Re: [TLS] TLS message limits

John Mattsson <john.mattsson@ericsson.com> Tue, 30 October 2018 11:37 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Martin Thomson <martin.thomson@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] TLS message limits
Thread-Index: AQHUcAwZY+ts8iPxHUC4mOe4KMqEPqU3uowA
Date: Tue, 30 Oct 2018 11:37:32 +0000
Message-ID: <8550C52C-9A63-4946-B5A9-C76C5DF87516@ericsson.com>
References: <153947914453.12405.8323044666882273582.idtracker@ietfa.amsl.com> <BF9EA353-C4D8-483F-9552-822D34780207@apple.com> <CABkgnnXZny2X4VRZDQTpAJaa7jfYf=kSPQ8DJ1rtfCzNNMgt6A@mail.gmail.com>
In-Reply-To: <CABkgnnXZny2X4VRZDQTpAJaa7jfYf=kSPQ8DJ1rtfCzNNMgt6A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bm8pZ-95byZHOloCT051_Cq5L_g>

>Of secondary concern for QUIC and DTLS, but not TLS, is the total amount of data that can be sent in handshake messages.  

The total amount of data sent in the TLS handshake is quite a big concern when TLS is used in EAP-TLS. Many authenticator (access point) implementations will drop the EAP session if it hasn't finished after 40 - 50 packets or approximately 60 kB. 255 tickets would make many EAP-TLS sessions fail, but the suggested mechanism where the client indicates the desired number of tickets seems good.

Cheers,
John

-----Original Message-----
From: TLS <tls-bounces@ietf.org> on behalf of Martin Thomson <martin.thomson@gmail.com>
Date: Tuesday, 30 October 2018 at 05:50
To: "TLS@ietf.org" <tls@ietf.org>
Subject: [TLS] TLS message limits

There is an ongoing discussion on the QUIC issue tracker that might
benefit from some attention here.

https://github.com/quicwg/base-drafts/issues/1834

Of most interest here is that there is no mechanism by which a TLS
endpoint can limit the size of handshake messages.  This wasn't a
problem prior to TLS 1.3, renegotiation notwithstanding, but if an
endpoint needs to buffer a 16Mb message it will probably be unhappy.
And many TLS implementations buffer.  Knowing where short of 16Mb is
safe to send is tricky.  Right now, all we do is rely on the natural
pressure to keep tickets small and the fact that tickets are pure
overhead to keep things under control, but it's a hole that is a
little irritating to leave unpatched.

Of secondary concern for QUIC and DTLS, but not TLS, is the total
amount of data that can be sent in handshake messages.  If that data
arrives out of order, it would be nice to bound the amount of memory
that is apportioned for receiving and reassembling handshake messages.
I mention this only because the same solution might be used to fix
both problems.

(I was motivated to post this after reading the ticket requests draft
from Chris, which we should publish.  That draft doesn't really cause
this problem, but it made me think that 255 tickets might make a
bit of a mess if sent all at once.)

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
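The two concerns raised above (an endpoint having to buffer a handshake message whose 3-byte length field can declare up to 2^24 - 1 bytes, and the aggregate handshake volume that trips EAP-TLS authenticators) can both be handled locally at the receiver. The following is an added example, not code from the thread or from any TLS implementation: a handshake-layer reassembler that checks the declared length as soon as the 4-byte header is visible, before buffering any of the body, and that tracks total handshake bytes and NewSessionTicket count against a budget. The cap (MAX_HANDSHAKE_MESSAGE) and the budget (EAP_TLS_BUDGET_BYTES) are assumed local policy values, not protocol constants; the tickets it feeds itself are constructed dummy messages with the NewSessionTicket type, not real tickets.

```python
"""Added example: defensive TLS 1.3 handshake-message reassembly with a local size cap.

Handshake messages are a 1-byte HandshakeType followed by a 3-byte length
(RFC 8446, section 4), so the wire format allows up to 2^24 - 1 bytes and the
record layer may split one message across records. A receiver must buffer
until the full length arrives; the cap below bounds that buffer.
"""

NEW_SESSION_TICKET = 4               # HandshakeType value from RFC 8446
MAX_HANDSHAKE_MESSAGE = 64 * 1024    # assumed local cap, far below 2^24 - 1
EAP_TLS_BUDGET_BYTES = 60 * 1000     # the ~60 kB figure quoted in the thread (assumed)


class HandshakeTooLarge(Exception):
    """Raised when a header declares a length above the local cap."""


class HandshakeReassembler:
    """Consumes record-layer fragments and yields complete handshake messages."""

    def __init__(self, max_message=MAX_HANDSHAKE_MESSAGE):
        self.max_message = max_message
        self.buf = bytearray()
        self.total_bytes = 0       # handshake bytes accepted so far (headers included)
        self.ticket_count = 0

    def feed(self, fragment: bytes):
        """Append one fragment; return the (type, body) messages it completes."""
        self.buf += fragment
        out = []
        while len(self.buf) >= 4:
            msg_type = self.buf[0]
            length = int.from_bytes(self.buf[1:4], "big")
            # Reject on the header alone: nothing of an oversize body is ever buffered.
            if length > self.max_message:
                raise HandshakeTooLarge(
                    f"type {msg_type} declares {length} bytes, cap is {self.max_message}")
            if len(self.buf) < 4 + length:
                break              # message is still incomplete; wait for more fragments
            body = bytes(self.buf[4:4 + length])
            del self.buf[:4 + length]
            self.total_bytes += 4 + length
            if msg_type == NEW_SESSION_TICKET:
                self.ticket_count += 1
            out.append((msg_type, body))
        return out

    def exceeds_eap_budget(self, budget=EAP_TLS_BUDGET_BYTES) -> bool:
        """True once the accepted handshake volume passes the assumed EAP-TLS budget."""
        return self.total_bytes > budget


def build_handshake(msg_type: int, body: bytes) -> bytes:
    """Encode a handshake message: 1-byte type, 3-byte big-endian length, body."""
    if len(body) >= 1 << 24:
        raise ValueError("body exceeds the 24-bit length field")
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def constructed_ticket(n: int, size: int = 300) -> bytes:
    """A constructed NewSessionTicket-typed message with a dummy body (not a real ticket)."""
    return build_handshake(NEW_SESSION_TICKET, bytes([n % 256]) * size)


def count_tickets_in_stream(stream: bytes, chunk: int = 1000):
    """Feed a stream in record-sized chunks; return (tickets, total_bytes, over_budget)."""
    r = HandshakeReassembler()
    for off in range(0, len(stream), chunk):
        r.feed(stream[off:off + chunk])
    return r.ticket_count, r.total_bytes, r.exceeds_eap_budget()


def rejects_oversize(declared_len: int) -> bool:
    """True if a header declaring declared_len bytes is refused before any body arrives."""
    header = bytes([NEW_SESSION_TICKET]) + declared_len.to_bytes(3, "big")
    try:
        HandshakeReassembler().feed(header)
    except HandshakeTooLarge:
        return True
    return False


if __name__ == "__main__":
    # 255 constructed 300-byte tickets: the count the thread worries about.
    stream = b"".join(constructed_ticket(i) for i in range(255))
    print(count_tickets_in_stream(stream))        # (255, 77520, True)
    print(rejects_oversize((1 << 24) - 1))        # True: header alone is enough to refuse
```

Feeding the stream in 3-byte chunks exercises the header-split and body-split paths; the tuple shows that 255 even modest tickets already exceed the assumed 60 kB budget, which is why a client-signalled ticket count is the more useful control than a receiver-side cap alone.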