Re: [TLS] ALPN concerns
Yoav Nir <ynir@checkpoint.com> Wed, 06 November 2013 01:19 UTC
Hi

A few data points:

Currently (with NPN but without ALPN), the length of a ClientHello is about 17x bytes for both Chrome and FF, not including the hostname in SNI. Removing NPN saves 4 bytes, and adding ALPN may add 10-20 bytes, and the SNI is unbounded anyways [1]. That doesn't usually get you to 255. But session resumption may add the session ID, which is about 32 bytes.

Can we assume that the old BigIPs don't support ALPN? If so, you could avoid either ALPN or session resumption with a server that did not return ALPN. Wouldn't this solve the problem?

Yoav
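The byte arithmetic in the post, carried through as an added example (not code from the thread or from any browser): the ALPN and server_name extensions are encoded per RFC 7301 and RFC 6066 so their exact on-the-wire sizes can be measured, and the 172-byte baseline, hostnames and protocol lists are constructed values. plan_hello applies the workaround Yoav proposes, sending ALPN or the session ID but not both to a server that never answered ALPN; choosing to drop ALPN rather than resumption is this example's decision.

```python
"""ClientHello size model for the 255-byte concern (added example; baseline value is constructed)."""
import struct

SNI_EXT_TYPE = 0x0000   # server_name, RFC 6066
ALPN_EXT_TYPE = 0x0010  # application_layer_protocol_negotiation, RFC 7301


def alpn_extension(protocols):
    """Encode ALPN: ext type(2) + ext len(2) + list len(2) + 1-byte length-prefixed names."""
    body = b""
    for p in protocols:
        raw = p.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("ALPN protocol name must be 1..255 bytes")
        body += struct.pack("!B", len(raw)) + raw
    inner = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", ALPN_EXT_TYPE, len(inner)) + inner


def sni_extension(hostname):
    """Encode server_name with one host_name entry (name_type 0, 2-byte host length)."""
    host = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host
    inner = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT_TYPE, len(inner)) + inner


def client_hello_length(base_len, hostname=None, protocols=(), session_id_len=0):
    """Total length from a measured baseline that excludes SNI, ALPN and the session ID."""
    total = base_len + session_id_len
    if hostname:
        total += len(sni_extension(hostname))
    if protocols:
        total += len(alpn_extension(protocols))
    return total


def plan_hello(base_len, hostname, protocols, resuming, server_negotiated_alpn):
    """Post's workaround: if sending both ALPN and a session ID would exceed 255 bytes
    against a server that never returned ALPN, send only one of them.
    Returns (length, send_alpn, send_session_id)."""
    sid = 32 if resuming else 0
    full = client_hello_length(base_len, hostname, protocols, sid)
    if full <= 255 or server_negotiated_alpn or not (protocols and resuming):
        return full, bool(protocols), resuming
    # This example drops ALPN (the server ignored it before) and keeps resumption.
    return client_hello_length(base_len, hostname, (), sid), False, True


if __name__ == "__main__":
    # Constructed inputs: 172-byte baseline (NPN already removed), long SNI hostname.
    print(plan_hello(172, "secure-login.services.example.com",
                     ["spdy/3", "http/1.1"], True, False))
```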