[TLS] A readthrough of draft-ietf-tls-esni
Watson Ladd <watsonbladd@gmail.com> Sat, 17 February 2024 21:24 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D2F9C14F5EF for <tls@ietfa.amsl.com>; Sat, 17 Feb 2024 13:24:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ETDecUUBeOO for <tls@ietfa.amsl.com>; Sat, 17 Feb 2024 13:24:30 -0800 (PST)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2174C14F5EE for <tls@ietf.org>; Sat, 17 Feb 2024 13:24:30 -0800 (PST)
Received: by mail-wm1-x32d.google.com with SMTP id 5b1f17b1804b1-4126100126bso807025e9.1 for <tls@ietf.org>; Sat, 17 Feb 2024 13:24:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708205069; x=1708809869; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=zgKxeG/aVGBHMbvH1qXPW5tN/dFXrAGI1UprYrRPfC4=; b=WywUjKmM0Nn0F0GwnoN6862K9Tx2YEf60VEW8WM8RQtKoIB1LQfZVRqSHXG4D/ibnG lz9YIK/FmiysFzZG4RbNFxN+pd0Tzz9Svsc98MxMaGj/m3pkfMuPeupwZjJV02ulSYPx oFYso/2wZw44yWoppYApTgZ4chYhiCcZUq2wbMytZt391SRUgPZo13diMJFQSybRDMKo 5yFLwGXpjaq3075XqsRKUDLnViS82bD3hfJQhm8SUEHUfYCvKemb2b9gYIWa3tsL7Ysq JRHO1KOWDK+ekyXF/S1OTtsI5PaF+qV9oqtzAkuZ5uidu7O/czh9hKVvE7yXATv6FHMy LyuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708205069; x=1708809869; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=zgKxeG/aVGBHMbvH1qXPW5tN/dFXrAGI1UprYrRPfC4=; b=aBkGJJp7jUwoKf6OBEkDd4od0xuLdWt4RP/gmfbnCz1jdAG4c3oo2zMTsoyRdpHgxL /vqHEuw2J6cCQ5da+onYnDDfAx7iqI0Uw7i+OCl0Cz+ko2epvhZaVlfw5y1lL3lXJS/g PYx9DeO1jYV7IR+Xs9MCXmKeFfUZZjl6PLgR+XWfUBiD6TJmskHZb76RrPMAAL+o/EcN 2nV7j+vNEK05I89yclG7wjlbk9+3ZLc/Kb6BlDJemIlnbdHYpy+8NKr7eALjE45gLA1G Vi8qBij1YJADg2i7OSqFGvgr2tB89+dMMNivmm/0ADDJOztlFaTGaitvCeO6pBJcqf6J 7bFA==
X-Gm-Message-State: AOJu0YygDHmiEiXACEcc3tBk96jdX/8WdY/Jqr6QolKuCq2ML0c15BMC Cd+GvKDIW4Lmob270C/Y+HNPWl5zN1FPlIaS8eKLAhKjugKbki7IakW2YaNXkU+ECL24om6CSq1 vzStn5pt5lI2sSRbDt3C82uwA2tsAisBfA9A=
X-Google-Smtp-Source: AGHT+IGIPu4Y8my9nWJQ0tuHYg0fTqgqaepupz73cnet39PvLlxxT9zLKClojWOeUtcJ2vAvRzuQzbuBBtb7p/FTrVk=
X-Received: by 2002:a05:600c:1e10:b0:412:6020:acac with SMTP id ay16-20020a05600c1e1000b004126020acacmr581834wmb.36.1708205068627; Sat, 17 Feb 2024 13:24:28 -0800 (PST)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 17 Feb 2024 13:24:17 -0800
Message-ID: <CACsn0c=zW_729nmCzS1PAjpWG5ZDNX4BgxQ7AxLCWf6K9aFVrw@mail.gmail.com>
To: TLS List <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XUCFuNBSQfSJclkhLW-14DZ0ETg>
Subject: [TLS] A readthrough of draft-ietf-tls-esni
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Feb 2024 21:24:31 -0000
Based on the github version.
Comments are in order of spotting, not seriousness. I understand
Martin Thompson has a clever way to format these emails I have tried
to follow but with little success. This is almost all editorial nits.
# Introduction
I would reorder the 3 and 4th paragraphs, with appropriate
modifications. Currently what the draft does is buried pretty far
down, and I think pulling it up is better. YMMV.
# Overview
I think we can say a little bit more to prepare the reader for the
Topology section, happy to suggest text.
## Topologies
"These are the same entity in Shared Mode, but in Split Mode, the
client-facing and backend servers are physically separated." - I think
we want to say in Split Mode the client-facing and backend servers are
logically separated and may be physically separated. The concept of
server and physical is a very messy one.
## encrypted-client-hello
It might be worth saying the rational for including the empty
extension in ClientHelloInner. I think the payload field description
might need tweaking: Should it say "EncodedClientHelloInner " instead
of "ClientHelloInner"?
## encoding-inner
I find the last paragraph a bit confusing. Instead of "Implementations
SHOULD bound the time to compute a ClientHelloInner proportionally to
the ClientHelloOuter size.", can we be more explicit alnogn the lines
of "Implementations SHOULD construct the ClientHelloInner in linear
time. Quadratic time implementations (such as may happen via naive
copying) create a denial of service risk"
## authenticating-outer
Reader isn't prepared for this bit IMHO. More to follow.
## real-ech
Here I have my first more crosscutting issue. After
#authenticating-outer the reader might have an idea that AAD is going
to be used here with HPKE. There's a bunch of material here that could
be moved back to {{authenticating-outer}} to make this one flow better
and keep the flow of topics, and we might also want to say that the
ClientHelloOuter is going to be authenticated back in
{{encrypted-client hello}}.
## grease-psk
Should we use RFC 2119 language for the server as well? Right now we
only say what the client must do when the server violates the rules.
## padding
I found this section very confusing. On a casual read it's not clear
if the ClientHelloInner is having its extensions padded, or, as is
actually intended, we're adding to the size of EncodedClientHello
inner based on estimating the size of each extension. I think part of
this is due to my confusion about what we're trying to hide from whom.
A little more text can solve this
# server behavior.
I'm confused by this section, which seems to imply the client picks
what role the server plays, not the configuration of the server. This
text also plays badly with the shared-mode topology, where the same
server plays both roles. Yeah, I knew what was probably meant, but a
little bit of TLC can clear this up.
## client-facing server
Some uncapitalized RFC 2119 language
## misconfiguration
I think either here or in {{rejected-configs}} we need to say a little
bit more about the way servers are supposed to do rollouts. In
particular the retry configuration needs to be supported on all
servers where the connection might hit, so it's not the most recent
that the server has.
# Security considerations
## goals
I think we should have a doc about split mode security or some
indication about how to set this up. Otherwise it won't work. Not
saying this RFC should be it, but without something no one will be
able to get interoperability.
For a very complex protocol that's taken quite some years to develop
this document is in pretty good shape.
Sincerely,
Watson Ladd
--
Astra mortemque praestare gradatim
- [TLS] A readthrough of draft-ietf-tls-esni Watson Ladd