[TLS] A readthrough of draft-ietf-tls-esni
Watson Ladd <watsonbladd@gmail.com> Sat, 17 February 2024 21:24 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D2F9C14F5EF for <tls@ietfa.amsl.com>; Sat, 17 Feb 2024 13:24:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ETDecUUBeOO for <tls@ietfa.amsl.com>; Sat, 17 Feb 2024 13:24:30 -0800 (PST)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2174C14F5EE for <tls@ietf.org>; Sat, 17 Feb 2024 13:24:30 -0800 (PST)
Received: by mail-wm1-x32d.google.com with SMTP id 5b1f17b1804b1-4126100126bso807025e9.1 for <tls@ietf.org>; Sat, 17 Feb 2024 13:24:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708205069; x=1708809869; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=zgKxeG/aVGBHMbvH1qXPW5tN/dFXrAGI1UprYrRPfC4=; b=WywUjKmM0Nn0F0GwnoN6862K9Tx2YEf60VEW8WM8RQtKoIB1LQfZVRqSHXG4D/ibnG lz9YIK/FmiysFzZG4RbNFxN+pd0Tzz9Svsc98MxMaGj/m3pkfMuPeupwZjJV02ulSYPx oFYso/2wZw44yWoppYApTgZ4chYhiCcZUq2wbMytZt391SRUgPZo13diMJFQSybRDMKo 5yFLwGXpjaq3075XqsRKUDLnViS82bD3hfJQhm8SUEHUfYCvKemb2b9gYIWa3tsL7Ysq JRHO1KOWDK+ekyXF/S1OTtsI5PaF+qV9oqtzAkuZ5uidu7O/czh9hKVvE7yXATv6FHMy LyuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708205069; x=1708809869; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=zgKxeG/aVGBHMbvH1qXPW5tN/dFXrAGI1UprYrRPfC4=; b=aBkGJJp7jUwoKf6OBEkDd4od0xuLdWt4RP/gmfbnCz1jdAG4c3oo2zMTsoyRdpHgxL /vqHEuw2J6cCQ5da+onYnDDfAx7iqI0Uw7i+OCl0Cz+ko2epvhZaVlfw5y1lL3lXJS/g PYx9DeO1jYV7IR+Xs9MCXmKeFfUZZjl6PLgR+XWfUBiD6TJmskHZb76RrPMAAL+o/EcN 2nV7j+vNEK05I89yclG7wjlbk9+3ZLc/Kb6BlDJemIlnbdHYpy+8NKr7eALjE45gLA1G Vi8qBij1YJADg2i7OSqFGvgr2tB89+dMMNivmm/0ADDJOztlFaTGaitvCeO6pBJcqf6J 7bFA==
X-Gm-Message-State: AOJu0YygDHmiEiXACEcc3tBk96jdX/8WdY/Jqr6QolKuCq2ML0c15BMC Cd+GvKDIW4Lmob270C/Y+HNPWl5zN1FPlIaS8eKLAhKjugKbki7IakW2YaNXkU+ECL24om6CSq1 vzStn5pt5lI2sSRbDt3C82uwA2tsAisBfA9A=
X-Google-Smtp-Source: AGHT+IGIPu4Y8my9nWJQ0tuHYg0fTqgqaepupz73cnet39PvLlxxT9zLKClojWOeUtcJ2vAvRzuQzbuBBtb7p/FTrVk=
X-Received: by 2002:a05:600c:1e10:b0:412:6020:acac with SMTP id ay16-20020a05600c1e1000b004126020acacmr581834wmb.36.1708205068627; Sat, 17 Feb 2024 13:24:28 -0800 (PST)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 17 Feb 2024 13:24:17 -0800
Message-ID: <CACsn0c=zW_729nmCzS1PAjpWG5ZDNX4BgxQ7AxLCWf6K9aFVrw@mail.gmail.com>
To: TLS List <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XUCFuNBSQfSJclkhLW-14DZ0ETg>
Subject: [TLS] A readthrough of draft-ietf-tls-esni
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Feb 2024 21:24:31 -0000
Based on the github version. Comments are in order of spotting, not seriousness. I understand Martin Thompson has a clever way to format these emails I have tried to follow but with little success. This is almost all editorial nits. # Introduction I would reorder the 3 and 4th paragraphs, with appropriate modifications. Currently what the draft does is buried pretty far down, and I think pulling it up is better. YMMV. # Overview I think we can say a little bit more to prepare the reader for the Topology section, happy to suggest text. ## Topologies "These are the same entity in Shared Mode, but in Split Mode, the client-facing and backend servers are physically separated." - I think we want to say in Split Mode the client-facing and backend servers are logically separated and may be physically separated. The concept of server and physical is a very messy one. ## encrypted-client-hello It might be worth saying the rational for including the empty extension in ClientHelloInner. I think the payload field description might need tweaking: Should it say "EncodedClientHelloInner " instead of "ClientHelloInner"? ## encoding-inner I find the last paragraph a bit confusing. Instead of "Implementations SHOULD bound the time to compute a ClientHelloInner proportionally to the ClientHelloOuter size.", can we be more explicit alnogn the lines of "Implementations SHOULD construct the ClientHelloInner in linear time. Quadratic time implementations (such as may happen via naive copying) create a denial of service risk" ## authenticating-outer Reader isn't prepared for this bit IMHO. More to follow. ## real-ech Here I have my first more crosscutting issue. After #authenticating-outer the reader might have an idea that AAD is going to be used here with HPKE. There's a bunch of material here that could be moved back to {{authenticating-outer}} to make this one flow better and keep the flow of topics, and we might also want to say that the ClientHelloOuter is going to be authenticated back in {{encrypted-client hello}}. ## grease-psk Should we use RFC 2119 language for the server as well? Right now we only say what the client must do when the server violates the rules. ## padding I found this section very confusing. On a casual read it's not clear if the ClientHelloInner is having its extensions padded, or, as is actually intended, we're adding to the size of EncodedClientHello inner based on estimating the size of each extension. I think part of this is due to my confusion about what we're trying to hide from whom. A little more text can solve this # server behavior. I'm confused by this section, which seems to imply the client picks what role the server plays, not the configuration of the server. This text also plays badly with the shared-mode topology, where the same server plays both roles. Yeah, I knew what was probably meant, but a little bit of TLC can clear this up. ## client-facing server Some uncapitalized RFC 2119 language ## misconfiguration I think either here or in {{rejected-configs}} we need to say a little bit more about the way servers are supposed to do rollouts. In particular the retry configuration needs to be supported on all servers where the connection might hit, so it's not the most recent that the server has. # Security considerations ## goals I think we should have a doc about split mode security or some indication about how to set this up. Otherwise it won't work. Not saying this RFC should be it, but without something no one will be able to get interoperability. For a very complex protocol that's taken quite some years to develop this document is in pretty good shape. Sincerely, Watson Ladd -- Astra mortemque praestare gradatim
- [TLS] A readthrough of draft-ietf-tls-esni Watson Ladd