Re: [TLS] ESNI PRs #124 and #125: Improving ESNI Robustness and GREASE
David Benjamin <davidben@chromium.org> Thu, 14 February 2019 20:13 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F1D612867A for <tls@ietfa.amsl.com>; Thu, 14 Feb 2019 12:13:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.499
X-Spam-Level:
X-Spam-Status: No, score=-9.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ssC0gVLu2Jak for <tls@ietfa.amsl.com>; Thu, 14 Feb 2019 12:13:25 -0800 (PST)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 069F3128D52 for <tls@ietf.org>; Thu, 14 Feb 2019 12:13:25 -0800 (PST)
Received: by mail-qk1-x732.google.com with SMTP id i5so4356083qkd.13 for <tls@ietf.org>; Thu, 14 Feb 2019 12:13:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ljgc82odNCC8dxeP/iudbHGB8gu5KqhLTGGvlJGhflM=; b=B9EZ4oFvYYSrcRoFEMnuMG17Z5qmaEH9kcYWxBar3831x4PbVuyi3QvzcP4i2AMiyF Orft/I+PZw5hGhy4THhROW7i7GRBAQI5rw0AWsQz3cytegZ4CZYdsT0xHsjezMbAemEI YVNIDpLBvVDjlZN6FGpxjK1R2hy427euh2jxU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ljgc82odNCC8dxeP/iudbHGB8gu5KqhLTGGvlJGhflM=; b=eDpzow/gYc5allewyzz1aIeueUZDSMvngYq1nf8+V7bsCsMd/fh19VibNYieJSNVId t4D9sdTziT3RrqE82BbR8eDTHFsGHjXzMJ8SQzF6uiW+AvI2TiLYIwt3xj5sw+znB/Ji P1i3BqOVD5AKzpsU6t+6riCx8s/K0lhStfroZdjz1CEIT3gEw0SW7SoRiZa9jmLkstFo Letze0o0DxgvSERLHVVJub+FKl26YXWXfypJnIunccuvknCvyp76J8Ntc60OyTuUtiL2 veS/gmGF8mL/YXVfZCkV4H97zNuy6rrn5cLtF+RNqLBtL04UnsqPizu7fjv6c2fy5tDW tBPg==
X-Gm-Message-State: AHQUAubo/Q0p7LHrj+SvJEomHq8E/c6v/2bZnyJGa7//iQDIjRmbzVFa bi6EhAyvYqvxadn4ZtvnCI3/4HIhlagDKAIdpgHY
X-Google-Smtp-Source: AHgI3IaNttCxAqVV17yoBcNLpm1BQ4T+HHVfRmC6jPG5bp+i/la+6CgzPnnOUzK+gAvq7Xzen6+2d3MOtUJvVU3NQTQ=
X-Received: by 2002:a37:98c6:: with SMTP id a189mr4167106qke.31.1550175203859; Thu, 14 Feb 2019 12:13:23 -0800 (PST)
MIME-Version: 1.0
References: <714E43FA-3660-485A-8E50-04EE43F8DA2E@gmail.com> <168e9a61d1e.cce5c9ea206228.28832954982140191@nerd.ninja> <CAF8qwaD1qSZWs-14WF3sYo1cKK4jjSoce3JaQzfj7HqmWOTKjA@mail.gmail.com> <168ed8bb0f5.1026877c920218.3245439195642672251@nerd.ninja>
In-Reply-To: <168ed8bb0f5.1026877c920218.3245439195642672251@nerd.ninja>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 14 Feb 2019 14:13:11 -0600
Message-ID: <CAF8qwaBdQeZS=bmFC955XzrVyNubB7h0WPiAQp0eZnf__Xov3Q@mail.gmail.com>
To: Roelof DuToit <r@nerd.ninja>
Cc: Christopher Wood <christopherwood07@gmail.com>, TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e0ce90581e04a19"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZIJ6Amwe7NrbkR8fKTCBopBzZeE>
Subject: Re: [TLS] ESNI PRs #124 and #125: Improving ESNI Robustness and GREASE
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 20:13:28 -0000
On Thu, Feb 14, 2019 at 1:46 PM Roelof DuToit <r@nerd.ninja> wrote: > > > > ---- On Thu, 14 Feb 2019 13:00:16 -0500 *David Benjamin > <davidben@chromium.org <davidben@chromium.org>>* wrote ---- > > On Wed, Feb 13, 2019 at 7:37 PM Roelof DuToit <r@nerd.ninja> wrote: > >> >> Questions for PR [1]: >> >> * Regarding this text: >> The client MUST NOT use the server-provided retry keys until the >> handshake completes successfully. On success, it MUST NOT overwrite the >> DNS-provided keys with the retry keys. It MUST use the retry keys at most >> once and continue offering DNS-provided keys for subsequent connections. >> This avoids introducing a tracking vector, should a malicious server >> present client-specific retry keys. >> >> .. specifically this part: ".. use the retry keys at most once". >> Q1: Are you saying the client should persistently remember which >> public_name values triggered retry keys? For how long? >> > > No, exactly the opposite. You use the retry key for just the retry and > then forget about it. > https://mailarchive.ietf.org/arch/msg/tls/xBEHe1_CcYEYinZQHxWGq8vjA0Q > > > I understood that part. Let my clarify my question with an example: > > A1. Client uses DNS-provided keys, and server returns retry keys > A2. Client uses retry keys, and everything works.. > A3. Client restarts > A4. Client uses DNS-provided keys, and server returns the same retry keys > as in A1 > A5. Client violates spec by using those retry keys for a second time? > > And what about this example: > > B1. Client uses DNS-provided keys, and server returns retry keys > B2. Client uses retry keys, and everything works.. > B3. Client uses DNS-provided keys, and server returns retry keys > B4. Client violates spec by using those retry keys for a second time? > Oh, I see. Yeah, that's just a mistake in the text. A5 and B4 aren't meant to be violations, since the client saw the retry keys again. I'll wordsmith that too in the next iteration. > > > >> Q2: What happens if fronting server A sent retry keys, and the subsequent >> transport connection ends up on server B, which also sends retry keys? >> > > You keep retrying. And hen you hit the text which says: > > > Clients SHOULD implement a limit on retries caused by > "esni_retry_request" or > > servers which do not acknowledge the "encrypted_server_name" extension. > > This is an error-correcting mechanism to avoid deployment risks. If your > TLS deployment is so out of sync with itself that: > > - It deployed ESNI keys in the DNS that your servers do not understand. > - Even on a retry to presumably the same IP address, you hit a different > server node. > - Your load balancer keeps bouncing between different server nodes > connections right after each other. > - Each of your server nodes believes in a totally disjoint set of ESNI > keys. > > Then I think giving up and failing the connection is not the end of the > world. > > > >> >> --Roelof >> >> >> ---- On Wed, 13 Feb 2019 17:15:57 -0500 *Christopher Wood >> <christopherwood07@gmail.com <christopherwood07@gmail.com>>* wrote ---- >> >> >> Hi folks, >> >> PRs [1] and [2] need a little more review before we merge since >> they’re non-trivial changes. Please have a look and let the list know >> if you have objections with the contents therein. Otherwise, we will >> merge them by the end of the next week. >> >> Thanks! >> Chris (no hat) >> >> [1] https://github..com/tlswg/draft-ietf-tls-esni/pull/124 >> <https://github.com/tlswg/draft-ietf-tls-esni/pull/124> >> >> [2] https://github.com/tlswg/draft-ietf-tls-esni/pull/125 >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > >
- [TLS] ESNI PRs #124 and #125: Improving ESNI Robu… Christopher Wood
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … Stephen Farrell
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … David Benjamin
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … Stephen Farrell
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … Mike Bishop
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … David Benjamin
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … Roelof DuToit
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … David Benjamin
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … David Benjamin
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … Salz, Rich
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … Stephen Farrell
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … Roelof DuToit
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … Stephen Farrell
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … David Benjamin
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … Roelof DuToit
- Re: [TLS] ESNI PRs #124 and #125: Improving ESNI … David Benjamin