IETF Logo Mail Archive

Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 18 December 2018 21:40 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 572F7130F1D for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:40:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jcBCPLNdWVb2 for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:40:12 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8DCB130934 for <tls@ietf.org>; Tue, 18 Dec 2018 13:40:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 5BCF6C3F79; Tue, 18 Dec 2018 23:40:09 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id T94_E8qFahgd; Tue, 18 Dec 2018 23:40:08 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id C326228E; Tue, 18 Dec 2018 23:40:05 +0200 (EET)
Date: Tue, 18 Dec 2018 23:40:05 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: David Benjamin <davidben@chromium.org>
Cc: tls@ietf.org
Message-ID: <20181218214005.GC592@LK-Perkele-VII>
References: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com> <20181218044251.bk7em26vvvcamq24@bamsoftware.com> <CAF8qwaA0UZrKA_Vn0hLan9Tb498PKq5roXpLEq2+7dU80qjjFg@mail.gmail.com> <20181218072727.GT79754@straasha.imrryr.org> <CAF8qwaCAW2Ag_xAzOFdxkC9Vco0auOhVo0w9VquLo8+mKvjQ=A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAF8qwaCAW2Ag_xAzOFdxkC9Vco0auOhVo0w9VquLo8+mKvjQ=A@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bcbiFWXXFv5fRHt_wZra6YxSiao>
Subject: Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 21:40:14 -0000

On Tue, Dec 18, 2018 at 03:01:07PM -0600, David Benjamin wrote:
> On Tue, Dec 18, 2018 at 1:27 AM Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
> 
> > Also connection re-establishment has considerable cost, additional
> > TCP roundtrips on top of the extra TLS roundtrips.
> >
> 
> Agreed. The other cost is that it cannot be implemented entirely within the
> TLS stack, since most TLS stacks do not establish connections. (Though ESNI
> already needs caller involvement anyway to get the ESNI keys out of DNS,
> and the perf overhead can be fine if you believe it's rare.)

Looks like the missed ESNI penalty with this proposal is 2RTT (1 RTT
from new TCP setup, 1 RTT from unusable handshake; Yes I know that
both TCP setup and handshake are three-way, but seems like some flights
can be merged). 

> Is the HRR idea being explored in the parallel thread not viable?
> > [ That'd be fine by me, one less thing to worry about, but it did
> > seem worth exploring at first blush...  The suggestion of using it
> > as a fallback when there are either no keys in DNS, or they don't
> > work also seems like it could be viable. ]
> >
> 
> I actually still need to fully digest in that thread. I hadn't even
> realized when I sent this how much the two had in common, or I would have
> acknowledged it in the mail. Sorry about that. I imagine my email probably
> looked odd to you. I'm glad to see we had similar ideas!
> 
> There might be some version that works? We never came up with a formulation
> we really liked, and the single-connection version made a lot of things
> simpler. Some of the nuisances with doing it together:
> 
> - Sticking two full handshakes on the same connection introduces several
> new key changes, which will frustrate QUIC and DTLS.
> 
> - Joining two handshakes at the ServerHello or so frustrates existing
> analysis, split mode, and any servers with SNI-dependent cipher parameters.
> (Everyone seems to keep asking their hosting providers for silly little
> checkboxes to configure TLS parameters.)

I had idea of joining at server Finished (with key state left as-is),
which would be only 1RTT penalty (unuseable handshake), but this has
the same issues with QUIC and DTLS. And trying to make it compatible
with dummy ESNI does some rather annoying things to the TLS state
machine.


-Ilari

v2.23.0 | Report a Bug | By Email