Re: [TLS] PR#1091: Changes to provide middlebox robustness

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 22 November 2017 19:22 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40B84129B77 for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 11:22:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sVqUUFS47ZQh for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 11:22:26 -0800 (PST)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0108.outbound.protection.outlook.com [104.47.34.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF8591296C9 for <tls@ietf.org>; Wed, 22 Nov 2017 11:22:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=YZssHoEZ9D/GLDVW+Hnm+qnDL2Rd4JO5XN4rwGR2SlY=; b=GAaIOtWpwJQ9xIB01u0lvtll0HFg4YujFlA3lKeeyFJ+apFK2Y+al60WRs1h0EEGeKgfcH5FZ8AOQ8PhmAaRDsaEeF3rUef8wiwpDadOtQs/PrMpCI0+XNCec6yQcwDkwYahFBnVnC7SXrSsy1kkuif6u9KJJSIa0l3VB6hBavQ=
Received: from CY4PR21MB0120.namprd21.prod.outlook.com (10.173.189.14) by CY4PR21MB0469.namprd21.prod.outlook.com (10.172.121.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.282.3; Wed, 22 Nov 2017 19:22:24 +0000
Received: from CY4PR21MB0120.namprd21.prod.outlook.com ([10.173.189.14]) by CY4PR21MB0120.namprd21.prod.outlook.com ([10.173.189.14]) with mapi id 15.20.0260.003; Wed, 22 Nov 2017 19:22:24 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Yuhong Bao <yuhongbao_386@hotmail.com>, Peter Saint-Andre <stpeter@stpeter.im>, Eric Rescorla <ekr@rtfm.com>
CC: "tls@ietf.org" <tls@ietf.org>, Tapio Sokura <tapio.sokura@iki.fi>
Thread-Topic: [TLS] PR#1091: Changes to provide middlebox robustness
Thread-Index: AQHTVyvnGkBu16gvEUib9Q78H5YjdqMfyD2AgACtp4CAAFEuAIAABigAgAAAdoCAAAzmgIAAAHeAgAAAU5A=
Date: Wed, 22 Nov 2017 19:22:23 +0000
Message-ID: <CY4PR21MB0120491DD143B64AAFFCF84D8C200@CY4PR21MB0120.namprd21.prod.outlook.com>
References: <CABcZeBNm4bEMx0L6Kx-v7R+Tog9WLXxQLwTwjutapRWWW_x9+w@mail.gmail.com> <389abe54-41d3-30e9-4cca-caa8b1469ae7@iki.fi> <CAF8qwaC8bJhKoZBraoqM9qTStQxAkouV5=qXXurX8yPMDppV3A@mail.gmail.com> <MWHPR1801MB206198CC227AB64BEBFC92E6C3200@MWHPR1801MB2061.namprd18.prod.outlook.com> <CABcZeBNbBqFddrHrnGNAqCm0M3p7=waWwSX6PJPAcw2jjfKNvA@mail.gmail.com> <MWHPR1801MB206196E1CEF6FD868F15DFADC3200@MWHPR1801MB2061.namprd18.prod.outlook.com>, <f9afe56e-2ef5-4c59-f6dc-0788ed4773db@stpeter.im> <MWHPR1801MB20618683F0167A821EAA1A73C3200@MWHPR1801MB2061.namprd18.prod.outlook.com>
In-Reply-To: <MWHPR1801MB20618683F0167A821EAA1A73C3200@MWHPR1801MB2061.namprd18.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:3::4ca]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0469; 6:5zohZ+rB/PhRXLWF2tKcVlY4k1u8FLd0EvCUaC2BJR1J/h1g3pcEHZ8fNxYdiQky4Zt1o5LM+RVcJacGzooWKVLEJJtbVKn/X35nwVc69jHXrouyEXiXVLxXZNUl9t8HPNHOV1DKtC8wNbs4Xjz5Tl/rkaQxys/P0LmKJUTFBS5smR6TpIQSQHo9jpB8ATvsWEH3rTNGze5e84WE8u+1RaLvL7OJRo3S6Q0XfD6Eai0u4/5a9H3uVuacg0wg19xs/2z5TPLsSvUPgXvmNbuOxWrWhRn0j1W2Q42LMsCd9oElx802ZV6gHWyxlQxRSmUfRJtF/mm+Aj/o4elx1kDYbcN9zNbzViWWjtab9Oujvew=; 5:X1/zN5uanZa1C1r4g1wiNDs+316GvmajFHms3+fDknFB/iLfgAi0sfp2dnzFleHrSeguEWMP7KdsV3dTZyIdDZtbWh7EM1EULrEf0Ak1mTcOrxQ45Z0EfUEWMeFuIqDXzreOR+lBW2OiWntK5D0GLeNSCvLdfQ05PlbCAkGrXpo=; 24:QPb3fO7sclKdFiooEACTaz0zrh4WENt3lTUAxVd6jI26Ev8bRorAnJWUjnZnHdQrOsQv0kV+zarQRJqXAm35z4SKK2Y8Qjl97eRkaBZyq2U=; 7:tIu92IQaeMTYRTXidGJneMXVwKgzM6E2nB4WrtP4TWtOh6kW7H0WebaQKpI3HQOlumCm4Hq8TDKifCsnzsbM9A1hMaVsPCUsLP0imgL9FAVyFh0O/5vlI2jkOMswxrmvONNvOW5wDnnVGiDtppi1VAM997l7Pi0NwWfeNEz84c1XqTduRWMnV83ssHdbquPtEqzVAAzdFrxWBFe7NsdTFC7HifaqcXJFJ6GMLl4mntWWKepEqCCQxjcs1z6AzXIm
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 189892c3-69f6-484f-5c27-08d531de5c2b
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(48565401081)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(5600022)(4604075)(2017052603258); SRVR:CY4PR21MB0469;
x-ms-traffictypediagnostic: CY4PR21MB0469:
x-microsoft-antispam-prvs: <CY4PR21MB046969CC911B139A650361D48C200@CY4PR21MB0469.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(189930954265078)(219752817060721);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(61425038)(6040450)(2401047)(5005006)(8121501046)(10201501046)(3231022)(100000703101)(100105400095)(3002001)(93006095)(93001095)(6055026)(61426038)(61427038)(6041248)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123555025)(20161123558100)(20161123560025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR21MB0469; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR21MB0469;
x-forefront-prvs: 0499DAF22A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(346002)(376002)(39860400002)(47760400005)(13464003)(24454002)(199003)(189002)(3280700002)(76176999)(54356999)(22452003)(6116002)(7696004)(4326008)(102836003)(8936002)(33656002)(39060400002)(5660300001)(101416001)(106356001)(966005)(105586002)(25786009)(6246003)(110136005)(97736004)(316002)(2950100002)(478600001)(14454004)(229853002)(2906002)(53936002)(54906003)(3660700001)(50986999)(72206003)(77096006)(8676002)(6306002)(9686003)(6436002)(8990500004)(55016002)(10090500001)(6506006)(10290500003)(93886005)(7736002)(81156014)(575784001)(68736007)(86362001)(305945005)(189998001)(53546010)(74316002)(2900100001)(86612001)(81166006)(99286004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0469; H:CY4PR21MB0120.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 189892c3-69f6-484f-5c27-08d531de5c2b
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Nov 2017 19:22:23.9608 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0469
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SrhWSb2h4Aw-e60Xaq91T94-LM4>
Subject: Re: [TLS] PR#1091: Changes to provide middlebox robustness
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Nov 2017 19:22:28 -0000

The idea was for the client to randomly add non-existent TLS versions to supported_versions.
Presumably, this will exercise the extensibility joint and prevent it from becoming unusable.

I'm not convinced this new approach will help, but we know the old one required fallbacks every time a new protocol version was introduced.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Yuhong Bao
Sent: Wednesday, November 22, 2017 11:04 AM
To: Peter Saint-Andre <stpeter@stpeter.im>; Eric Rescorla <ekr@rtfm.com>
Cc: tls@ietf.org; Tapio Sokura <tapio.sokura@iki.fi>
Subject: Re: [TLS] PR#1091: Changes to provide middlebox robustness

They are basically doing a supported_versions extension with only one entry in the ServerHello.
The problem with future middleboxes should be obvious.

________________________________________
From: Peter Saint-Andre <stpeter@stpeter.im>
Sent: Wednesday, November 22, 2017 11:02:39 AM
To: Yuhong Bao; Eric Rescorla
Cc: tls@ietf.org; Tapio Sokura
Subject: Re: [TLS] PR#1091: Changes to provide middlebox robustness

On 11/22/17 11:16 AM, Yuhong Bao wrote:
> The problem is not TLS 1.3, the problem is future versions of TLS.

Would you mind explaining that in more detail?

Peter

_______________________________________________
TLS mailing list
TLS@ietf.org
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C71d594d28d4241b8757f08d531dbdbb2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636469742719473989&sdata=fCAZVB8XHK3IJQAoSf%2FUwSDlHYiy2tm0WBktCGS%2BPW8%3D&reserved=0