IETF Logo Mail Archive

Re: [TLS] Interaction between cookies and middlebox compat mode

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 30 December 2017 11:08 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DC111241F5 for <tls@ietfa.amsl.com>; Sat, 30 Dec 2017 03:08:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJqTisIC7vZO for <tls@ietfa.amsl.com>; Sat, 30 Dec 2017 03:07:59 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97EA4120713 for <tls@ietf.org>; Sat, 30 Dec 2017 03:07:59 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id C438B53742; Sat, 30 Dec 2017 13:07:57 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id U4mcEfZ6H21n; Sat, 30 Dec 2017 13:07:57 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 5DADE2316; Sat, 30 Dec 2017 13:07:54 +0200 (EET)
Date: Sat, 30 Dec 2017 13:07:54 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Matt Caswell <matt@openssl.org>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20171230110754.GA14541@LK-Perkele-VII>
References: <9a7b1178-f856-ec63-c4b7-e2b29993e133@openssl.org> <CABcZeBMS9TeR-kFem4xHiWGVyKn5LbvDomdzL6vV_3XrKkravQ@mail.gmail.com> <37a087f4-efbe-7eae-5539-d220ff67e243@openssl.org> <CABcZeBOfcKTDnc+FcTPutMazSEhg3V8_tWqzeqpv=N6ki9jN9g@mail.gmail.com> <4c37d15e-7375-d4d0-62d1-c6d295fb7080@openssl.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <4c37d15e-7375-d4d0-62d1-c6d295fb7080@openssl.org>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bnp2BRExjo5Te3KR-tDpbGmxZ0Q>
Subject: Re: [TLS] Interaction between cookies and middlebox compat mode
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Dec 2017 11:08:01 -0000

On Thu, Dec 28, 2017 at 04:12:52PM +0000, Matt Caswell wrote:
> 
> 
> The point is a stateless server will not know about CH1 at the point
> that it receives CCS. Actually, as Ilari points out, there could be any
> junk (including partial records) arriving between CH1 and CH2. So this
> feels more like a special case for stateless servers.

Stateless servers also have the problem of dealing with nasty things
like fragmented ClientHello messages (yuck) or other initial fragmented
messages (which should not happen outside attacks).

And unlike DTLS where one can detect subsequent fragments of message,
this is not possible in TLS. And since one can not commit state for
each connection, the mitigations are much more limited.

I suppose one way of handing things is to send a fatal-level 
unexpected_message alert (of course without tearing connection down,
since there is nothing to tear down) in response to any handshake
record that does not start with 0x01 byte unless there is pending
reassembly state or connection state.

The reassembly states would be limited in number (possibly to 0)
and and size to avoid DoS. What alert to use if the message is too
large to reassemble (if there are 0 reassembly states, any message
is too big to reassemble)?

Lower-layer reassembly might be possibility. That doesn't allow
ClientHello messages larger than 16kB, but that would be give
considerably more freedom with Post-Quantum key exchanges than
<1232 bytes one gets with single packets[1]. I think QUIC does
not support any kind of reassembly of Client Hello.



[1] NIST PQC Round1 has only 3 candidates (LAKE, Round2 and SIKE) that
have triple digits public key sizes at "level 3 security" below 800
bytes (in fact, all three are somewhere between 500 and 600 bytes).

Those are pretty aggressive (or slow in case of SIKE), and the sizes
might grow quite a bit as new attacks are discovered.

With 3kB space for public keys, there would be considerably more
candidates (and space for parameter adjustments). These include
even ~20 year old schemes like NTRU (which is one of the candidates).




-Ilari

v2.23.0 | Report a Bug | By Email