Re: [TLS] Network Tokens I-D and TLS / ESNI

Yiannis Yiakoumis <yiannis@selfienetworks.com> Wed, 29 July 2020 23:51 UTC

Return-Path: <yiannis@selfienetworks.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6C163A0A56 for <tls@ietfa.amsl.com>; Wed, 29 Jul 2020 16:51:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=selfienetworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I96wuPpNPknI for <tls@ietfa.amsl.com>; Wed, 29 Jul 2020 16:51:18 -0700 (PDT)
Received: from mail-vs1-xe2b.google.com (mail-vs1-xe2b.google.com [IPv6:2607:f8b0:4864:20::e2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 856B23A0A64 for <tls@ietf.org>; Wed, 29 Jul 2020 16:51:18 -0700 (PDT)
Received: by mail-vs1-xe2b.google.com with SMTP id j186so13009476vsd.10 for <tls@ietf.org>; Wed, 29 Jul 2020 16:51:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=selfienetworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:from:to:date:message-id:subject:cc :references; bh=kjVBM5JPuhmaNnBkZBFxyLGuIHOO84rx2mtXBKGQGrg=; b=c5/mVPH7vEjHFG1wjqTEpYvTAnYV4psUsLiAcLHRB75WfFRJmQpzVS10RKmuNSTPqb la44lJnceb/lx91qisfPIsliA4Kh2FxkTV59AhC33BWFI14iNbZZfDxicRKoDXYpQzfZ KtL03mrIimkcpXBQXKO3c9hyQqXBkrjpBgirLfFfKD7N2g3LrChBFQKK+beZDtD8e+NG PEFe+NLHar3/ZZ7EF0IotgOzartXgcF29r7ZHZTZ5yic/rYnjl0+WXiRXo0uIhcvoLWG Ne8EM4g1NWj67hxxevqpHse5Sshg/ywsmedq78qlplsL0fy8fXI/GZ0UuYCN6b8UYpVD e/Tg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:from:to:date:message-id :subject:cc:references; bh=kjVBM5JPuhmaNnBkZBFxyLGuIHOO84rx2mtXBKGQGrg=; b=Tnn8i5NjGN6pTb2BUHu3NYy3BwwpOn2By0fvCiCN+dfEXU+UJ8+VjVzOMU+x/yrc0F HaDGx5mof2+dYUZApCR39/HhZ7NQB7eUcBnU0V7xoDrkCE4ltdkqFqAeF4dJryCFKl3h mQOtlchv1hQeCwyka8w5x849yOg8VPWOz5Xk+98YWbDJbd55ruyOixIGUpauP/b8tuOf K3vG8N6Eqggbw18LBIMXZ/1npXDgjhxZWQMaGkPSj2ZOtBe/3fotOPVAC4T8IkWNYDqE J5WF/D3L+p4JgzLBDcdksanmbQyflpsLA3wTNxb0gL+mdRUgpWe/fEOArBu91TexOrp7 wiCQ==
X-Gm-Message-State: AOAM530YxDNn/esMTZjz/Fu1j78FiiKDUcXkAoUwHMH7W28o3cs0WTEH IT5t0WxKSX9Z9foRx7ILsIJ5W06vz6I=
X-Google-Smtp-Source: ABdhPJzo1yK+GoGGIN0wh8Tcnp5zu9VkIIE9i2j9lC4B+ScvO84bb2JCmrDZJg/m/W4O1cVHvggvbA==
X-Received: by 2002:a67:310a:: with SMTP id x10mr77631vsx.48.1596066677067; Wed, 29 Jul 2020 16:51:17 -0700 (PDT)
Received: from localhost (0.92.231.35.bc.googleusercontent.com. [35.231.92.0]) by smtp.gmail.com with ESMTPSA id j20sm475037uan.13.2020.07.29.16.51.16 for <tls@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 29 Jul 2020 16:51:16 -0700 (PDT)
Mime-Version: 1.0
X-Superhuman-ID: kd80vkc9.42105bac-f924-46a6-99bf-24d396a890dc
X-Superhuman-Draft-ID: draft00fcb7a481c64637
In-Reply-To: <CAHbrMsDfS+oBcJjTQ77r9uAUDESFZ_QhQOz2f=GGsoJVdpcB9A@mail.gmail.com>
From: "Yiannis Yiakoumis" <yiannis@selfienetworks.com>
To: "Ben Schwartz" <bemasc@google.com>
X-Mailer: Superhuman Desktop (2020-07-28T22:06:12Z)
Date: Wed, 29 Jul 2020 23:51:15 +0000
Message-ID: <kd7z5bh8.4b00046a-77e4-4d6d-b6e6-60fbbd78dfe7@we.are.superhuman.com>
Cc: network-tokens@ietf.org, "<tls@ietf.org>" <tls@ietf.org>, "Christian Huitema" <huitema@huitema.net>
References: <kbsy4785.3cb5b3af-12b1-4d09-9944-6e4e487b103d@we.are.superhuman.com> <CAKC-DJjRBZujxoLNtNCTe40Gwta9KbdCORVzJ1V54UTGpYP8xQ@mail.gmail.com> <87e6e635-d1ec-9f36-41c3-339774f510ca@nomountain.net> <38d4885d-71f0-e69c-e78c-608482036956@huitema.net> <kbwgjics.3e327ce5-1d5c-4ba4-9d8e-ae9cb79f3003@we.are.superhuman.com> <8a6e6520-9f7b-586b-42b4-3b1cab387ccb@huitema.net> <CAHbrMsDfS+oBcJjTQ77r9uAUDESFZ_QhQOz2f=GGsoJVdpcB9A@mail.gmail.com>
Content-Type: multipart/alternative; boundary=21a598affa915774e0650c630dda6ed3f17fbebb34032dabfae57523ba40
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TwtQUfsjU0-buRDqvdbkETIJJKI>
Subject: Re: [TLS] Network Tokens I-D and TLS / ESNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 23:51:22 -0000

Hi Ben,

Thanks for your comments. Please find some responses inline.

On Wed, Jul 29, 2020 at 1:48 PM, Ben Schwartz < bemasc@google.com > wrote:

> 
> This proposal is highly ossifying.  Application protocols that are
> included in this scheme become very difficult to update.  For example, in
> the case of zero-rating, this proposal would only be able to zero-rate
> application protocols that are understood by the network's token-parsing
> appliance.  This seems likely to have serious negative consequences for
> protocol innovation, as these applications would no longer be able to
> implement novel protocols without losing whatever advantage the network
> token offers.  For TLS, this proposal would ossify the extension format,
> which could no longer evolve in future TLS versions without risking loss
> of network services.
> 
> 

In an ideal world, everything beyond IP would be encrypted and opaque to the network, and network tokens would be embedded in IPv6 extension headers. In practice, this has several (well-known) issues, here is my take on the trade-offs:

Tokens as IPv6 extension headers have the benefit that they are applicable to all traffic/applications, and could potentially be enforced by the network in a stateless, per-packet manner. The problems are that i) IPv6 extension headers are often dropped by network operators, ii) there are no good APIs to expose L3 socket APIs to the app developers who would eventually acquire and insert tokens, and iii) it doesn't work with IPv4.

Tokens as TLS extensions address the major shortcomings for IPv6, i.e., they have integrity protection so they cannot be dropped by intermediary nodes, they are closer to the app developer and can therefore expose APIs for them to add/remove tokens, and iii) they work across both IPv4 and IPv6. Obviously, they will support only the specific type of transport which limits the scope.

Specifically on your comment about protocol innovation, and using ESNI as an example: my understanding, is that dependency on existing network services will be an issue for ESNI adoption, and I agree that this is frustrating. I will counter argue though, that the problem is not that the network appliance doesn't adopt to a new format or novel protocol, but rather that there is no protocol and means in place for endpoints to explicitly coordinate with the network. In that sense, having a thin mechanism to do this coordination can accelerate innovation in all other aspects.

Does the group have any sense on the impact of existing DPI-based services on adoption of new ideas on TLS?

Also note that something like network tokens would be implemented in programmable hardware and/or software, and in principle should be much quicker to adopt to format changes comparing to fixed-silicon appliances.

> 
> The proposal also violates the TLS Protocol Invariants, by attempting to
> process the ServerHello after forwarding an arbitrary ClientHello.
> 
> 

Not sure I understand this. Can you explain what you mean by arbitrary ClientHello, or point me to the related TLS section?

> 
> It would also fail for QUIC, as previously noted, due to QUIC's mobility
> support, which is important for performance on mobile devices.
> 
> 

Not very familiar with QUIC, will have to read on this.

> 
> Additionally, storing this information in the TLS handshake causes an
> unnecessary privacy loss: it forces the token to be visible across the
> whole internet, even though it is only relevant on the near-client network
> segment.
> 
> 

The token is not necessarily relevant only to the near-client network segment. For example, in a zero-rating scenario where the token comes from the server, there are intermediary networks that are not relevant for charging.

> 
> Even if the token is entirely opaque, a pervasive surveillance adversary
> could distinguish between connections with and without tokens, likely
> differentiating certain applications from others.
> 
> 

You can already infer use of applications just by using IP addresses. Also, the amount of information you can extract from the presence of tokens decreases rapidly with the number of users that participate in them.

> 
> I recommend that the authors focus on the draft's proposal to use an IPv6
> extension header, and remove the other proposed encapsulations.  Also,
> please remove the specific extension number from Section 7.1 unless and
> until IANA has allocated a number.  For testing, you should use a value
> from the Private Use range, 65282-65535.
> 
> 

OK - I'll pick one from them private range - thanks.

Best,

Yiannis

> 
> On Fri, Jun 26, 2020 at 1:43 PM Christian Huitema < huitema@ huitema. net (
> huitema@huitema.net ) > wrote:
> 
> 
>> 
>> 
>> 
>> 
>> 
>> On 6/26/2020 10:16 AM, Yiannis Yiakoumis wrote:
>> 
>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Fri, Jun 26 , 2020 at 7:29 AM, Christian Huitema < huitema@ huitema. net
>>> ( huitema@huitema.net ) > wrote:
>>> 
>>> 
>>> 
>>> 
>>>> 
>>>> 
>>>> On 6/25/2020 11:11 PM, Melinda Shore wrote:
>>>> 
>>>> 
>>>> 
>>>>> 
>>>>> 
>>>>> On 6/25/20 3:29 PM, Erik Nygren wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> One quick comment is that binding tokens to IP addresses is strongly
>>>>>> counter-recommended.
>>>>>> 
>>>>>> It doesn't survive NATs or proxies, mobility, and it is especially
>>>>>> problematic in IPv6+IPv4 dual-stack environments.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> There's been a bunch of past work done developing similar sorts of
>>>>> protocols, and for what it's worth I wrote up a mechanism for using
>>>>> address tags and address rewrites, but unfortunately Cisco decided to
>>>>> patent it. Anyway, there are ways of dealing with this problem that don't
>>>>> require binding the address to the token ("all technical problems can be
>>>>> solved by introducing a layer of indirection").
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> There is also an interesting privacy issue. The token is meant to let a
>>>> provider identify some properties of the connection. I suppose there are
>>>> ways to do that without having it become a unique identifier that can be
>>>> tracked by, well, pretty much everybody. But you have better spell out
>>>> these ways.
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> You are right that for the duration of a token, one could use it to
>>> identify an endpoint (either application or most likely a combination of
>>> user/application). Tokens expire and intermediary nodes cannot correlate
>>> tokens with each other as they are encrypted. So tracking cannot happen
>>> across different tokens (of the same user), or between token-enabled and
>>> non-token-enabled traffic. I guess similar type of tracking happens when
>>> users are not behind a NAT and their IP address can be used to track them.
>>> Would it make sense to have the user add a random value to a token, and
>>> then encrypt it with the network's public key, so that each token becomes
>>> unique and cannot be tracked. Would that address the privacy concerns
>>> better?
>>> 
>>> 
>> 
>> 
>> 
>> That would certainly be better. The basic rule is that any such identifier
>> should be used only once. Pretty much the same issue as the session resume
>> tickets.
>> 
>> 
>> 
>>> 
>>> 
>>> 
>>>> 
>>>> 
>>>> Then, there are potential interactions with ESNI/ECH. The whole point of
>>>> ECH is to keep private extensions private. The token extension would need
>>>> to be placed in the outer envelope, which is public but does not expose
>>>> seemingly important information like the SNI or the ALPN.
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> Ah, I was not aware that ESNI can now include all CH extensions - thanks
>>> for the pointer. Yes, the token would have to stay on the outer envelope
>>> so the network can process it. The main idea is you can encrypt everything
>>> that is client-server specific, and just keep a token to explicitly
>>> exchange information with trusted networks.
>>> 
>>> 
>>> 
>>> 
>>>> 
>>>> 
>>>> There are also implications for QUIC, in which the TLS data is part of an
>>>> encrypted payload. The encryption key of the TLS carrying initial packets
>>>> is not secret in V1, but it might well become so in a future version.
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> Haven't looked into QUIC yet, but is on the list of things to do. If
>>> anyone is interested to help us explore this, please let me know.
>>> 
>>> 
>> 
>> 
>> 
>> You may want to have that discussion in the QUIC WG. If you are building
>> some kind of QoS service, you probably want it to work with QUIC too.
>> 
>> 
>> 
>> 
>> -- Christian Huitema
>> 
>> 
>> 
>> _______________________________________________
>> 
>> TLS mailing list
>> 
>> TLS@ ietf. org ( TLS@ietf.org )
>> 
>> https:/ / www. ietf. org/ mailman/ listinfo/ tls (
>> https://www.ietf.org/mailman/listinfo/tls )
>> 
>> 
> 
>