Re: [TLS] Record header size?
"Short, Todd" <tshort@akamai.com> Thu, 19 November 2015 12:08 UTC
Return-Path: <tshort@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C46C1ACE2D for <tls@ietfa.amsl.com>; Thu, 19 Nov 2015 04:08:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.585
X-Spam-Level:
X-Spam-Status: No, score=-2.585 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQ3We8-Du5Cs for <tls@ietfa.amsl.com>; Thu, 19 Nov 2015 04:08:08 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id 23C3C1ACE29 for <tls@ietf.org>; Thu, 19 Nov 2015 04:08:08 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 8E481433482; Thu, 19 Nov 2015 12:08:07 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 78014433401; Thu, 19 Nov 2015 12:08:07 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1447934887; bh=24DoEwmEi/uahZp4nxP6yLdDCPAzaLKA//LmnkVeg3U=; l=21771; h=From:To:CC:Date:References:In-Reply-To:From; b=Dx031rA90MNPDJsEKcLtv2KjzXCD3NN+s3h6gyn2mitZavum0wvIR+YmKoPa3ceeg Es0L5YGY05w3neD6rX5eA/PrdbOS6xWpiw2iYTWhB2eZYY54jISs48+Hh1PgGvcb+r p4781dxbBmldVG4aHgtR+BBIQI3VvrsccqYD9bZ0=
Received: from email.msg.corp.akamai.com (ecp.msg.corp.akamai.com [172.27.123.33]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 7516D203B; Thu, 19 Nov 2015 12:08:07 +0000 (GMT)
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Thu, 19 Nov 2015 04:08:06 -0800
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com ([172.27.123.105]) by usma1ex-dag1mb5.msg.corp.akamai.com ([172.27.123.105]) with mapi id 15.00.1076.000; Thu, 19 Nov 2015 07:08:06 -0500
From: "Short, Todd" <tshort@akamai.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Record header size?
Thread-Index: AQHRIUwqfC6IjHws+EWK+zLpB/KhZp6gxqoAgACMgACAAH9MgIAAxNaAgABXk4CAAAM2gIAAeywAgAAp3QA=
Date: Thu, 19 Nov 2015 12:08:06 +0000
Message-ID: <986EBDF9-AC6D-4D64-A9CA-CE49C43D5025@akamai.com>
References: <20151119093816.B6B891A382@ld9781.wdf.sap.corp>
In-Reply-To: <20151119093816.B6B891A382@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.41.126]
Content-Type: multipart/alternative; boundary="_000_986EBDF9AC6D4D64A9CACE49C43D5025akamaicom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/PQ_sH4tyle3jMvkFy3j2AA5Dkgw>
Subject: Re: [TLS] Record header size?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 12:08:10 -0000
Yes, this has to do with encrypted records. The non-encrypted handshake records are already hard enough to parse that the 5-byte header doesn’t mean much. I have worked on designs where the general-purpose processor handled the handshake and non-encrypted records, and a crypto co-processor handled the encryption. -- -Todd Short // tshort@akamai.com<mailto:tshort@akamai.com> // "One if by land, two if by sea, three if by the Internet." On Nov 19, 2015, at 4:38 AM, Martin Rex <mrex@sap.com<mailto:mrex@sap.com>> wrote: Viktor Dukhovni wrote: On Thu, Nov 19, 2015 at 12:05:55PM +1000, Michael Gray wrote: With several TLS implementations it is possible to completely seperate network communication (of the application) from the processing of TLS records (performed by the TLS protocol stack). For some TLS implementations (e.g. Microsoft SChannel) this seems to be the only possible mode of operation. We have the same kind of IO separation and I have observed a few times that some products either interleave/multiplex TLS records with other application data flow or route/buffer TLS traffic based on TLS record header checking. Padding the header to 8 bytes, as above, would probably be OK. Before we seriously consider going there, we should make sure that this really addresses the problems that the hardware vendors reputedly have. Is it enough to pad just the application-data records (effectively prepend 3-nul bytes to every application data record, and think of it as either a longer record header, or initial data padding)? Or do the vendors in question need alignment of the handshake packets too? My guess is that changing the alignment of the handshake packets would not be as useful, and would reduce interoperability (confuse more middle-boxes). But this guess could be wrong. Can anyone definitively confirm the actual requirements? The padding issue was about inplace or hardware-based encryption/decryption and would depends on whether the TLS record payload is encrypted (ciphertext) or not (cleartext) -- the content type (handshake or app data) is irrelevant. There is no need to pad cleartext TLS records (aka initial handshake messages). -Martin _______________________________________________ TLS mailing list TLS@ietf.org<mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls
- [TLS] Record header size? Short, Todd
- Re: [TLS] Record header size? Peter Gutmann
- Re: [TLS] Record header size? Short, Todd
- Re: [TLS] Record header size? Eric Rescorla
- Re: [TLS] Record header size? Daniel Kahn Gillmor
- Re: [TLS] Record header size? Eric Rescorla
- Re: [TLS] Record header size? Short, Todd
- Re: [TLS] Record header size? Eric Rescorla
- Re: [TLS] Record header size? Short, Todd
- Re: [TLS] Record header size? Viktor Dukhovni
- Re: [TLS] Record header size? Peter Gutmann
- Re: [TLS] Record header size? Peter Gutmann
- Re: [TLS] Record header size? Yoav Nir
- Re: [TLS] Record header size? Short, Todd
- Re: [TLS] Record header size? Viktor Dukhovni
- Re: [TLS] Record header size? Short, Todd
- Re: [TLS] Record header size? Martin Rex
- Re: [TLS] Record header size? Michael Gray
- Re: [TLS] Record header size? Viktor Dukhovni
- Re: [TLS] Record header size? Peter Gutmann
- Re: [TLS] Record header size? Martin Rex
- Re: [TLS] Record header size? Short, Todd