Re: [TLS] Is stateless HelloRetryRequest worthwhile? (was Re: TLS 1.3 Problem?)

Hannes.Tschofenig@gmx.net Wed, 30 September 2020 17:27 UTC

Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A89953A0A49 for <tls@ietfa.amsl.com>; Wed, 30 Sep 2020 10:27:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E9gQ3gXI_bYM for <tls@ietfa.amsl.com>; Wed, 30 Sep 2020 10:27:46 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 557223A0A38 for <tls@ietf.org>; Wed, 30 Sep 2020 10:27:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1601486860; bh=dkCRhQoj2IW62xU3ZLr9MORHI3GXS/nq/k60cC9adPo=; h=X-UI-Sender-Class:From:To:References:In-Reply-To:Subject:Date; b=J4zuGhryXBGPKaQMV3Off4Xj0bEIUVOa/2wPiUd1HlnWsOxrM8cI3337fv3JHOh+u pTxgLNqY5VDflCRb+5+5j4ppBIvYQJDAnm5o6bkXAfj74L8UovDeNefBNzpkQiKS+4 bqruCJHLn3+DBUGGUSw8YMGD1Ci5tL2gk2HxAW6E=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from E119863 ([185.176.157.144]) by mail.gmx.com (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MbAcs-1kywa42tmS-00bfeR; Wed, 30 Sep 2020 19:27:40 +0200
From: <Hannes.Tschofenig@gmx.net>
To: "'Michael D'Errico'" <mike-list@pobox.com>, <tls@ietf.org>
References: <0c31f2d6-5f8e-2fd6-9a1a-08b7902dd135@pobox.com> <AM0PR08MB37164F2D0E0CE5FB6D62D461FA350@AM0PR08MB3716.eurprd08.prod.outlook.com> <1c7e2f31-8a9e-4bd8-9e80-ab18ebeb609f@www.fastmail.com> <CACsn0cmbDz3ML8o5moAacqfXqYQo-Hqi53XQL6UoGYcZBwy-Mg@mail.gmail.com> <96777977-7707-4311-9876-ca3d53f57f3e@www.fastmail.com> <9b2bb784-5895-bc8a-fae5-1c2056972f97@pobox.com> <eaace566-4fe2-4e86-8382-e0583ce43435@www.fastmail.com> <24f5cd7e-4fff-ce47-f9d9-840dff3f23aa@pobox.com> <3b48fa2d-f923-40ee-a93f-e0896a96fc1b@www.fastmail.com> <ba70c2ba-9023-4cc8-974a-01a64a60de2d@www.fastmail.com> <82488341-a4c6-2ed9-d8e2-6479151a5f90@pobox.com>
In-Reply-To: <82488341-a4c6-2ed9-d8e2-6479151a5f90@pobox.com>
Date: Wed, 30 Sep 2020 19:27:39 +0200
Message-ID: <03ba01d6974e$ffaefe30$ff0cfa90$@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQENHY4oM9Gncf3xDJusovVsGka6XwJ7J7XlAZq3kYoBs7cNiwClLSWOAYYeJegCKJEYVAGl8T25Ahxx4BMBc157cALsBjEXqoJokVA=
x-ts-tracking-id: 3FEA78183D86CB40833BFE74EED64D3B.0
x-checkrecipientchecked: true
X-Provags-ID: V03:K1:ggRW2FwdRMCwDW2V2aoobovCimnBy3EYiTYQq1fOa8+ESdv8Qrk cOaLUVSNvxRK8Du0IMpTeDQTA8uudddATxkRnpDgC/T/Zxzte0RZBpydCr44yhV+p5e5MRk toQmDvd6yN9yZfMNo5vLWGBz4Wht5cGfvHbU5GxJoklHpoFmO8ULiklkQ+jlsYa7Emuy5Mi KOWu44EY0k1nqbLzMw2sw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:u5J2SGwyetM=:d69lRInkw2VXbtf/d7R3bE szeUQOfahP6Guq0U5tVkMy88HhfGcsYvQOtzSzOyKC+wQ6sC62Wns8p6UzTF3nmDikyGNWrrw JYbfnuNLEeFrBfIvsT9aTsa2CNgNK0AiSjBLmiC2YVuSgGP92wIeoaRimMAe8GcUw41287x5n EpGHQpw15rpDAWjS5mGNZuPnIBqX6X/hLC7MF2gUpKA7LGTG515C+HCtqBhLqOQ2VoWPTAFEM sB0dysK5/6RZJrFnXPTVLQ4I8fqFH6s/Jq9w2ssPjzno0UpZ2TdPd13slytrOr21mriCp2ABx aAzvVxCZjVd0rgzVGNgEReVbnXxPQcTT61h1DM60SUG0Kfg1oey8nE5D6fIVUPR5XvsMHzgxg R1JhrKwMSqopiEthwLUnGsr5kUg/2jRoJMKm1KIiugFMzMd0dgN8w5Z5vjfcgSU7xKXkUJztG 9Q475e79KdQrn8igiImenBBJh7si5N5JQ8tIC17dRb7lyexPcMjw/VRLSsM7tXbWSFXVYjkR7 SDzH2kQdzOR7Ik+aZF//i2tHEVbDSBKa64iPegCfuO3EZncxIQZQMHVLfLWyFSGKdannEVBfI kRZ/ABvm9q+GGKdc4RvJMP8Jc6TgVosvBjDOKjWIZ7CcmUCZXhU++peHvkKlw4sOYz+ypdMyv voMo/l7KW5Y3D2d2WZUpInTpyAZjfjJ6shncZ2AfvJRvRdW+s7o+rHz/VYdG/yQM4G8ZnOi0U iSrDBfjGZOGCWnmP+U7dxYF4kkHyeIlFqIFr3BT67cNvHM7C7IS9SnHDNzYBzs+4KEuhYJMvf VoX7haHg41lja2X3k6/I6XJg2ru8j7ZW3QGpuGwUCgtf26QIiSPnaui6xRGHmKqVwh7tJgbL+ nEzMzQ81kSa57DDYHVXSwXIGCUqC/YqznGJEFMqw9ux4pKCycdpP2Z3jjfUHYYXxibMc9pFrx rvwmaCuXnZyAtX86E/XHpjnWyvOBiEMlkiSkJvYhblFxA7ftZULZTB5ffF6HW+56cBhEQ8+Yj EjBcADNVeQNnoq/LDkCKXU1Dq8P4uubZzriPgaujx6u+hwAH5f3YMXAqcZJCXNZqx6/awkLvU NzAGmdkWPXr7uMAUKoijPfzlNkoe/nBnFXtvyDsGHlPIP4legOcfCmNFA/wg+DBoUutp0mGAJ Izg1rKuvRM0/29BKk2uD4Cn3Lkw50wNsGRV3XXMjfHxnp8gAIH648S21JtZLHoLkb6BqiyztC BLIVLkTj8Yc1nSUtBrhlofsWozfGhkrOuwdWFmg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_f6HfyhUi2SghDP5b4gaET5Tz6Q>
Subject: Re: [TLS] Is stateless HelloRetryRequest worthwhile? (was Re: TLS 1.3 Problem?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2020 17:27:49 -0000

Mike, 

DTLS 1.3 can be found here: 
https://tools.ietf.org/html/draft-ietf-tls-dtls13-38

The HRR is used in DTLS 1.3 for DDoS prevention. 

Ciao
Hannes

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Michael D'Errico
Sent: Wednesday, September 30, 2020 7:21 PM
To: tls@ietf.org
Subject: Re: [TLS] Is stateless HelloRetryRequest worthwhile? (was Re: TLS 1.3 Problem?)

 > The costs you describe are trivial.

The general idea among developers these days that CPU cycles are free is a huge problem.

You didn't answer my biggest question, though, which was whether you (or anybody else!) has had success using stateless HelloRetryRequest to increase the number of connections a datacenter can handle due to the fact that the servers were memory-bound.  The amount of memory to hold the first ClientHello message is trivial.  But if doing stateless HRR has measurably increased the performance of a data center's web serving capability, I'll change my mind about it.

 > We also implement DTLS where this is properly useful.

I can't find the DTLS 1.3 spec.  Which RFC is it?

Mike

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls