IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Eric Rescorla <ekr@rtfm.com> Fri, 13 October 2017 15:59 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDA49126B71 for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 08:59:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wtDEbAGkAbGN for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 08:59:06 -0700 (PDT)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7834A126E64 for <tls@ietf.org>; Fri, 13 Oct 2017 08:59:06 -0700 (PDT)
Received: by mail-qt0-x230.google.com with SMTP id 8so20446602qtv.1 for <tls@ietf.org>; Fri, 13 Oct 2017 08:59:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pk7ZHhTfBkbKe2P7GHbLX+m/OPOpxBOrOsHqgTKnD40=; b=hrPInjA6S0VydltjtANsgQWFApDyWDSQ68KidFnBVawpPJXbUwTHpYn603IrXKc/d6 DOhFlcoMQBJM6GvIbCUdiIabNs6tnBLDQBBQ6Hz7trR8LimnfaP/EcN+ktngRKO5+98G zQWBG47F+5M60QXyaDfsXQWqBRQXfORIrYqDyVzGL/4W+gSx0Tov5u8maP6CTsyOwwzl 5VcgyRmy3wxmY5kPDb5UxJEKxwIsR29ae6W17L6S3pSl68sX8duqCDAm1KMZZUgPxk+6 OUXH/Q64UEhGwBzYRhPQ2T12gk9KoLx8hQ/Jv9ldx4oAFr/6G0ZKmOdHmr3gYTCIdcA3 WSgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pk7ZHhTfBkbKe2P7GHbLX+m/OPOpxBOrOsHqgTKnD40=; b=NwNj/5L9qk1QYqug4NQBWmz3gOfRPYrqLkP7AwUIZ+gLCpmYvAilIjOJxY+oIUbcHR NmB925UIVZT4Uo7SXJz/HMQi+eEEMKySNaxnlbtjHZjEj2Xl/yKP3TPJ2PVXAnFXaU4L 8mqft/Itpa69o6CXZ7EVRjJUND/6kiStEvoYojS70yWNWuvyhevxZ8J6UIPpMYXeJ2Pm hNbTEr8TFJq+rHBkWLlovF7scBGCgV3m+IZBoDc6EgMN1xy7/wxfVfGZv0Sc5+kUBxu4 XfB7DdxgoRByzhAyo+mlAwTviEX7MU2NmxD6s5Wki1PCj351/AA++g2cpuAnyNdR1jvG 3cug==
X-Gm-Message-State: AMCzsaXNhpV6z/xaU3c/C56mTpkbvLC8ZqvkLDeRcvOHCGYDGq2PImDJ Uu/hGl/WA3eFhrDDiZnbvk+PcKMRsOzU5m7tdKfGqQ==
X-Google-Smtp-Source: AOwi7QAiRGNzFzTuY+im2OgFoKZ7YTuR8RrDLsPuqPPdjBV6rhvNJhMt+xIwOjTGj1IjcItR+DAn5sz8YMb28xVB69g=
X-Received: by 10.129.86.212 with SMTP id k203mr1231976ywb.155.1507910345517; Fri, 13 Oct 2017 08:59:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.194 with HTTP; Fri, 13 Oct 2017 08:58:24 -0700 (PDT)
In-Reply-To: <016ec9b6-d59e-531a-0930-9f355edb34be@cs.tcd.ie>
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com> <574d133f-0531-2206-c7d3-825ebaffacdd@cs.tcd.ie> <CABcZeBM_xUadFDnAK-FLGjqciDOLGoePv8xhSFkmBYS5nooXxQ@mail.gmail.com> <765bb5b0-2129-9ea8-2c51-b6b4163748e8@cs.tcd.ie> <CABcZeBNbt-ZB=8jsp=pKkDfS9qKOogfmjeAieN6KC9KBNkWnrg@mail.gmail.com> <016ec9b6-d59e-531a-0930-9f355edb34be@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 13 Oct 2017 08:58:24 -0700
Message-ID: <CABcZeBP_a_tLkMz87CBNzsv7LCpPCHYMTk2asN8hHHtgN1ZRFQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11431f927f8ce5055b6fbcfd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aO96_GcAiB1zsBeC7u5nAp2orDY>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2017 15:59:09 -0000

On Fri, Oct 13, 2017 at 7:52 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 13/10/17 15:29, Eric Rescorla wrote:
> > There are a number of cases where this is actually much harder to
> implement
> > than a design where one side dictates the connection ID. For instance,
> > consider a design where you have a pool of servers P1, P2, ... P_n with a
> > load balancer in front.
> > Each server i generates connection IDs of the form i || Random. The load
> > balancer then just looks at the first byte and routes to the appropriate
> > load balancer [0]. In this design, the LB can be totally stateless,
> whereas
> > in the design you propose, it has to (a) have a back-channel to the
> server
> > to get the initial conn-id (b), do crypto (c) store state for all the
> live
> > connections.
>
> Pre-pending a fixed length (known to both sides) load-balancer
> ID would be fine, sure. That'd change the function to something
> like:
>     next-id = lb-id || H(foo||prev-id)
>
> So long as each load balancer is busy enough that still has the
> hard-to-link property I think. The length of the lb-id could be
> fixed or part of the negotiation, with zero being a fine length
> when there's no lb-id needed.
>

Well, this is a lot more complicated for the client and unless you place
very strict limits on lb-id, it ends up with the server just dictating an
identifier to the client so you have the scheme in this draft.



> I think this'd work ok regardless of who controls the initial id
> value, so long as we don't need ids to work like tickets (where
> the id value would be the ciphertext of some state info).
>

That's actually a design that people consider quite often and has been
discussed
for QUIC.



> In addition, consider what happens when you get a CID you don't recognize.
> > It might be nonsense but it might be that there was a cryptic CID change
> > (e.g., the client did two changes but you missed a packet). You need to
> > decide the number of changes you're willing to tolerate and then the
> table
> > has to be that big times the number of connections (or you need to fill
> it
> > in whenever you get an unknown CID, which the attacker can send you at
> any
> > time).
>
> Yes, schemes like this can be worse when packets go missing
> around the time of an id change.
>
> However, I think with this scheme (which isn't even on a napkin
> yet, just these mails:-),


Sure but we contemplated a number of these designs for QUIC, so we're not
starting from scratch here.




> he sending side would just make the
> change when they want, and wouldn't signal that it's changed the
> id. So, in some cases (say if receivers store current and next,
> and id changes and packet losses are infrequent) a single packet
> drop would be just that and the id change wouldn't affect things
> at all. In the putative nb-IoT case I mentioned before then it
> could be a good bit worse unless the receiver stores a bunch of
> future ids. (I agree some work is needed to figure out if there's
> an acceptable scheme here, so for now I'm arguing that we not
> preclude such schemes when adopting your draft.)
>
> In figuring this out, I'd argue that we ought be comparing ideas
> like this against two things: 1) the simplest solution that does
> allow linkabillity and 2) the costs of setting up a new TLS
> session to avoid linkability. While this or similar schemes will
> look bad compared to (1), they will likely look pretty good
> compared to (2).
>
> Of course, how one evaluates such comparisons will depend on how
> serious a threat one considers linkabillity. I'd argue that many
> devices that'll need connections ids will be devices where the
> possibility of linkability could be a significant threat and where
> new TLS session establishment will be rare, so we therefore ought
> provide some good method of avoiding linkability.
>

I'd say three things here:

1. First, as I said we considered a lot of different designs for providing
better unlinkability than the design in this draft, and none of the
ones that did significantly better had reasonable scaling properties.

2. The precise point of designing this as an extension is that if we
had a better design we could drop it in with a new extension code point,
so accepting this design doesn't preclude anything.

3. You seem to be claiming that your design has better linkability
properties than the design in this draft, but as far as I can tell that's
not correct. In both cases, either side can occasionally change
conn-ids (you can't change in each packet for the scaling reasons
I indicated). In your design one side does so unilaterally, but there
are packet loss concerns, and in the draft, you have to solicit new
conn-ids from the peer but as long as you have one you can change
unilaterally.

The primary difference in your design is that the IDs are opaque
rather than containing data contributed by the other side, but that
difference is immediately weakened as soon as you try to introduce
structure to handle things like the server topology and also comes
at the cost of needing a much larger ID space in each packet to
avoid hash collisions.

-Ekr


> Cheers,
> S.
>
>
>
>
>

v2.23.0 | Report a Bug | By Email