Re: [TLS] Connection ID in TLS

"Fossati, Thomas (Nokia - GB/Cambridge)" <thomas.fossati@nokia.com> Tue, 20 March 2018 17:15 UTC

From: "Fossati, Thomas (Nokia - GB/Cambridge)" <thomas.fossati@nokia.com>
To: John Mattsson <john.mattsson@ericsson.com>, "TLS@ietf.org" <TLS@ietf.org>
Date: Tue, 20 Mar 2018 17:15:01 +0000
Message-ID: <A32E0C44-51E8-4D2D-AF1C-A55A5065E143@nokia.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_17V3C4OsxXhUvt3d1NmNh4OpIA>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 20/03/2018, 16:38, "TLS on behalf of John Mattsson" <tls-bounces@ietf.org on behalf of john.mattsson@ericsson.com> wrote:
> At the Monday afternoon TLS session, it was stated that Connection ID
> in TLS was unemployable in the wild due to middleboxes. Couldn't that
> be solved by placing the cid field after the length field?

Are you referring to slide 13 of [1]?

If so, the problem is not CID-specific.  It's more generally what
could happen if we try and reuse the top bit of the length field
for other purposes.

Yoav brought up the case of an intercepting middlebox - one that needs to
pretend to be a fully-fledged TLS server.  That kind of box might
either:
- let the extension that enables repurposing the length's MSB pass
  through, and subsequently choke on the invalid length [HARD FAIL];
- eat up the unknown extension and therefore break the feature
  negotiation [SOFT FAIL].

Cheers


[1] https://datatracker.ietf.org/meeting/101/materials/slides-101-tls-sessb-record-header-extensions-for-dtls-00
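
Added example, not part of Thomas Fossati's message or of the slides it cites: a small model of the two failure modes he lists. The DTLS 1.2 record header layout and the 2^14 + 2048 length bound are from RFC 6347; everything else is an assumption made for illustration, namely that the hypothetical extension signals "a CID follows the header" by setting the most significant bit of the 16-bit length field, that the extension is called connection_id, and that the CID length is known to the CID-aware peer out of band. A legacy parser that trusts the full 16 bits rejects such a record (the HARD FAIL); a middlebox that silently drops the unknown extension leaves the CID un-negotiated (the SOFT FAIL).

```python
import struct
from typing import Optional

# DTLS 1.2 record header, RFC 6347 section 4.1:
#   ContentType(1) ProtocolVersion(2) epoch(2) sequence_number(6) length(2)
DTLS_HDR = struct.Struct("!BHH6sH")
DTLS12_VERSION = 0xFEFD
APPLICATION_DATA = 23
MAX_RECORD_LEN = 2**14 + 2048      # RFC 6347: DTLSCiphertext.length MUST NOT exceed 2^14 + 2048

# ASSUMPTION (not from the thread): the hypothetical extension marks "a CID follows the
# header" by setting the most significant bit of the 16-bit length field.
CID_FLAG = 0x8000
CID_EXTENSION = "connection_id"   # hypothetical extension name for the negotiation model


class HardFail(Exception):
    """Raised when a parser rejects a record outright."""


def build_record(epoch: int, seq: int, payload: bytes, cid: Optional[bytes] = None) -> bytes:
    """Build a DTLS 1.2 record; with a CID, set the length MSB and prepend the CID to the body."""
    if len(payload) > MAX_RECORD_LEN:
        raise ValueError("payload too large for one record")
    length = len(payload)
    body = payload
    if cid is not None:
        length |= CID_FLAG
        body = cid + payload
    return DTLS_HDR.pack(APPLICATION_DATA, DTLS12_VERSION, epoch, seq.to_bytes(6, "big"), length) + body


def parse_legacy(record: bytes) -> dict:
    """A pre-CID parser (e.g. an intercepting middlebox): treats all 16 bits as the length."""
    ctype, version, epoch, seq, length = DTLS_HDR.unpack_from(record)
    if length > MAX_RECORD_LEN:
        # The HARD FAIL from the thread: 0x8000 | n is always larger than 2^14 + 2048.
        raise HardFail(f"length {length:#06x} exceeds 2^14+2048")
    payload = record[DTLS_HDR.size:DTLS_HDR.size + length]
    if len(payload) != length:
        raise HardFail("truncated record")
    return {"epoch": epoch, "seq": int.from_bytes(seq, "big"), "cid": None, "payload": payload}


def parse_cid_aware(record: bytes, cid_len: int) -> dict:
    """A peer that negotiated the extension: masks the flag bit and pulls the CID off the body."""
    ctype, version, epoch, seq, length = DTLS_HDR.unpack_from(record)
    has_cid = bool(length & CID_FLAG)
    length &= ~CID_FLAG & 0xFFFF
    if length > MAX_RECORD_LEN:
        raise HardFail(f"length {length:#06x} exceeds 2^14+2048")
    body = record[DTLS_HDR.size:]
    cid = body[:cid_len] if has_cid else None
    payload = body[cid_len:cid_len + length] if has_cid else body[:length]
    if len(payload) != length:
        raise HardFail("truncated record")
    return {"epoch": epoch, "seq": int.from_bytes(seq, "big"), "cid": cid, "payload": payload}


def middlebox_scenario(middlebox_strips_unknown: bool) -> dict:
    """Model an intercepting middlebox that does not know the extension (constructed scenario)."""
    client_hello_exts = {"supported_groups", CID_EXTENSION}
    known_to_middlebox = {"supported_groups"}
    # SOFT FAIL path: the box eats extensions it does not understand, so the server never sees it.
    seen_by_server = client_hello_exts & known_to_middlebox if middlebox_strips_unknown else client_hello_exts
    cid_negotiated = CID_EXTENSION in seen_by_server
    cid = b"\x2a\x2a" if cid_negotiated else None
    record = build_record(epoch=1, seq=7, payload=b"ping", cid=cid)
    try:
        parse_legacy(record)   # the box stays on path and parses every record with legacy rules
        middlebox_result = "ok"
    except HardFail as e:
        middlebox_result = f"HARD FAIL: {e}"
    if not cid_negotiated:
        mode = "SOFT FAIL"
    elif middlebox_result != "ok":
        mode = "HARD FAIL"
    else:
        mode = "none"
    return {"cid_negotiated": cid_negotiated, "middlebox_result": middlebox_result, "failure_mode": mode}


if __name__ == "__main__":
    for strips in (False, True):
        print("middlebox strips unknown extensions =", strips, "->", middlebox_scenario(strips))
```

Running the module prints one line per scenario: with the extension passed through, the CID is negotiated and the middlebox then rejects every record on length; with the extension stripped, records parse fine but no CID is ever carried. Placing the CID after an unmodified length field, as John Mattsson suggests, would remove only the first of these two outcomes.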