[TLS] invariant or not: one TLS connection per TCP connection?

Benjamin Kaduk <bkaduk@akamai.com> Wed, 08 July 2020 10:58 UTC

Date: Tue, 7 Jul 2020 21:22:24 -0700
From: Benjamin Kaduk <bkaduk@akamai.com>
To: tls@ietf.org
Message-ID: <20200708042223.GB20623@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YEI2oOwy4TUbTbKshsCm5MfSiTA>

Hi all,

There's an interesting note in draft-ietf-nfsv4-rpc-tls-08 (currently
in IESG Evaluation):

   The protocol convention specified in the current document assumes
   there can be no more than one concurrent TLS session per TCP
   connection.  This is true of current generations of TLS, but might be
   different in a future version of TLS.

Can we envision wanting to do such a thing (e.g., with connection IDs for
non-D TLS)?  If not, I can give them guidance that this type of statement
is not needed.

Thanks,

Ben
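An added illustration of why the invariant holds for current TLS (this is example code written for this archive page, not part of Ben's message, of the rpc-tls draft, or of any TLS implementation): the record header a receiver reads off a TCP connection carries only a content type, a legacy version and a length (RFC 8446, section 5.1), so there is no field that could name a second TLS connection on the same socket; every record necessarily belongs to the one connection state bound to that socket. DTLS with Connection IDs (RFC 9146, section 4) is the existing counterexample, because its record header carries a CID that replaces the transport address as the demultiplexing key. The byte strings, the 5-tuple string and the 4-byte CID below are constructed for the example; the CID length is an assumption the receiver would normally know because it chose its own CID.

```python
"""
Record-layer demultiplexing sketch: TLS over TCP (RFC 8446 section 5.1)
versus DTLS 1.2 with Connection IDs (RFC 9146 section 4).
Added example; all byte strings are constructed, not captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

TLS12_CID = 25                   # ContentType tls12_cid (RFC 9146)
MAX_TLS_RECORD = 2 ** 14 + 256   # TLSCiphertext.length upper bound (RFC 8446 section 5.2)


@dataclass
class Record:
    content_type: int
    version: bytes
    cid: Optional[bytes]   # None for TLS over TCP: the header has no connection identifier
    payload: bytes


def parse_tcp_tls_stream(data: bytes) -> List[Record]:
    """Split bytes read from one TCP connection into TLS records.

    Header is type(1) | legacy_record_version(2) | length(2).  Nothing in it
    can distinguish a second TLS connection, so every record is handed to the
    single connection state bound to this socket.
    """
    records: List[Record] = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!B2sH", data[off:off + 5])
        if length > MAX_TLS_RECORD:
            raise ValueError(f"record length {length} exceeds 2^14+256")
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record body")
        records.append(Record(ctype, version, None, body))
        off += 5 + length
    return records


def parse_dtls_cid_record(datagram: bytes, cid_length: int) -> Record:
    """Parse one DTLS 1.2 record that carries a Connection ID.

    Header is type(1)=25 | version(2) | epoch(2) | sequence_number(6) |
    cid(cid_length) | length(2).  cid_length is not on the wire: the receiver
    knows it because it chose its own CID (assumed here to be 4 bytes).
    """
    fixed = 1 + 2 + 2 + 6
    if len(datagram) < fixed + cid_length + 2:
        raise ValueError("truncated DTLS CID header")
    ctype = datagram[0]
    if ctype != TLS12_CID:
        raise ValueError(f"content type {ctype} is not tls12_cid")
    version = datagram[1:3]
    cid = datagram[fixed:fixed + cid_length]
    (length,) = struct.unpack("!H", datagram[fixed + cid_length:fixed + cid_length + 2])
    start = fixed + cid_length + 2
    payload = datagram[start:start + length]
    if len(payload) < length:
        raise ValueError("truncated DTLS record body")
    return Record(ctype, version, cid, payload)


def demux_key(rec: Record, transport_5tuple: str) -> str:
    """Pick the key that selects the TLS connection state for a record.

    Over TCP the key is the transport 5-tuple alone, i.e. one TLS connection
    per TCP connection.  With a CID present, the CID is the key instead.
    """
    if rec.cid is None:
        return transport_5tuple
    return "cid:" + rec.cid.hex()


# Constructed sample input: two TLS records back to back on one TCP stream
# (application_data carrying b"hello", then a 2-byte alert), and one DTLS
# datagram with a 4-byte CID 0xdeadbeef and a 3-byte encrypted body.
TCP_STREAM = b"\x17\x03\x03\x00\x05hello" + b"\x15\x03\x03\x00\x02\x01\x00"
DTLS_DATAGRAM = (b"\x19" + b"\xfe\xfd" + b"\x00\x01" + b"\x00\x00\x00\x00\x00\x07"
                 + b"\xde\xad\xbe\xef" + b"\x00\x03" + b"abc")
FIVE_TUPLE = "10.0.0.1:5555->10.0.0.2:443/tcp"   # constructed


if __name__ == "__main__":
    for r in parse_tcp_tls_stream(TCP_STREAM):
        print("tcp record", r.content_type, demux_key(r, FIVE_TUPLE), r.payload)
    d = parse_dtls_cid_record(DTLS_DATAGRAM, cid_length=4)
    print("dtls record", d.content_type, demux_key(d, "udp-peer-address-irrelevant"), d.payload)
```

The point the code makes concrete is the one the draft hedges on: a TLS-over-TCP record stream has nowhere to put a connection identifier, so a future "connection IDs for non-D TLS" would need a new record format (as RFC 9146 introduced `tls12_cid` for DTLS), not merely a convention.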