IETF Logo Mail Archive

Re: [TLS] Record header size?

"Short, Todd" <tshort@akamai.com> Thu, 19 November 2015 12:08 UTC

Return-Path: <tshort@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C46C1ACE2D for <tls@ietfa.amsl.com>; Thu, 19 Nov 2015 04:08:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.585
X-Spam-Level:
X-Spam-Status: No, score=-2.585 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQ3We8-Du5Cs for <tls@ietfa.amsl.com>; Thu, 19 Nov 2015 04:08:08 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id 23C3C1ACE29 for <tls@ietf.org>; Thu, 19 Nov 2015 04:08:08 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 8E481433482; Thu, 19 Nov 2015 12:08:07 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 78014433401; Thu, 19 Nov 2015 12:08:07 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1447934887; bh=24DoEwmEi/uahZp4nxP6yLdDCPAzaLKA//LmnkVeg3U=; l=21771; h=From:To:CC:Date:References:In-Reply-To:From; b=Dx031rA90MNPDJsEKcLtv2KjzXCD3NN+s3h6gyn2mitZavum0wvIR+YmKoPa3ceeg Es0L5YGY05w3neD6rX5eA/PrdbOS6xWpiw2iYTWhB2eZYY54jISs48+Hh1PgGvcb+r p4781dxbBmldVG4aHgtR+BBIQI3VvrsccqYD9bZ0=
Received: from email.msg.corp.akamai.com (ecp.msg.corp.akamai.com [172.27.123.33]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 7516D203B; Thu, 19 Nov 2015 12:08:07 +0000 (GMT)
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Thu, 19 Nov 2015 04:08:06 -0800
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com ([172.27.123.105]) by usma1ex-dag1mb5.msg.corp.akamai.com ([172.27.123.105]) with mapi id 15.00.1076.000; Thu, 19 Nov 2015 07:08:06 -0500
From: "Short, Todd" <tshort@akamai.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Record header size?
Thread-Index: AQHRIUwqfC6IjHws+EWK+zLpB/KhZp6gxqoAgACMgACAAH9MgIAAxNaAgABXk4CAAAM2gIAAeywAgAAp3QA=
Date: Thu, 19 Nov 2015 12:08:06 +0000
Message-ID: <986EBDF9-AC6D-4D64-A9CA-CE49C43D5025@akamai.com>
References: <20151119093816.B6B891A382@ld9781.wdf.sap.corp>
In-Reply-To: <20151119093816.B6B891A382@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.41.126]
Content-Type: multipart/alternative; boundary="_000_986EBDF9AC6D4D64A9CACE49C43D5025akamaicom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/PQ_sH4tyle3jMvkFy3j2AA5Dkgw>
Subject: Re: [TLS] Record header size?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 12:08:10 -0000

Yes, this has to do with encrypted records. The non-encrypted handshake records are already hard enough to parse that the 5-byte header doesn’t mean much. I have worked on designs where the general-purpose processor handled the handshake and non-encrypted records, and a crypto co-processor handled the encryption.
--
-Todd Short
// tshort@akamai.com<mailto:tshort@akamai.com>
// "One if by land, two if by sea, three if by the Internet."

On Nov 19, 2015, at 4:38 AM, Martin Rex <mrex@sap.com<mailto:mrex@sap.com>> wrote:

Viktor Dukhovni wrote:
On Thu, Nov 19, 2015 at 12:05:55PM +1000, Michael Gray wrote:

With several TLS implementations it is possible to completely seperate
network communication (of the application) from the processing of
TLS records (performed by the TLS protocol stack).  For some TLS
implementations (e.g. Microsoft SChannel) this seems to be the only
possible mode of operation.

We have the same kind of IO separation and I have observed a few times that
some products either interleave/multiplex TLS records with other
application data flow or route/buffer TLS traffic based on TLS record
header checking.  Padding the header to 8 bytes, as above, would probably
be OK.

Before we seriously consider going there, we should make sure that
this really addresses the problems that the hardware vendors
reputedly have.

Is it enough to pad just the application-data records (effectively
prepend 3-nul bytes to every application data record, and think of
it as either a longer record header, or initial data padding)?  Or
do the vendors in question need alignment of the handshake packets
too?  My guess is that changing the alignment of the handshake
packets would not be as useful, and would reduce interoperability
(confuse more middle-boxes).  But this guess could be wrong.

Can anyone definitively confirm the actual requirements?


The padding issue was about inplace or hardware-based encryption/decryption
and would depends on whether the TLS record payload is encrypted (ciphertext)
or not (cleartext) -- the content type (handshake or app data) is irrelevant.
There is no need to pad cleartext TLS records (aka initial handshake
messages).

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email