Re: [TLS] Heartbeat and padding
Nico Williams <nico@cryptonector.com> Tue, 29 April 2014 01:43 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D7DE1A8869 for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 18:43:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VJnUAcwSSdyI for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 18:43:00 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 32BE21A8855 for <tls@ietf.org>; Mon, 28 Apr 2014 18:43:00 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id 7E1D794065 for <tls@ietf.org>; Mon, 28 Apr 2014 18:42:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:content-type; s=cryptonector.com; bh=O7bu5c9ZYzqy5C0SdKa7dku YayQ=; b=HWme9BhM+hRGDRJCTOVcet6lpSlU8zqFSLRcW+I8qTNLIQlputO6knN b04SsvHCM90uYrZZ1A48F++hv/bE0mS8Zg3Sw/2Re69rlPtYewKWp+csorhiGXbo IZ2ATMwzBePtjM//tM8I7R5yaafS00akVb+e1kXVnEK37z2z/v90=
Received: from mail-wg0-f49.google.com (mail-wg0-f49.google.com [74.125.82.49]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id 2F18C9405E for <tls@ietf.org>; Mon, 28 Apr 2014 18:42:59 -0700 (PDT)
Received: by mail-wg0-f49.google.com with SMTP id x13so2023007wgg.32 for <tls@ietf.org>; Mon, 28 Apr 2014 18:42:58 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.181.5.6 with SMTP id ci6mr17851068wid.39.1398735778167; Mon, 28 Apr 2014 18:42:58 -0700 (PDT)
Received: by 10.216.29.200 with HTTP; Mon, 28 Apr 2014 18:42:58 -0700 (PDT)
In-Reply-To: <20140428235701.GL27883@mournblade.imrryr.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F53E@USMBX1.msg.corp.akamai.com> <r422Ps-1075i-54C354189F5E4575A21D231C89CC8B57@Williams-MacBook-Pro.local> <20140428235701.GL27883@mournblade.imrryr.org>
Date: Mon, 28 Apr 2014 20:42:58 -0500
Message-ID: <CAK3OfOgkDnapC5WbGrGW2xj1ZWXU-fpQj2eBQccZjzvWgk-TNQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/WzGDd_G4D-4ODP9nMu9Zb4IORYI
Subject: Re: [TLS] Heartbeat and padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 01:43:01 -0000
On Mon, Apr 28, 2014 at 6:57 PM, Viktor Dukhovni <viktor1dane@dukhovni.org> wrote: > On Mon, Apr 28, 2014 at 04:10:09PM -0700, Bill Frantz wrote: > However, a heartbeat over TCP does not require any payload or > response. It can be a record-layer message with a zero-length > payload that elicits no response at all. This gets no cryptographic > protection, but that just makes it cheaper and safer. Arguably even a TCP application with keepalives might want to keep PMTUD going on idle connections (sending large keepalives from time to time to keep the PMTUD info fresh) so that when they get busy they go fast, but that might be significantly wasteful unless also coupled with an exponential idle backoff. But, sure, as to TCP I think we can remove the variable-length payload heartbeat. I'm somewhat concerned by having too many special case differences between DTLS and TLS though. We've already seen a mistake that meant that DTLS Hellos cannot carry extensions. Nico --
- [TLS] Heartbeat and padding Michael D'Errico
- Re: [TLS] Heartbeat and padding Hanno Böck
- Re: [TLS] Heartbeat and padding Watson Ladd
- Re: [TLS] Heartbeat and padding Aaron Zauner
- Re: [TLS] Heartbeat and padding Salz, Rich
- Re: [TLS] Heartbeat and padding Nikos Mavrogiannopoulos
- Re: [TLS] Heartbeat and padding Michael Tuexen
- Re: [TLS] Heartbeat and padding Bill Frantz
- Re: [TLS] Heartbeat and padding Richard Hartmann
- Re: [TLS] Heartbeat and padding Viktor Dukhovni
- Re: [TLS] Heartbeat and padding Nico Williams
- Re: [TLS] Heartbeat and padding Nico Williams