Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-grease-03: (with COMMENT)

Mirja Kuehlewind <ietf@kuehlewind.net> Fri, 16 August 2019 07:39 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BB23120125; Fri, 16 Aug 2019 00:39:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HkyZTxGs1OSU; Fri, 16 Aug 2019 00:39:16 -0700 (PDT)
Received: from wp513.webpack.hosteurope.de (wp513.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8223::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD7E612011A; Fri, 16 Aug 2019 00:39:15 -0700 (PDT)
Received: from [129.192.10.3] (helo=[10.149.1.218]); authenticated by wp513.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1hyWpN-0003Qd-Ro; Fri, 16 Aug 2019 09:39:13 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mirja Kuehlewind <ietf@kuehlewind.net>
In-Reply-To: <CAF8qwaC7CvyrzrS=SWD9OT9Eq6BGirha2cjut5P-Wz5bz6NQAg@mail.gmail.com>
Date: Fri, 16 Aug 2019 09:39:13 +0200
Cc: Benjamin Kaduk <kaduk@mit.edu>, draft-ietf-tls-grease@ietf.org, "<tls@ietf.org>" <tls@ietf.org>, The IESG <iesg@ietf.org>, Sean Turner <sean@sn3rd.com>, tls-chairs <tls-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6BD4AC5B-BA54-4BED-8B9B-ECA298E8BF0F@kuehlewind.net>
References: <156588205271.15865.9243229289426203471.idtracker@ietfa.amsl.com> <20190815152405.GS88236@kduck.mit.edu> <44BDC996-0E18-48BE-A700-C49A101330F8@kuehlewind.net> <CAF8qwaC7CvyrzrS=SWD9OT9Eq6BGirha2cjut5P-Wz5bz6NQAg@mail.gmail.com>
To: David Benjamin <davidben@google.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-bounce-key: webpack.hosteurope.de;ietf@kuehlewind.net;1565941155;c0845f8a;
X-HE-SMSGID: 1hyWpN-0003Qd-Ro
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Res-xfN2Mvu7qSEGU1Qc9kEz2rI>
Subject: Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-grease-03: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2019 07:39:18 -0000

Hi David,

See below.

> On 15. Aug 2019, at 20:52, David Benjamin <davidben@google.com> wrote:
> 
> On Thu, Aug 15, 2019 at 11:30 AM Mirja Kuehlewind <ietf@kuehlewind.net> wrote:
> Hi Ben,
> 
> See line.
> 
> > On 15. Aug 2019, at 17:24, Benjamin Kaduk <kaduk@mit.edu> wrote:
> > 
> > On Thu, Aug 15, 2019 at 08:14:12AM -0700, Mirja Kühlewind via Datatracker wrote:
> >> Mirja Kühlewind has entered the following ballot position for
> >> draft-ietf-tls-grease-03: No Objection
> >> 
> >> When responding, please keep the subject line intact and reply to all
> >> email addresses included in the To and CC lines. (Feel free to cut this
> >> introductory paragraph, however.)
> >> 
> >> 
> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> >> for more information about IESG DISCUSS and COMMENT positions.
> >> 
> >> 
> >> The document, along with other ballot positions, can be found here:
> >> https://datatracker.ietf.org/doc/draft-ietf-tls-grease/
> >> 
> >> 
> >> 
> >> ----------------------------------------------------------------------
> >> COMMENT:
> >> ----------------------------------------------------------------------
> >> 
> >> One comment/question: I think I didn't quite understand what a client is
> >> supposed to do if the connection fails with use of greasing values...? The
> >> security considerations seems to indicate that you should not try to re-connect
> >> without use of grease but rather just fail completely...? Also should you cache
> >> the information that greasing failed maybe?
> > 
> > I'll let the authors chime in, but I think the sense of the security
> > considerations is more that we are preventing the fallback from being
> > needed "in production due to "real" negotiation failures.  Falling back on
> > GREASE failure is not as bad, provided that you follow-up with the failing
> > peer out of band to try to get it fixed.
> > I don't know how much value there would be in caching the grease-intolerate
> > status; ideally it would almost-never happen.
> 
> Okay, then I think it would be nice to say something more in the document, about fallback at least.
> 
> Ben's description is right. If deploying a new TLS feature results in too many interop failures with existing buggy servers, that feature becomes difficult to deploy and there is a lot of pressure to apply some sort of mitigation like a fallback. That's no good. GREASE's goal is to avoid the interop failures to begin with. The text was not meant to imply that you should do any sort of fallback.
> 
> What change did you have in mind? The current text says:
> 
> > Historically, when interoperability problems arise in deploying new TLS features, implementations have used a fallback retry on error with the feature disabled. This allows an active attacker to silently disable the new feature. By preventing a class of such interoperability problems, GREASE reduces the need for this kind of fallback.
> 
> That reads to me as describing historical fallbacks, rather than recommending new ones. (Indeed you shouldn't do fallbacks. Fallbacks are bad. They break downgrade protection.)

I was thinking about adding some new text somewhere else in the document that give a recommendation if you should fallback on grease and when.


>  
> > 
> >> And a note on normative language:
> >> 
> >> "Implementations sending multiple
> >>   GREASE extensions in a single block thus must ensure the same value
> >>   is not selected twice."
> >> Should this be a "MUST"?
> > 
> > I asked for this to be changed away from a "MUST" -- RFC 8466 already has
> > this prohibition on duplicated values; we're just calling it out again here
> > since randomly picking values (with replacement, which is the easy way to
> > code it) can result in collisions, that are forbidden by 8446.
> 
> Ah okay, that’s fine. Didn’t check 8446.
> > 
> >> Also this is an interesting MUST:
> >> "... MUST correctly ignore unknown values..."
> >> While this is the whole point of the document, I assume this is already
> >> normatively specified in RFC8446 and therefore it could make sense to use
> >> non-formative language here...
> > 
> > I think you are correct, but I personally do not mind the extra normative
> > force in this case.
> 
> I just found this actually particularly weird because of the “correctly”. To me it reads like “please, please finally follow normative specification we do in RFCs”… anyway… I after all don't really mind if you pick on or the other.
> 
> Mirja
> 
> 
> 
> > 
> > -Ben
> > 
> > 
>