[TLS] Enforcing Protocol Invariants

David Benjamin <davidben@chromium.org> Tue, 12 June 2018 16:28 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F266130EEB for <tls@ietfa.amsl.com>; Tue, 12 Jun 2018 09:28:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.95
X-Spam-Level:
X-Spam-Status: No, score=-9.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4dcV2zV2AX3A for <tls@ietfa.amsl.com>; Tue, 12 Jun 2018 09:27:53 -0700 (PDT)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BCAC12D949 for <tls@ietf.org>; Tue, 12 Jun 2018 09:27:53 -0700 (PDT)
Received: by mail-qk0-x22e.google.com with SMTP id a195-v6so15432729qkg.3 for <tls@ietf.org>; Tue, 12 Jun 2018 09:27:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=rmRC5ttJYIgEwqLOzP6SOI6w/NNMNXJmP+hPcIgupbY=; b=Q5Weq38x6pO6cqSZkQ3qaNpKKzDhlUu5CI6SqfeZBh8HmanK+sf/9wy8RCFftg+XtY aYDWmk5iiMW3VpVeeM82RSfgJ6hpnDw/hoKPmDguQnv7iQuVmgc/XI0xQL8FzClGO7/h FdL96dAVtLKeh82mi3tPoODYxzrlVLIZq3XfU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=rmRC5ttJYIgEwqLOzP6SOI6w/NNMNXJmP+hPcIgupbY=; b=kx4Jb198sZ7s3l/PVBtBeJILm+p1BA9lYPz9qRvywEP0KINh6CNTkeo3kO1vQqA54H K8EpVlxiSiUPWQ2rIr5J49OY6fhm6+M3MUHHeAs3efpm682hlXaHfMmMEsgWwZ4rKNcD 9EmFd8TcOqgPu0SMMqSrkZk4RczG49MEk2rYUre4DB1OJVH+bHn4PWYiSYWdiyvfAIN3 LIhNg9Dq5ssRisxOStvOQc1xrimt+7hi0dAvCHQxx7LHUAMsuWUyYxX7gA1MNcDo5A+I /pIDilO+eD9ducl94odH2NhZUGIgBV6wT7+YvH3Fefk3p/RPJurXTBUcSkmXIan2DWYE d8dw==
X-Gm-Message-State: APt69E0sNZVQbdCov4fvQp7u8dyOrFrHp5NQ8BkjhN73qqMp5qjdCuOh kEJLiQS9IXQtptcIIs0WaUIujqT5lD4jVQlRXyOE3JM=
X-Google-Smtp-Source: ADUXVKLM9AccckBJLldH9Zs+Zggy03DoaF1O4LcDcmDL8SvZ0Xp3VpgNMyHzL6Xr4fG2S2FpxJIXlajr94rJ5RbFSOU=
X-Received: by 2002:a37:7dc2:: with SMTP id y185-v6mr1163990qkc.232.1528820872290; Tue, 12 Jun 2018 09:27:52 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Tue, 12 Jun 2018 12:27:39 -0400
Message-ID: <CAF8qwaBfG2aQTMCTQ9=8Uj1yRB7PRAaZNeNQnTPtvboxfAh6HQ@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000054091056e7459ce"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Yl1IUMwkNlJmB9wldkRJy9Mr2Do>
Subject: [TLS] Enforcing Protocol Invariants
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2018 16:28:01 -0000

Hi all,

Now that TLS 1.3 is about done, perhaps it is time to reflect on the
ossification problems.

TLS is an extensible protocol. TLS 1.3 is backwards-compatible and may be
incrementally rolled out in an existing compliant TLS 1.2 deployment. Yet
we had problems. Widespread non-compliant servers broke on the TLS 1.3
ClientHello, so versioning moved to supported_versions. Widespread
non-compliant middleboxes attempted to parse someone else’s ServerHellos,
so the protocol was further hacked to weave through their many defects.

I think I can speak for the working group that we do not want to repeat
this adventure again. In general, I think the response to ossification is
two-fold:

1. It’s already happened, so how do we progress today?
2. How do we avoid more of this tomorrow?

The workarounds only answer the first question. For the second, TLS 1.3 has
a section which spells out a few protocol invariants
<https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html#rfc.section.9.3>;.
It is all corollaries of existing TLS specification text, but hopefully
documenting it explicitly will help. But experience has shown specification
text is only necessary, not sufficient.

For extensibility problems in servers, we have GREASE
<https://tools.ietf.org/html/draft-ietf-tls-grease-01>;. This enforces the
key rule in ClientHello processing: ignore unrecognized parameters. GREASE
enforces this by filling the ecosystem with them. TLS 1.3’s middlebox woes
were different. The key rule is: if you did not produce a ClientHello, you
cannot assume that you can parse the response. Analogously, we should fill
the ecosystem with such responses. We have an idea, but it is more involved
than GREASE, so we are very interested in the TLS community’s feedback.

In short, we plan to regularly mint new TLS versions (and likely other
sensitive parameters such as extensions), roughly every six weeks matching
Chrome’s release cycle. Chrome, Google servers, and any other deployment
that wishes to participate, would support two (or more) versions of TLS
1.3: the standard stable 0x0304, and a rolling alternate version. Every six
weeks, we would randomly pick a new code point. These versions will
otherwise be identical to TLS 1.3, save maybe minor details to separate
keys and exercise allowed syntax changes. The goal is to pave the way for
future versions of TLS by simulating them (“draft negative one”).

Of course, this scheme has some risk. It grabs code points everywhere. Code
points are plentiful, but we do sometimes have collisions (e.g. 26 and 40).
The entire point is to serve and maintain TLS’s extensibility, so we
certainly do not wish to hamper it! Thus we have some safeguards in mind:

* We will document every code point we use and what it refers to. (If the
volume is fine, we can email them to the list each time.) New allocations
can always avoid the lost numbers. At a rate of one every 6 weeks, it will
take over 7,000 years to exhaust everything.

* We will avoid picking numbers that the IETF is likely to allocate, to
reduce the chance of collision. Rolling versions will not start with 0x03,
rolling cipher suites or extensions will not be contiguous with existing
blocks, etc.

* BoringSSL will not enable this by default. We will only enable it where
we can shut it back off. On our servers, we of course regularly deploy
changes. Chrome is also regularly updated and, moreover, we will gate it on
our server-controlled field trials
<https://textslashplain.com/2017/10/18/chrome-field-trials/> mechanism. We
hope that, in practice, only the last several code points will be in use at
a time.

* Our clients would only support the most recent set of rolling parameters,
and our servers the last handful. As each value will be short-lived, the
ecosystem is unlikely to rely on them as de facto standards. Conversely,
like other extensions, implementations without them will still interoperate
fine. We would never offer a rolling parameter without the corresponding
stable one.

* If this ultimately does not work, we can stop at any time and only have
wasted a small portion of code points.

* Finally, if the working group is open to it, these values could be
summarized in regular documents to reserve them, so that they are
ultimately reflected in the registries. A new document every six weeks is
probably impractical, but we can batch them up.

We are interested in the community’s feedback on this proposal—anyone who
might participate, better safeguards, or thoughts on the mechanism as a
whole. We hope it will help the working group evolve its protocols more
smoothly in the future.

David