[TLS]Re: Meta deploying -hybrid-design
Kyle Nekritz <knekritz@meta.com> Tue, 13 August 2024 15:18 UTC
From: Kyle Nekritz <knekritz@meta.com>
To: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 13 Aug 2024 15:18:23 +0000
Message-ID: <SJ2PR15MB567115DDC2730B4FBD092B88B6862@SJ2PR15MB5671.namprd15.prod.outlook.com>
In-Reply-To: <3e2bd914-a10d-4393-a116-cdb968fbc5fc@app.fastmail.com>
Subject: [TLS]Re: Meta deploying -hybrid-design
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/S6izAid8QPZVmsEe57bvmrBDa5k>
> This demonstrates a very common misconception about TCP. I know that some implementations choke if the TLS ClientHello spans multiple TCP segments such that it requires multiple reads. David Benjamin has written about this several times. It's rare though and a bad basis to make decisions on.

TCP fast open data cannot span multiple TCP segments.

-----Original Message-----
From: Martin Thomson <mt@lowentropy.net>
Sent: Tuesday, August 13, 2024 8:37 AM
To: tls@ietf.org
Subject: [TLS]Re: Meta deploying -hybrid-design

On Mon, Aug 12, 2024, at 17:49, Deirdre Connolly wrote:
>> In the future, an increase in MTU, or utilizing QUIC, which allows for multiple initial packets, may allow for larger ClientHellos without an additional round trip.

This demonstrates a very common misconception about TCP. I know that some implementations choke if the TLS ClientHello spans multiple TCP segments such that it requires multiple reads. David Benjamin has written about this several times. It's rare though and a bad basis to make decisions on.

>> To address this, we had the client split each service into different TLS session scopes – one using classical key exchange, and one using hybrid key exchange. Each session scope thus uses only one named group each, avoiding the keyshare thrashing behavior described above. The tradeoff is space consumption due to having to store more session tickets, but this has been acceptable given the small size of each session ticket (a few hundred bytes).

This smells proprietary.
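The failure mode Martin describes (a ClientHello that spans multiple TCP segments and therefore needs multiple reads) comes down to how a receiver frames TLS records. The Python below is an added example, not code from this thread or from any implementation discussed in it. It builds a zero-filled handshake record of a chosen size, splits it the way a 1460-byte MSS would, and contrasts a single-read parser that fails on the larger record with a reassembling record reader that handles any split, including two records coalesced into one read. The record layout (5-byte header, 2^14-byte fragment limit) follows RFC 8446 section 5.1; the MSS value, the record sizes and the payload bytes are constructed sample values.

```python
import struct

TLS_HANDSHAKE = 0x16
RECORD_HEADER_LEN = 5          # ContentType(1) + legacy_record_version(2) + length(2)
MAX_PLAINTEXT_LEN = 2 ** 14    # RFC 8446 5.1: TLSPlaintext.fragment length limit


def build_record(content_type: int, body: bytes, legacy_version: int = 0x0301) -> bytes:
    """Frame `body` as one TLS record: 5-byte header followed by the fragment."""
    return struct.pack("!BHH", content_type, legacy_version, len(body)) + body


class RecordReader:
    """Accumulate bytes from any number of reads and emit only complete records.

    A large record (a hybrid ClientHello, for instance) may arrive across several
    TCP segments and so across several read() calls; the reader keeps partial
    data and never assumes one read holds a whole record.
    """

    def __init__(self):
        self._buf = bytearray()
        self.reads = 0

    def feed(self, chunk: bytes):
        """Append one read's worth of bytes; return every complete record now available."""
        self.reads += 1
        self._buf += chunk
        out = []
        while len(self._buf) >= RECORD_HEADER_LEN:
            ctype, _version, length = struct.unpack("!BHH", self._buf[:RECORD_HEADER_LEN])
            if length > MAX_PLAINTEXT_LEN:
                # RFC 8446 5.1: oversized fragment is a record_overflow alert condition
                raise ValueError(f"record_overflow: fragment length {length} > {MAX_PLAINTEXT_LEN}")
            total = RECORD_HEADER_LEN + length
            if len(self._buf) < total:
                break  # partial record: wait for the next segment
            out.append((ctype, bytes(self._buf[RECORD_HEADER_LEN:total])))
            del self._buf[:total]
        return out


def naive_read(chunk: bytes):
    """The fragile pattern: treat the first read as the entire record."""
    ctype, _version, length = struct.unpack("!BHH", chunk[:RECORD_HEADER_LEN])
    body = chunk[RECORD_HEADER_LEN:]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    return ctype, body


def deliver_in_segments(data: bytes, mss: int):
    """Constructed, simplified TCP segmentation: fixed-size slices of the byte stream."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def demo(body_len: int = 1700, mss: int = 1460):
    """Send one handshake record of `body_len` bytes over `mss`-sized segments.

    Returns how many segments were needed, how many records the reassembling
    reader produced, the reassembled body length, and whether the single-read
    parser succeeded on the first segment alone.
    """
    # Handshake header (msg_type=client_hello, 3-byte length) + zero-filled placeholder body.
    body = bytes([0x01]) + (body_len - 4).to_bytes(3, "big") + bytes(body_len - 4)
    record = build_record(TLS_HANDSHAKE, body)
    segments = deliver_in_segments(record, mss)

    reader = RecordReader()
    records = []
    for seg in segments:
        records.extend(reader.feed(seg))

    try:
        naive_read(segments[0])
        naive_ok = True
    except ValueError:
        naive_ok = False

    return {
        "segments": len(segments),
        "records": len(records),
        "body_len": len(records[0][1]) if records else 0,
        "naive_ok": naive_ok,
    }


if __name__ == "__main__":
    print("large ClientHello:", demo())
    print("small ClientHello:", demo(body_len=300))
```

A 1700-byte record does not fit in a single 1460-byte segment, so the single-read parser sees a truncated body while the reassembling reader returns the full record after the second read; a 300-byte record fits in one segment and both approaches agree, which is why the bug only surfaces once ClientHellos grow.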