IETF Logo Mail Archive

[TLS] NextProtoNeg concerns

Yoav Nir <ynir@checkpoint.com> Fri, 18 November 2011 05:18 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75D5621F91CE for <tls@ietfa.amsl.com>; Thu, 17 Nov 2011 21:18:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.405
X-Spam-Level:
X-Spam-Status: No, score=-10.405 tagged_above=-999 required=5 tests=[AWL=0.194, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AyxcrY9abcOt for <tls@ietfa.amsl.com>; Thu, 17 Nov 2011 21:18:00 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 835A921F916D for <tls@ietf.org>; Thu, 17 Nov 2011 21:17:59 -0800 (PST)
X-CheckPoint: {4EC5EA24-0-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id pAI5HwCR023002 for <tls@ietf.org>; Fri, 18 Nov 2011 07:17:58 +0200
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.3.213.0; Fri, 18 Nov 2011 07:17:58 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Fri, 18 Nov 2011 07:17:58 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "tls@ietf.org List" <tls@ietf.org>
Date: Fri, 18 Nov 2011 07:17:56 +0200
Thread-Topic: NextProtoNeg concerns
Thread-Index: AcylsW8hZhsVyNjQRMSnysc4pAM9ng==
Message-ID: <4F26370A-E4DA-4EDF-8D33-D77F2D9C89FB@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KSE-AntiSpam-Interceptor-Info: protection disabled
Subject: [TLS] NextProtoNeg concerns
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Nov 2011 05:18:06 -0000

Hi

I'm all for the working group accepting this item. I agree with EKR that traffic analysis will probably be able to distinguish all protocols, so I don't think it matters very much one way or the other whether the NextProtocol handshake is encrypted or not. I don't even thing that the NextProto handshake message is even necessary, as both sides have agreed on the capability, and can send the selected_protocol as the first few bytes of the application data, but again, I don't think this makes much of a difference one way or another.

What I really don't like about this proposal, is this text in section 3:
   The "extension_data" field in a "ServerHello" and the "NextProtocol"
   message contain opaque bytes to be used by the application layer to
   negotiate the application layer protocol.  The format of this data is
   not specified in this draft.

If you are defining a new extension/handshake message to carry a new kind of data (application type) there is no value to this without a definition of the format, either in the same document or in a companion document.

The examples in the slides show a very specific format: "\x06spdy/2\x08http/1.1\x08http/1.0". I don't see why this would not be specified in the document. Of course, you would need to set up a registry for these strings. For example, I can see how Microsoft would want to register SSTP, and other vendors would register their own SSL-VPN protocols as well.

With that section added, I support adoption of this document.

Yoav

v2.23.0 | Report a Bug | By Email