IETF Logo Mail Archive

Re: [TLS] RFC 6066 - Max fragment length negotiation

Thomas Pornin <pornin@bolet.org> Tue, 21 March 2017 13:15 UTC

Return-Path: <pornin@bolet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 496A8129873 for <tls@ietfa.amsl.com>; Tue, 21 Mar 2017 06:15:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iot76Bm193tJ for <tls@ietfa.amsl.com>; Tue, 21 Mar 2017 06:15:16 -0700 (PDT)
Received: from brontes.bolet.org (www.bolet.org [62.210.214.227]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A489129875 for <tls@ietf.org>; Tue, 21 Mar 2017 06:15:16 -0700 (PDT)
Received: by brontes.bolet.org (Postfix, from userid 1000) id C2C252071E; Tue, 21 Mar 2017 14:15:14 +0100 (CET)
Date: Tue, 21 Mar 2017 14:15:14 +0100
From: Thomas Pornin <pornin@bolet.org>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170321131514.GA9342@bolet.org>
References: <CAD8WAomJLs4hdaso9hT036=UORjT9=H5-oCHbdSofuv++n3rYg@mail.gmail.com> <1489706298995.98317@cs.auckland.ac.nz> <855C5079-FDA7-4E68-AE29-1E9605B495D7@broadcom.com> <1489707933992.42551@cs.auckland.ac.nz> <CABkgnnVRZBwXHZ6w=gX9pykNpXp80OLP1pe-VMg-uO-C6O8yEQ@mail.gmail.com> <1489710142144.88978@cs.auckland.ac.nz> <CABkgnnXiB5ksGbbPqDP3D=FVdQu9ht0vD8-T-5HTaEKQQE4+9w@mail.gmail.com> <1489721710740.52293@cs.auckland.ac.nz> <CABkgnnWq_5e8TJgJV+okqi6vo-_5=811pOZRtUCp0TD07SmNoQ@mail.gmail.com> <CABkgnnW=Pz+6M8UYoB+MTY8rQp9vsHyh6aqiSb3EbTT_BdWokA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABkgnnW=Pz+6M8UYoB+MTY8rQp9vsHyh6aqiSb3EbTT_BdWokA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TCHIjwS7nvjNIwUgpOiMe5bCx_Q>
Subject: Re: [TLS] RFC 6066 - Max fragment length negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 13:15:19 -0000

On Fri, Mar 17, 2017 at 05:24:09PM +1100, Martin Thomson wrote:
> I'd even go so far as to specify it:
> 
> https://martinthomson.github.io/tls-record-limit/
> 
> I'll submit an I-D once the blackout ends if people are interested in this.

I like this proposal. One comment, though: I think the wording in
section 4 should mandate that the value sent MUST NOT exceed the maximum
record size -- i.e. if an implementation supports records up to 16384
bytes, then it should put 16384 here, not a bigger value suc as 65535.

Rationale: last time this was discussed on this list, some people
expressed the wish to ultimately support records with more than 16384
bytes of plaintext. If such an extension ever comes to fruition (it is
certainly easy enough to do with CBC and GCM cipher suites), then
sending a record_size_limit with a limit of, say, 60000 bytes, would
serve as indication that the implementation indeed supports such larger
records. This holds only as long as no implementation sends a value
larger than 16384 if it does not really accept records of more than
16384 bytes.

Therefore, I propose to replace this paragraph:

    An endpoint that has no limit on the size of data they receive can
    set this value to any value equal to or greater than the maximum
    possible record size, such as 65535. A larger value does not allow
    the endpoint to send larger records than the protocol permits. An
    endpoint that receives a value larger than the maximum defined in
    the protocol MUST NOT exceed protocol-defined limits. For TLS 1.3
    and earlier, this limit is 2^14 octets.

with the following:

    An endpoint that supports all sizes that comply with the
    protocol-defined limits MUST send exactly that limit as value for
    maximum record size (or a lower value). For TLS 1.3 and earlier,
    that limit is 2^14 octets. Higher values are currently reserved for
    future versions of the protocol that may allow larger records; an
    endpoint MUST NOT send a value higher than 2^14 unless explicitly
    allowed by such a future version and supported by the endpoint.

    When an endpoint receives a maximum record size limit larger than
    the protocol-defined limit, that end point MUST NOT send records
    larger than the protocol-defined limit, unless explicitly allowed by
    a future TLS version.


Of course, larger-than-16384 records are not meant for constrained
systems, but for big systems. Overhead for 16384-byte records with
ChaCha20+Poly1305 is 21 bytes (for AES/GCM in TLS 1.2, this is 29
bytes), i.e. less than 0.2%, which seems small enough to me; but there
still is some demand for larger records, so it makes sense not to
prevent them from ever happening with tighter wording.

---------------

Another point which was made is that CBC cipher suites have a
variable-length padding, up to 256 bytes (length byte + padding), which
is not fully negligible: an endpoint with a 500-byte buffer would have
to send a "maximum record size" of 223 bytes only, in order to fully
support AES/CBC+HMAC/SHA-256 in all cases, while in practice most if not
all endpoints will stick to minimal-sized paddings. Maybe there should
be some extra wording saying that when a "maximum record size" was
received, with a value less than the protocol-defined limit, then an
endpoint SHOULD strive to use minimal-sized padding in cipher suites
that have a variable-sized padding. Or maybe something more convoluted
that says:

    An endpoint MUST NOT generate a protected record with plaintext
    larger than the RecordSizeLimit value received from its peer. An
    endpoint MUST NOT either generate a protected record such that the
    encrypted record length (TLSCipherText.length) exceeds the length of
    the smallest possible encrypted record that would contain exactly as
    many plaintext bytes as the received RecordSizeLimit value, in the
    currently active cipher suite.

This would be only for the benefit of CBC cipher suites with TLS 1.2 and
earlier, not for TLS 1.3, because recent AEAD cipher suites have
predictable (and small) overhead.

Arguably, pre-TLS-1.3 versions also have problem with compression, which
should be in all generality avoided, just like CBC cipher suites should
also be avoided. Maybe this is not a problem after all, and constrained
systems that are recent enough to implement this new extension will also
"naturally" avoid CBC cipher suites anyway. (In any case, if an endpoint
requires small records, then it cannot really talk with peers that don't
support the proposed maximum_record_size extension, so it needs recent
implementations that _should_ already implement at least TLS 1.2 and
some AEAD cipher suites.)


	--Thomas Pornin

v2.23.0 | Report a Bug | By Email