Re: [TLS] Fwd: New Version Notification for draft-schwartz-tls-lb-00.txt

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 28 June 2019 19:22 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86406120850 for <tls@ietfa.amsl.com>; Fri, 28 Jun 2019 12:22:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TdxH0gvlIK1U for <tls@ietfa.amsl.com>; Fri, 28 Jun 2019 12:22:44 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E058120473 for <tls@ietf.org>; Fri, 28 Jun 2019 12:22:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 018FABE39; Fri, 28 Jun 2019 20:22:41 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bJteyW3Iqo1T; Fri, 28 Jun 2019 20:22:38 +0100 (IST)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 21483BE2E; Fri, 28 Jun 2019 20:22:38 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1561749758; bh=J/V85x4MxhLBMA6hWylcJxV2DIsgnx3CkNBel1ny+eM=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=PJv9uOgU+zHYOneuH7j+BCL14RCNTMtC0eTRKyI2LE4B2kq3aujLAJoXD1CfKsC2l XGR78Mu9t34SywUc6qTrLy4b08jNOCl+9qDZszZfVAqANjvG6v02TO9ZaDFCQYDwbf F1Hh9glX6cZe2pt0mMfzMmB5Qy6urKn+/Ay1wi4s=
To: Ben Schwartz <bemasc@google.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
References: <156173339678.20700.10472293883370612968.idtracker@ietfa.amsl.com> <CAHbrMsA3zHDQFG-ffZBTFP7be52GKbqcZjcrZzqKHMVFkQ=PNg@mail.gmail.com> <c5d5625d-a314-cd7a-9cb0-2505105c165e@cs.tcd.ie> <CAHbrMsCw7qH4CCLC3N_WkrWYOLMC9x0Lh5-2E-L2-29G+7XUKg@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <9b845420-91a6-d8aa-54d2-4300bdf53e68@cs.tcd.ie>
Date: Fri, 28 Jun 2019 20:22:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1
MIME-Version: 1.0
In-Reply-To: <CAHbrMsCw7qH4CCLC3N_WkrWYOLMC9x0Lh5-2E-L2-29G+7XUKg@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="gVC2mNrf6QWQtskhS1eckXPiANeao359L"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XzfJgGnQCwYBT9-HtsXZ0vwykBY>
Subject: Re: [TLS] Fwd: New Version Notification for draft-schwartz-tls-lb-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2019 19:22:48 -0000

Hiya,

On 28/06/2019 19:47, Ben Schwartz wrote:
> On Fri, Jun 28, 2019 at 1:34 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> 
>>
>> Hi Ben,
>>
>> Thanks for posting that - good to see a start on plugging
>> that gap.
>>
>> On 28/06/2019 17:52, Ben Schwartz wrote:
>>> Hi TLS,
>>>
>>> This is a proposal for a very simple new protocol whose main purpose is
>> to
>>> enable ESNI "split mode".  Ultimately, I hope that this protocol can also
>>> enable more end-to-end TLS, by reducing the need for load-balancers to
>>> terminate TLS.
>>
>> I guess an alternative would be to wrap this metadata and
>> the TLS session in another possibly long-lived TLS session
>> between the LB and backend. That'd have the benefit of not
>> requiring a PSK, making correlation of the CH etc from TLS
>> client to LB with the LB to backend non-trivial(*), but I
>> guess at the cost of more CPU and per-packet overhead.
>>
> 
> I agree with this analysis.  There's also a significant memory overhead to
> maintain the extra TLS state.

Fair point.

> 
> The fact that a network observer can so easily correlate
>> the inbound TLS packets to the LB with those outbound seems
>> like a fairly major downside of this approach to me.
>>
> 
> This seems to me to be a threat modeling question, or maybe a question of
> how to trade off an expanded threat model against performance
> considerations.
> 
> Overall, my feeling is that
> (1) This is an area where performance sensitivity is high (both at the load
> balancer and on the backend).
> (2) It's worth aiming for wide deployment, because the state of the art is
> TLS termination or metadata in plaintext :-(.
> (3) The effectiveness of layered encryption against a pervasive passive
> adversary is low, as you mention.  Specifically, because
> client->load-balancer connection initiation triggers a
> load-balancer->backend connection setup, there is only ambiguity among the
> few connections that are initiated within milliseconds of each other, and
> subsequent traffic patterns are likely to disambiguate them.

That's a reasonable argument. I'm not yet convinced it's
where we want to land myself though.

> 
> If you want to build an anonymizing TLS forwarder it would need long-lived
> connections, padding, chaff, and probably multiplexing.  This is all within
> the realm of possibility but it seems like a much more difficult
> proposition.

Right. A TLS-in-TLS approach to split mode ESNI could be a
step on that road. I'm not arguing that's a winning argument
but I do think we ought tease it out. If we go back 2 or 3
years we concluded ESNI wasn't doable, but turns out it was.
Not sure if there's anything practical we can do about the
correlation problem in split-mode ESNI but we should think
about it, and recognise it as a real issue.

That reminds me: if you put out a -01, describing all that
in the (missing:-) security considerations section would be
a fine thing.

> 
> If you just want obfuscation, a possible middle ground would be to
> initialize a stream cipher from the PSK and let it run.  For a small CPU
> cost and zero size overhead, this would give you defense against basic
> byte-matching.  I think this is probably not worth it, but you can propose
> it to the group :-).

Nah, don't think I'd go for that either. Either a light-weight
prepend-stuff approach like yours (but with better than a PSK),
or else a TLS-in-TLS with the associated costs and benefits
seem like the options here.

> 
> The PSK would also make it hard to offer ESNI fronting to
>> random backends without pre-arrangement between the LB and
>> backend, should that be something someone wanted to do. I
>> think that would allow less centralised deployment of ESNI,
>> which I think is a pretty desirable option to preserve.
>>
> 
> This is an interesting observation.  Given that TLS-in-TLS is not TLS, the
> backend would still have to opt in to this system, but in principle it
> might accept incoming connections from anywhere.  It's not obvious how
> clients would learn about these alternative ESNI hosts, but never mind that.

Not a problem. The LB/fronter just has to publish it's ESNIKeys
and then the backend publishes that RR value in the DNS. So
the TLS client doesn't need to know that the LB/public_name
and backend do/don't have a prearranged deal.

> 
> I think this goal is reasonably achievable in the current 00 draft
> protocol.  A site that wants to opt in just has to publish a PSK-vending
> endpoint wherever they would otherwise opt in.  Then each load balancer can
> reach out to acquire a unique PSK.

Not sure I get what you mean there, but yes, if we follow the
approach taken in your I-D, I would argue that such a key
establishment mechanism would be needed, and I'd be shocked
if that wasn't based on TLS:-)

Cheers,
S.

> 
> Also: a diagram would really help make the draft easier to
>> grok:-)
>>
> 
> Point taken.
> 
> Cheers,
>> S.
>>
>> (*) When I say non-trivial here I don't mean "very hard":-)
>>
>>
>>
>>>
>>> Please discuss.
>>>
>>> Thanks,
>>> Ben Schwartz
>>>
>>> ---------- Forwarded message ---------
>>>
>>> A new version of I-D, draft-schwartz-tls-lb-00.txt
>>> has been successfully submitted by Benjamin M. Schwartz and posted to the
>>> IETF repository.
>>>
>>> Name:           draft-schwartz-tls-lb
>>> Revision:       00
>>> Title:          TLS Metadata for Load Balancers
>>> Document date:  2019-06-28
>>> Group:          Individual Submission
>>> Pages:          8
>>> URL:
>>> https://www.ietf.org/internet-drafts/draft-schwartz-tls-lb-00.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-schwartz-tls-lb/
>>> Htmlized:       https://tools.ietf.org/html/draft-schwartz-tls-lb-00
>>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-schwartz-tls-lb
>>>
>>>
>>> Abstract:
>>>    A load balancer that does not terminate TLS may wish to provide some
>>>    information to the backend server, in addition to forwarding TLS
>>>    data.  This draft proposes a protocol between load balancers and
>>>    backends that enables secure, efficient delivery of TLS with
>>>    additional information.  The need for such a protocol has recently
>>>    become apparent in the context of split mode ESNI.
>>>
>>>
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>> submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>
>