Re: [TLS] ALPN concerns

Yoav Nir <ynir@checkpoint.com> Wed, 06 November 2013 01:19 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "tls@ietf.org list" <tls@ietf.org>
Thread-Topic: [TLS] ALPN concerns
Thread-Index: AQHO2nVrisyeONraYE22idIo0fVZhpoXRgSA
Date: Wed, 06 Nov 2013 01:19:26 +0000
Message-ID: <699721CA-EF4F-4FBA-B1FA-B2AC8EC4303F@checkpoint.com>
References: <CAFewVt7-+e-e82LA3iPWOuoudRqCCk23uyf0w5+aXSFsAv64GA@mail.gmail.com>
In-Reply-To: <CAFewVt7-+e-e82LA3iPWOuoudRqCCk23uyf0w5+aXSFsAv64GA@mail.gmail.com>
Subject: Re: [TLS] ALPN concerns

Hi

A few data points:

Currently (with NPN but without ALPN), the length of a ClientHello is about 17x bytes for both Chrome and FF, not including the hostname in SNI.

Removing NPN saves 4 bytes, and adding ALPN may add 10-20 bytes, and the SNI is unbounded anyways [1]. That doesn't usually get you to 255. But session resumption may add the session ID, which is about 32 bytes.

Can we assume that the old BigIP doesn't support ALPN? If so, you could avoid either ALPN or session resumption with a server that did not return ALPN. Wouldn't this solve the problem?

Yoav
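As an added illustration of the byte accounting in the mail above (not part of the original message or of any browser's code), the following Python encodes the NPN, ALPN and SNI extensions in their wire formats and totals a ClientHello against the 255-byte figure; the 175-byte base length, the protocol list and the hostname are constructed values.

```python
import struct

# Extension type codepoints from the TLS ExtensionType registry.
EXT_SERVER_NAME = 0      # RFC 6066 SNI
EXT_ALPN = 16            # RFC 7301 ALPN
EXT_NPN = 13172          # NPN (draft-agl-tls-nextprotoneg), never an RFC

def npn_extension() -> bytes:
    # The client side of NPN is an empty extension: 2-byte type + 2-byte zero length.
    return struct.pack("!HH", EXT_NPN, 0)

def alpn_extension(protocols) -> bytes:
    # ProtocolNameList: 2-byte list length, then each name as 1-byte length + bytes.
    names = b"".join(struct.pack("!B", len(p)) + p.encode("ascii") for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", EXT_ALPN, len(body)) + body

def sni_extension(hostname: str) -> bytes:
    # ServerNameList: 2-byte list length, one entry of name_type(0) + 2-byte length + host.
    host = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host
    body = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body

def client_hello_size(base_len: int, extensions, session_id_len: int = 0) -> int:
    # base_len: constructed size of the hello without the listed extensions or session ID.
    return base_len + session_id_len + sum(len(e) for e in extensions)

def crosses_255(base_len: int, extensions, session_id_len: int = 0) -> bool:
    # The threshold the mail worries about: a hello growing past 255 bytes.
    return client_hello_size(base_len, extensions, session_id_len) > 255

if __name__ == "__main__":
    base = 175  # constructed, in the "17x" range quoted for Chrome/Firefox without SNI
    alpn = alpn_extension(["h2", "http/1.1"])
    print("NPN bytes:", len(npn_extension()))            # 4
    print("ALPN bytes:", len(alpn))                      # 18
    print("SNI bytes:", len(sni_extension("example.com")))
    for sid in (0, 32):
        total = client_hello_size(base, [alpn, sni_extension("example.com")], sid)
        print(f"session_id={sid}: {total} bytes, >255: {total > 255}")
```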