IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Eric Rescorla <ekr@rtfm.com> Fri, 13 October 2017 12:53 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31449133080 for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 05:53:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buu2YOjEeWco for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 05:53:57 -0700 (PDT)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18D0213207A for <tls@ietf.org>; Fri, 13 Oct 2017 05:53:57 -0700 (PDT)
Received: by mail-qt0-x22a.google.com with SMTP id 8so19357319qtv.1 for <tls@ietf.org>; Fri, 13 Oct 2017 05:53:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=DE2fOSYid0M1oehKBoJY3VOgtGsgDaS8mNoS7C/RuxU=; b=yGFjhylgHNyPegHkUqIB6UX6Ndt55jz/J+sihSrHbuDqNcqz55JvihGfc6jHWs8Lxk Jdnq67c3hUitYERmMFKqKQdw8nUa3N3Ym0mwxe5c9LgnCEZATgkOorWIvnFPhawun1BZ 4XO9nkduvGRT1OGPeMLeQ6azqXyrDiCvd4AMdS4vQmO6sQpITijMXI9izOHo+u+Hu81d PxW6rcvRJtZeSeQ4DImNwnj22owUsqPGpcpr6qjZ3KcZnJOHxCBjesVJQKSPsGik9Yio mhw9B49t33R/IZGZWmQsRM6WQVygHGdzo466n3lY3i8tAxgFEKzhoI/72guurYDgU846 dRwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=DE2fOSYid0M1oehKBoJY3VOgtGsgDaS8mNoS7C/RuxU=; b=fHbHSvsaH3oQDvh7ORj3pznIwAJi792MeGnC7xpmbegAt9JrrmsuYeazbdngj1tSCc 8U17eyFmX+k64zIxQxYluVAgTPBYM0SgBTSoeHFPyRRWsd4NlhGn5pPaTDSNNUHpVimI XxEPJ2iWTszj3S175/8NzIAzPVAmcDKPKTjuhgLAP2/dUo85p1WIqYxkRUv6oyPSwlxE Xwv4Q/qL2yuVFnsDYYgbxc1KFN8qOQiYq+aEwEERC5brWJcHEkBxZxXtOlQi5gApMRow exldqahPemNhR1Wqf8nNSyxyuyymLipqbwiMACtEiuklRPV13oYISOLu/3/+OacTBmdB 5XjA==
X-Gm-Message-State: AMCzsaU9DBdxfToSVkqQFycZUeQKfMznRV38obg0Db+QKFPDp2MWPVs6 bRc1poZxfMc5PorGeD4l0bCiFs8GFHCbKWd6PTEX+g==
X-Google-Smtp-Source: AOwi7QDNGsVme7+/5q7elbjDN9WKuUx57DazKmvGuKV6aamVsFgUCKE8Ij5KtqSK0rSM9DeC+rO9cTZJBGXLRfbSH6Q=
X-Received: by 10.129.167.66 with SMTP id e63mr868427ywh.294.1507899235988; Fri, 13 Oct 2017 05:53:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.194 with HTTP; Fri, 13 Oct 2017 05:53:15 -0700 (PDT)
In-Reply-To: <1507875665.3178.19.camel@redhat.com>
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com> <1507875665.3178.19.camel@redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 13 Oct 2017 05:53:15 -0700
Message-ID: <CABcZeBOQygfoRApi4st6Qv56V26D1qRyX8vfTYH15xCMezcmRw@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c079026518fbe055b6d26b2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/W9JbbLYHPPCzgewdUmw4mzQV1FQ>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2017 12:53:59 -0000

On Thu, Oct 12, 2017 at 11:21 PM, Nikos Mavrogiannopoulos <nmav@redhat.com>
wrote:

> On Thu, 2017-10-12 at 16:13 -0700, Eric Rescorla wrote:
> > Hi folks,
> >
> > I have just posted a first cut at a connection ID draft.
> > https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00
>
> I believe the major issue with that is the fact that the record packet
> format changes, but there is no way for a party in between to be able
> to determine the record packet format without keeping session state.
> Think not only of middle boxes, but of super-servers which may receive
> of a stray udp packet which they have to forward to the appropriate
> server [0]. With that change, they cannot figure whether the packet
> contains the CID or not in a deterministic way for a random CID.
>
> One can hack around that limitation by providing a CID which starts
> with 0xffff which is an illegal size currently for TLS or DTLS, but
> would have to worry with future extensions to the protocol which may
> increase the maximum size.


Yes, Thomas raised this issue as well. Unfortunately, we need to take the
structure of existing TLS records as it is, and at least in DTLS 1.3 we're
going to effort to shorten the header and I'm not eager to make everyone
pay on the wire whether they want to use connection ids or not.

In DTLS 1.2, as you say, it seems most straightforward to just provide
what would be an illegal length, as it seems pretty unlikely that any
future DTLS extension is going to allow 65k-sized packets. In DTLS 1.3,
we could probably steal one code point for this if we had to.


Another worrying feature is that the client can make the server send up
> to 255 verbatim bytes on the wire of his choice. Why was this feature
> added? Are there use cases related with it (intro doesn't mention any),
> or it was only thought as a make it as generic as possible approach? If
> it is the latter, I'd recommend to provide a simple approach that
> covers the described use cases.
>

Well, any connection ID feature of this type involves forcing the other
side to
send a certain amount of fixed verbatim data, so we're really just debating
how long that value ought to be. There are good reasons to allow at least
16 octets (in the super-server case you suggest, you might want the
connection ID
to to be an encrypted label for the actual server, and it's much more
convenient
to encrypt 16-byte quantities because that's AES's block size and many of
those machines will have AES-NI). And once you're carrying 16 bytes,
I don't see a big point in minimizing it below that. If people want an upper
limit that is greater than 16 (32?) I would be fine with that.

-Ekr


The same argument applies to the server being able to set such a long
> sequence of verbatim bytes to each of the client packets.
>
> regards,
> Nikos
>
> [0]. That was exactly my use case for introducing the CID info, as in
> openconnect server, the super-server receives the stray UDP packets
> arriving after a NAT disassociates existing connections.
>
>

v2.23.0 | Report a Bug | By Email