Re: [TLS] Fwd: New Version Notification for draft-schwartz-tls-lb-00.txt
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 28 June 2019 19:22 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86406120850 for <tls@ietfa.amsl.com>; Fri, 28 Jun 2019 12:22:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TdxH0gvlIK1U for <tls@ietfa.amsl.com>; Fri, 28 Jun 2019 12:22:44 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E058120473 for <tls@ietf.org>; Fri, 28 Jun 2019 12:22:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 018FABE39; Fri, 28 Jun 2019 20:22:41 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bJteyW3Iqo1T; Fri, 28 Jun 2019 20:22:38 +0100 (IST)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 21483BE2E; Fri, 28 Jun 2019 20:22:38 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1561749758; bh=J/V85x4MxhLBMA6hWylcJxV2DIsgnx3CkNBel1ny+eM=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=PJv9uOgU+zHYOneuH7j+BCL14RCNTMtC0eTRKyI2LE4B2kq3aujLAJoXD1CfKsC2l XGR78Mu9t34SywUc6qTrLy4b08jNOCl+9qDZszZfVAqANjvG6v02TO9ZaDFCQYDwbf F1Hh9glX6cZe2pt0mMfzMmB5Qy6urKn+/Ay1wi4s=
To: Ben Schwartz <bemasc@google.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
References: <156173339678.20700.10472293883370612968.idtracker@ietfa.amsl.com> <CAHbrMsA3zHDQFG-ffZBTFP7be52GKbqcZjcrZzqKHMVFkQ=PNg@mail.gmail.com> <c5d5625d-a314-cd7a-9cb0-2505105c165e@cs.tcd.ie> <CAHbrMsCw7qH4CCLC3N_WkrWYOLMC9x0Lh5-2E-L2-29G+7XUKg@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <9b845420-91a6-d8aa-54d2-4300bdf53e68@cs.tcd.ie>
Date: Fri, 28 Jun 2019 20:22:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1
MIME-Version: 1.0
In-Reply-To: <CAHbrMsCw7qH4CCLC3N_WkrWYOLMC9x0Lh5-2E-L2-29G+7XUKg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="gVC2mNrf6QWQtskhS1eckXPiANeao359L"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XzfJgGnQCwYBT9-HtsXZ0vwykBY>
Subject: Re: [TLS] Fwd: New Version Notification for draft-schwartz-tls-lb-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2019 19:22:48 -0000
Hiya, On 28/06/2019 19:47, Ben Schwartz wrote: > On Fri, Jun 28, 2019 at 1:34 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: > >> >> Hi Ben, >> >> Thanks for posting that - good to see a start on plugging >> that gap. >> >> On 28/06/2019 17:52, Ben Schwartz wrote: >>> Hi TLS, >>> >>> This is a proposal for a very simple new protocol whose main purpose is >> to >>> enable ESNI "split mode". Ultimately, I hope that this protocol can also >>> enable more end-to-end TLS, by reducing the need for load-balancers to >>> terminate TLS. >> >> I guess an alternative would be to wrap this metadata and >> the TLS session in another possibly long-lived TLS session >> between the LB and backend. That'd have the benefit of not >> requiring a PSK, making correlation of the CH etc from TLS >> client to LB with the LB to backend non-trivial(*), but I >> guess at the cost of more CPU and per-packet overhead. >> > > I agree with this analysis. There's also a significant memory overhead to > maintain the extra TLS state. Fair point. > > The fact that a network observer can so easily correlate >> the inbound TLS packets to the LB with those outbound seems >> like a fairly major downside of this approach to me. >> > > This seems to me to be a threat modeling question, or maybe a question of > how to trade off an expanded threat model against performance > considerations. > > Overall, my feeling is that > (1) This is an area where performance sensitivity is high (both at the load > balancer and on the backend). > (2) It's worth aiming for wide deployment, because the state of the art is > TLS termination or metadata in plaintext :-(. > (3) The effectiveness of layered encryption against a pervasive passive > adversary is low, as you mention. Specifically, because > client->load-balancer connection initiation triggers a > load-balancer->backend connection setup, there is only ambiguity among the > few connections that are initiated within milliseconds of each other, and > subsequent traffic patterns are likely to disambiguate them. That's a reasonable argument. I'm not yet convinced it's where we want to land myself though. > > If you want to build an anonymizing TLS forwarder it would need long-lived > connections, padding, chaff, and probably multiplexing. This is all within > the realm of possibility but it seems like a much more difficult > proposition. Right. A TLS-in-TLS approach to split mode ESNI could be a step on that road. I'm not arguing that's a winning argument but I do think we ought tease it out. If we go back 2 or 3 years we concluded ESNI wasn't doable, but turns out it was. Not sure if there's anything practical we can do about the correlation problem in split-mode ESNI but we should think about it, and recognise it as a real issue. That reminds me: if you put out a -01, describing all that in the (missing:-) security considerations section would be a fine thing. > > If you just want obfuscation, a possible middle ground would be to > initialize a stream cipher from the PSK and let it run. For a small CPU > cost and zero size overhead, this would give you defense against basic > byte-matching. I think this is probably not worth it, but you can propose > it to the group :-). Nah, don't think I'd go for that either. Either a light-weight prepend-stuff approach like yours (but with better than a PSK), or else a TLS-in-TLS with the associated costs and benefits seem like the options here. > > The PSK would also make it hard to offer ESNI fronting to >> random backends without pre-arrangement between the LB and >> backend, should that be something someone wanted to do. I >> think that would allow less centralised deployment of ESNI, >> which I think is a pretty desirable option to preserve. >> > > This is an interesting observation. Given that TLS-in-TLS is not TLS, the > backend would still have to opt in to this system, but in principle it > might accept incoming connections from anywhere. It's not obvious how > clients would learn about these alternative ESNI hosts, but never mind that. Not a problem. The LB/fronter just has to publish it's ESNIKeys and then the backend publishes that RR value in the DNS. So the TLS client doesn't need to know that the LB/public_name and backend do/don't have a prearranged deal. > > I think this goal is reasonably achievable in the current 00 draft > protocol. A site that wants to opt in just has to publish a PSK-vending > endpoint wherever they would otherwise opt in. Then each load balancer can > reach out to acquire a unique PSK. Not sure I get what you mean there, but yes, if we follow the approach taken in your I-D, I would argue that such a key establishment mechanism would be needed, and I'd be shocked if that wasn't based on TLS:-) Cheers, S. > > Also: a diagram would really help make the draft easier to >> grok:-) >> > > Point taken. > > Cheers, >> S. >> >> (*) When I say non-trivial here I don't mean "very hard":-) >> >> >> >>> >>> Please discuss. >>> >>> Thanks, >>> Ben Schwartz >>> >>> ---------- Forwarded message --------- >>> >>> A new version of I-D, draft-schwartz-tls-lb-00.txt >>> has been successfully submitted by Benjamin M. Schwartz and posted to the >>> IETF repository. >>> >>> Name: draft-schwartz-tls-lb >>> Revision: 00 >>> Title: TLS Metadata for Load Balancers >>> Document date: 2019-06-28 >>> Group: Individual Submission >>> Pages: 8 >>> URL: >>> https://www.ietf.org/internet-drafts/draft-schwartz-tls-lb-00.txt >>> Status: https://datatracker.ietf.org/doc/draft-schwartz-tls-lb/ >>> Htmlized: https://tools.ietf.org/html/draft-schwartz-tls-lb-00 >>> Htmlized: >> https://datatracker.ietf.org/doc/html/draft-schwartz-tls-lb >>> >>> >>> Abstract: >>> A load balancer that does not terminate TLS may wish to provide some >>> information to the backend server, in addition to forwarding TLS >>> data. This draft proposes a protocol between load balancers and >>> backends that enables secure, efficient delivery of TLS with >>> additional information. The need for such a protocol has recently >>> become apparent in the context of split mode ESNI. >>> >>> >>> >>> >>> Please note that it may take a couple of minutes from the time of >> submission >>> until the htmlized version and diff are available at tools.ietf.org. >>> >>> The IETF Secretariat >>> >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >> >
- [TLS] Fwd: New Version Notification for draft-sch… Ben Schwartz
- Re: [TLS] Fwd: New Version Notification for draft… Stephen Farrell
- Re: [TLS] Fwd: New Version Notification for draft… Ben Schwartz
- Re: [TLS] Fwd: New Version Notification for draft… Stephen Farrell
- Re: [TLS] Fwd: New Version Notification for draft… Martin Thomson
- Re: [TLS] Fwd: New Version Notification for draft… Ben Schwartz
- Re: [TLS] Fwd: New Version Notification for draft… Martin Thomson
- Re: [TLS] Fwd: New Version Notification for draft… Stephen Farrell
- Re: [TLS] Fwd: New Version Notification for draft… Ben Schwartz