Re: [TLS] Add max_early_data_size to TicketEarlyDataInfo
David Benjamin <davidben@chromium.org> Fri, 07 October 2016 22:06 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2893128E19 for <tls@ietfa.amsl.com>; Fri, 7 Oct 2016 15:06:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.995
X-Spam-Level:
X-Spam-Status: No, score=-4.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rmak-knmBbZZ for <tls@ietfa.amsl.com>; Fri, 7 Oct 2016 15:06:46 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1D31129431 for <tls@ietf.org>; Fri, 7 Oct 2016 15:06:46 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id z65so20496282itc.0 for <tls@ietf.org>; Fri, 07 Oct 2016 15:06:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=czwPt+bakc0o3rv2CTWt6C9vyA8eelgF6NWq1w9y4SI=; b=FN8gpu4oDm8hLDmSu4WH0UMsLEK7saK6c3Bh11SKCVXa3RPB1TjSbdf9ANCt6CgPLu uUdea8jp4+Jgu9nd110FeytGjp/LcL3NjCrmzdoPKT/N/6CdPjsItPV7AiC+yTG8GfOs P77HtOReyQKmoz5I5H9Qqo1yDMXjhCjR2+EEU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=czwPt+bakc0o3rv2CTWt6C9vyA8eelgF6NWq1w9y4SI=; b=YhhD2SRInbvNcooEYn5OdHtIZCUBwU6p08T/HdSwrPDOotTzjvPMNu0YyXMiR6YttO Jr1a7BbOS+LQTIS/8cHGFoDZpv9Oby1sv9onGLAldEubQWAGa5AWp//+7QSY8FsN1QAv 8nTGPS1MMCMHCuWGPUsqv/wZaw1bob1z7jOJN0UtJxKEPwTVSB+hI+oHJdblYCtF1o8a yX1p/fldfnUIEQPlyNEUF/H1do5EJ1dK0tOhC4A+0eo1kM3/mtm4o/xcXAS2MJdeHh/k NGWY6V2IThB2JN8NZVZb9fcW9mij0KGLFFMh69+v7Bmh87fnUxtAuhMpUyy/np9tgj2K 3qLw==
X-Gm-Message-State: AA6/9Rl7nbLf2452qymzM+xjzieSrUVLMFMzzJQVqn1T57V5AeHlq5LQtBScPefIT4jmDji7Q/Q2JAnFKU/vQnL9
X-Received: by 10.36.20.9 with SMTP id 9mr931122itg.24.1475878005715; Fri, 07 Oct 2016 15:06:45 -0700 (PDT)
MIME-Version: 1.0
References: <1475859457.3070375.749089329.59EED0F8@webmail.messagingengine.com> <82f39c83-0040-cf87-94ae-16c321eecc95@akamai.com>
In-Reply-To: <82f39c83-0040-cf87-94ae-16c321eecc95@akamai.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 07 Oct 2016 22:06:35 +0000
Message-ID: <CAF8qwaBhVdxyXUc=p0kFHrB=bfE7KaXf229nEfFh_uFSEiHTjw@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>, Filippo Valsorda <ml@filippo.io>, tls@ietf.org
Content-Type: multipart/alternative; boundary="001a11446af84386fc053e4da058"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/b5GpGR9QQpBV3tbxCspdHVJs8HU>
Cc: filippo@cloudflare.com, aaspring@umich.edu
Subject: Re: [TLS] Add max_early_data_size to TicketEarlyDataInfo
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 22:06:49 -0000
We were also expecting to want to bound how much traffic a server could be compelled to skip over without making progress. It actually didn't occur to me we could let the client know the bounds, rather than just making up a conservative bound (there's only so much data you can get into an RTT) and hoping nothing breaks. That's a good idea. Units is a little interesting. For those purposes, this limit would kick in whether or not the early data could be decrypted, so the server-side limit would be measured in ciphertext, possibly even including record headers. (Although any inaccuracies in converting could be done by just advertising an underestimate and breaking peers that send pathologically silly things like all one-byte records. So it doesn't matter much.) On Fri, Oct 7, 2016 at 5:45 PM Benjamin Kaduk <bkaduk@akamai.com> wrote: On 10/07/2016 11:57 AM, Filippo Valsorda wrote: Hello, Cloudflare's current (not definitive) plan for 0-RTT is essentially to decide whether or not to answer to requests in the 0.5 flight on a case-by-case basis. That obviously requires reading all of them and caching the ones we don't want to answer. To mitigate the obvious DoS concern we plan to use the ticket age and a per-machine replay cache. However, chatting with Drew (cc'd) we realized that clients could still send huge amounts of 0-RTT data that we would have to buffer. Once a Well, "have to" is perhaps a bit of a stretch; the client should be prepared to cope reasonably if you abort the connection arbitrarily. I think the concern is that a well-meaning client may not necessarily do a retry here and instead read this even as a network error. And if it did, the next attempt, if there is still a 0-RTT-able ticket available, may hit this again anyway... client sent early data, there's no way to accept only a part of it or to verify that the client is not replaying before reading it all. But if we were to close the connection after a given amount of data we risk failing connections from legal clients. I propose to add a field max_early_data_size to TicketEarlyDataInfo, to inform clients about the maximum amount of 0-RTT data they are allowed to send, allowing servers to safely terminate connections that exceed it. But this seems like a good idea; I left a couple of ~editorial notes on github. -Ben https://github.com/tlswg/tls13-spec/pull/674 [Please keep me in the CC of replies] _______________________________________________ TLS mailing listTLS@ietf.orghttps://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] Add max_early_data_size to TicketEarlyDataI… Filippo Valsorda
- Re: [TLS] Add max_early_data_size to TicketEarlyD… Benjamin Kaduk
- Re: [TLS] Add max_early_data_size to TicketEarlyD… David Benjamin
- Re: [TLS] Add max_early_data_size to TicketEarlyD… Eric Rescorla
- Re: [TLS] Add max_early_data_size to TicketEarlyD… Filippo Valsorda
- Re: [TLS] Add max_early_data_size to TicketEarlyD… Eric Rescorla