/1356               5      0.1139
> > size e/1356 c/1357               5      0.1139
> > size e/2046                      1      0.0228
> > size e/2046 c/1979               1      0.0228
> > size e/2049                      4      0.0912
> > size e/2049 c/1153               1      0.0228
> > size e/2049 c/2049               2      0.0456
> > size e/2049 c/2050               1      0.0228
> > size e/2053                      1      0.0228
> > size e/2053 c/555                1      0.0228

>

> When we consider the most reasonable (initial) ClientHello sizes, it
> seems that the ClientHello version number intolerance is a much more
> significant problem than size intolerance, if I'm understanding your
> numbers correctly.

you've missed one more number:

> > Of those, 45 (1.03%) could not be connected to (did not receive a Server
> > Hello/.../Server Hello Done reply) with the "Very Compatible" client hello

so while TLS1.3 intolerance is a bigger problem, it's a bigger problem by a
factor of two or three (depending what sizes you consider problematic), not by
an order of magnitude

And given that the "best"[1] key share for post quantum crypto now is 1824
bytes in size, going above 2048 bytes for client hellos on first connect is
not unreasonable. That is *if* rlwe with those parameters turns out to be good
enough and we won't need something even larger.

 1 - https://www.imperialviolet.org/2015/12/24/rlwe.html

While we will indeed someday need to deal with that problem, it is still a ways out. Even with no intolerance of any kind, I do not expect any reasonable client to be willing to waste that much bandwidth on a key share that the vast majority of servers will not use. (HelloRetryRequest exists, so there is no need to predict all groups.)

Checking numbers from Chrome, the overwhelming majority of today's ECDHE[*] servers select P-256, though one can expect X25519 to start coming up. (Google servers select it today, and I believe OpenSSL 1.1.0 is expected to as well. Probably others too.) With no prior knowledge, those two groups seem by far the most reasonable to send in an initial ClientHello. ~~For reference, our in-progress TLS 1.3 implementation in Chrome does this with a 517-byte ClientHello, of which 186 bytes are the padding to bring it up to 5 + 512.~~

With prior knowledge, of course, many things are possible. Perhaps a client will remember the group a server used last time (or use the ServerHello.supported_groups extension) and, if we believe the server prefers an unpredicted group, even if much much larger, predict that one. With prior knowledge, endpoint intolerance is less of a concern.

David

[*] Negotiated FFDHE exists in TLS 1.3 and server-fiat DHE in TLS 1.2, but this is irrelevant as those two are totally different animals anyway. All they have in common is the last three letters.
