Re: [TLS] RFC 6066 - Max fragment length negotiation
Thomas Pornin <pornin@bolet.org> Tue, 21 March 2017 13:15 UTC
Return-Path: <pornin@bolet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 496A8129873 for <tls@ietfa.amsl.com>; Tue, 21 Mar 2017 06:15:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iot76Bm193tJ for <tls@ietfa.amsl.com>; Tue, 21 Mar 2017 06:15:16 -0700 (PDT)
Received: from brontes.bolet.org (www.bolet.org [62.210.214.227]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A489129875 for <tls@ietf.org>; Tue, 21 Mar 2017 06:15:16 -0700 (PDT)
Received: by brontes.bolet.org (Postfix, from userid 1000) id C2C252071E; Tue, 21 Mar 2017 14:15:14 +0100 (CET)
Date: Tue, 21 Mar 2017 14:15:14 +0100
From: Thomas Pornin <pornin@bolet.org>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170321131514.GA9342@bolet.org>
References: <CAD8WAomJLs4hdaso9hT036=UORjT9=H5-oCHbdSofuv++n3rYg@mail.gmail.com> <1489706298995.98317@cs.auckland.ac.nz> <855C5079-FDA7-4E68-AE29-1E9605B495D7@broadcom.com> <1489707933992.42551@cs.auckland.ac.nz> <CABkgnnVRZBwXHZ6w=gX9pykNpXp80OLP1pe-VMg-uO-C6O8yEQ@mail.gmail.com> <1489710142144.88978@cs.auckland.ac.nz> <CABkgnnXiB5ksGbbPqDP3D=FVdQu9ht0vD8-T-5HTaEKQQE4+9w@mail.gmail.com> <1489721710740.52293@cs.auckland.ac.nz> <CABkgnnWq_5e8TJgJV+okqi6vo-_5=811pOZRtUCp0TD07SmNoQ@mail.gmail.com> <CABkgnnW=Pz+6M8UYoB+MTY8rQp9vsHyh6aqiSb3EbTT_BdWokA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABkgnnW=Pz+6M8UYoB+MTY8rQp9vsHyh6aqiSb3EbTT_BdWokA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TCHIjwS7nvjNIwUgpOiMe5bCx_Q>
Subject: Re: [TLS] RFC 6066 - Max fragment length negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 13:15:19 -0000
On Fri, Mar 17, 2017 at 05:24:09PM +1100, Martin Thomson wrote: > I'd even go so far as to specify it: > > https://martinthomson.github.io/tls-record-limit/ > > I'll submit an I-D once the blackout ends if people are interested in this. I like this proposal. One comment, though: I think the wording in section 4 should mandate that the value sent MUST NOT exceed the maximum record size -- i.e. if an implementation supports records up to 16384 bytes, then it should put 16384 here, not a bigger value suc as 65535. Rationale: last time this was discussed on this list, some people expressed the wish to ultimately support records with more than 16384 bytes of plaintext. If such an extension ever comes to fruition (it is certainly easy enough to do with CBC and GCM cipher suites), then sending a record_size_limit with a limit of, say, 60000 bytes, would serve as indication that the implementation indeed supports such larger records. This holds only as long as no implementation sends a value larger than 16384 if it does not really accept records of more than 16384 bytes. Therefore, I propose to replace this paragraph: An endpoint that has no limit on the size of data they receive can set this value to any value equal to or greater than the maximum possible record size, such as 65535. A larger value does not allow the endpoint to send larger records than the protocol permits. An endpoint that receives a value larger than the maximum defined in the protocol MUST NOT exceed protocol-defined limits. For TLS 1.3 and earlier, this limit is 2^14 octets. with the following: An endpoint that supports all sizes that comply with the protocol-defined limits MUST send exactly that limit as value for maximum record size (or a lower value). For TLS 1.3 and earlier, that limit is 2^14 octets. Higher values are currently reserved for future versions of the protocol that may allow larger records; an endpoint MUST NOT send a value higher than 2^14 unless explicitly allowed by such a future version and supported by the endpoint. When an endpoint receives a maximum record size limit larger than the protocol-defined limit, that end point MUST NOT send records larger than the protocol-defined limit, unless explicitly allowed by a future TLS version. Of course, larger-than-16384 records are not meant for constrained systems, but for big systems. Overhead for 16384-byte records with ChaCha20+Poly1305 is 21 bytes (for AES/GCM in TLS 1.2, this is 29 bytes), i.e. less than 0.2%, which seems small enough to me; but there still is some demand for larger records, so it makes sense not to prevent them from ever happening with tighter wording. --------------- Another point which was made is that CBC cipher suites have a variable-length padding, up to 256 bytes (length byte + padding), which is not fully negligible: an endpoint with a 500-byte buffer would have to send a "maximum record size" of 223 bytes only, in order to fully support AES/CBC+HMAC/SHA-256 in all cases, while in practice most if not all endpoints will stick to minimal-sized paddings. Maybe there should be some extra wording saying that when a "maximum record size" was received, with a value less than the protocol-defined limit, then an endpoint SHOULD strive to use minimal-sized padding in cipher suites that have a variable-sized padding. Or maybe something more convoluted that says: An endpoint MUST NOT generate a protected record with plaintext larger than the RecordSizeLimit value received from its peer. An endpoint MUST NOT either generate a protected record such that the encrypted record length (TLSCipherText.length) exceeds the length of the smallest possible encrypted record that would contain exactly as many plaintext bytes as the received RecordSizeLimit value, in the currently active cipher suite. This would be only for the benefit of CBC cipher suites with TLS 1.2 and earlier, not for TLS 1.3, because recent AEAD cipher suites have predictable (and small) overhead. Arguably, pre-TLS-1.3 versions also have problem with compression, which should be in all generality avoided, just like CBC cipher suites should also be avoided. Maybe this is not a problem after all, and constrained systems that are recent enough to implement this new extension will also "naturally" avoid CBC cipher suites anyway. (In any case, if an endpoint requires small records, then it cannot really talk with peers that don't support the proposed maximum_record_size extension, so it needs recent implementations that _should_ already implement at least TLS 1.2 and some AEAD cipher suites.) --Thomas Pornin
- [TLS] RFC 6066 - Max fragment length negotiation Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Yoav Nir
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Yoav Nir
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Thomas Pornin
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Ilari Liusvaara
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Ilari Liusvaara
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Thomas Pornin
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Ilari Liusvaara
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Joseph Birr-Pixton
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Joseph Birr-Pixton
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Sheehe, Charles J. (GRC-LCA0)
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Thomas Pornin
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nikos Mavrogiannopoulos
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Rex
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann