Re: [TLS] Encryption of TLS 1.3 content type

Fabrice Gautier <fabrice.gautier@gmail.com> Fri, 25 July 2014 21:06 UTC

I also object to this proposal.

I'm not too familiar with IETF process, but shouldn't we have test
results first before we actually update the draft?
I know it's just a draft and it can probably be changed back if the
test results are bad, but it seems it might be an uphill battle then.

Also I haven't seen a discussion of what the tests would be, or what
would be considered acceptable results. I didn't think the IETF
process usually involves testing in any formal manner. I'm assuming
that this would be up to individual contributors to test this with
their own TLS 1.3 draft implementations and then raise issues if they
appear later?

If that's correct, it seems that this proposal is to update the draft
and see if anybody complains later based on actual tests.


On Fri, Jul 25, 2014 at 1:57 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Hi.
>
> I believe that changing the 5-byte record header will cause us trouble. Passive IDS/IPS devices follow TLS streams to detect certain attacks. They will cut connections. I also believe that it is impossible to “run some tests” because there are literally dozens of different such middleboxes, with multiple software/firmware versions available for each type.
>
> I therefore support leaving the 5-byte header as it is, fixing the ContentType value to 23 for all encrypted records, and having another contentType byte within the encrypted record.
>
> Yoav
>
> On Jul 25, 2014, at 1:37 PM, Joseph Salowey (jsalowey) <jsalowey@cisco.com> wrote:
>
>> At the interim meeting on July 20, 2014 there was general consensus to support the encryption of TLS 1.3 content type.  The favored approach was to remove the content type and version from the TLS record layer header and add the content type to the encrypted data.   The proposal is to update the draft to document this approach and try to run some tests to see if this causes much grief with middle boxes.  If you object to this proposal please respond to the list by Friday, August 01, 2014.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
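
Added example, not part of the original thread or of any TLS draft: a sketch of how a strict passive monitor that parses the 5-byte record header would treat the two layouts discussed above, one keeping the header with ContentType fixed to 23 and the real type inside the protected body, the other removing type and version from the header. The monitor's checks, the XOR stand-in for encryption, the trailing position of the inner type byte, the 3.3 version bytes and all function names are assumptions made for illustration.

```python
import struct

# Record types a TLS 1.2-era passive monitor expects in byte 0 of the header.
KNOWN_TYPES = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}
MAX_CIPHERTEXT = 2**14 + 2048  # TLS 1.2 limit on an encrypted fragment


def seal(data: bytes) -> bytes:
    """Placeholder for the record AEAD (assumption). NOT encryption."""
    return bytes(b ^ 0xA5 for b in data)


def legacy_monitor_check(record: bytes) -> str:
    """Hypothetical strict check a passive IDS might run on one record."""
    if len(record) < 5:
        return "reject: short header"
    ctype, major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype not in KNOWN_TYPES:
        return "reject: unknown content type"
    if major != 3:
        return "reject: bad version"
    if length > MAX_CIPHERTEXT or length != len(record) - 5:
        return "reject: bad length"
    return "accept: " + KNOWN_TYPES[ctype]


def wrap_fixed23(real_type: int, payload: bytes) -> bytes:
    """Header kept, outer type fixed to 23, real type inside the sealed body."""
    body = seal(payload + bytes([real_type]))  # trailing position is assumed
    return struct.pack("!BBBH", 23, 3, 3, len(body)) + body


def unwrap_fixed23(record: bytes) -> tuple[int, bytes]:
    """Endpoint side: unseal, then read the real content type."""
    inner = seal(record[5:])  # the XOR placeholder is its own inverse
    return inner[-1], inner[:-1]


def wrap_stripped(real_type: int, payload: bytes) -> bytes:
    """Type and version removed from the header; only a length remains."""
    body = seal(payload + bytes([real_type]))
    return struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    hello = b"constructed handshake bytes"  # constructed sample payload
    for rec in (wrap_fixed23(22, hello), wrap_stripped(22, hello)):
        print(legacy_monitor_check(rec))
```
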