IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Matt Caswell <frodo@baggins.org> Fri, 13 October 2017 13:15 UTC

Return-Path: <frodo@baggins.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32F4313295C for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 06:15:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6EFHZLXCzE7y for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 06:15:06 -0700 (PDT)
Received: from mx496502.smtp-engine.com (mx496502.smtp-engine.com [IPv6:2001:8d8:968:7d00::19:7e53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8736313207A for <tls@ietf.org>; Fri, 13 Oct 2017 06:15:06 -0700 (PDT)
Received: from mail-it0-f50.google.com (mail-it0-f50.google.com [209.85.214.50]) by mx496502.smtp-engine.com (Postfix) with ESMTPSA id 8F1031679 for <tls@ietf.org>; Fri, 13 Oct 2017 14:15:04 +0100 (BST)
Received: by mail-it0-f50.google.com with SMTP id l196so10517653itl.4 for <tls@ietf.org>; Fri, 13 Oct 2017 06:15:04 -0700 (PDT)
X-Gm-Message-State: AMCzsaWIP7XM4PFbIdGLONFGRYcDPRlUioun6ZtBQ/yltsx2cCY2ynL/ zVs/GCBTn/LNm8M4bDwVEUWfJzQUOkoueSmE5qA=
X-Google-Smtp-Source: ABhQp+RcT1F/2t563QhXoLURMXfonWjN/gpDYzO97OkIue0gonJdHDJXxCit7PSGefMRfnDYXMH9cjv8ojpM0METP8Y=
X-Received: by 10.36.206.65 with SMTP id v62mr535949itg.104.1507900503004; Fri, 13 Oct 2017 06:15:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.44.200 with HTTP; Fri, 13 Oct 2017 06:15:02 -0700 (PDT)
In-Reply-To: <B286EFDE-24D3-4B50-A0DE-1A87563A962E@nokia.com>
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com> <B286EFDE-24D3-4B50-A0DE-1A87563A962E@nokia.com>
From: Matt Caswell <frodo@baggins.org>
Date: Fri, 13 Oct 2017 14:15:02 +0100
X-Gmail-Original-Message-ID: <CAMoSCWap6hRk6RPzBZuLgG=5_9EwY2Fb3NKw2JvHLM1PSrc67g@mail.gmail.com>
Message-ID: <CAMoSCWap6hRk6RPzBZuLgG=5_9EwY2Fb3NKw2JvHLM1PSrc67g@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RD9Vuq9llSFvFZSPUVprZMZIrVw>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2017 13:15:08 -0000

On 13 October 2017 at 07:31, Fossati, Thomas (Nokia - GB/Cambridge,
UK) <thomas.fossati@nokia.com> wrote:
> To solve this, we'd need a place in the wire image of the record with
> semantics: "I'm carrying a CID."
>
> In 1.2, we could use CT or version.  (In 1.3, that would not be possible
> because the diet header doesn't have them - too bad.)  To me it'd make
> slightly more sense to use the version. (I had previous discussions on this
> topic with Nikos and he told me that though anyconnect does this version
> override for some reasons, there is no reported conflict with middle-boxes.)
> Also, there would be only one code-point to allocate, instead of separate
> code-points for each CID-enabled content type variant.  I'm happy to be
> convinced of the opposite, though.

Recently I met with Yin Xinxing and we have had much the same
conversation about what a Connection ID draft would need to do, and
how we could detect its use on the wire. Mechanisms we talked about
included setting something in the "length" field, using ContentType or
using version. IMO using "length" is just horrible. I'm also not keen
on version - it further complicates the "is this version greater than,
equal to, or less than this other version" question. It's already
slightly complicated in code that implements both TLS and DTLS due to
DTLS versions being high and decrementing for a new version. I foresee
lots of subtle bugs and problems from reusing "version". In my mind
ContentType is the way to go.


> I guess my main point here is to make sure we do as much as we can to allow
> simple, efficient, robust implementations, which are also, en passant,
> Wireshark-friendly, and leave heuristics-based approaches only for when
> there is no real alternative.

I fully agree here! It does occur to me that we could go further along
that road by swapping the order of the "length" and "cid" fields in
the new record header format, so that the new fields appear at the
end. Middlebox/wireshark code would then still be able to interpret it
because the beginning of the header is identical. The length would be
wrong of course (too short by cid_length bytes), but it would still be
parseable. That could be fixed (by adding the cid_length to the
payload length) but I'm not sure if its worth it.

Matt

v2.23.0 | Report a Bug | By Email