IETF Logo Mail Archive

Re: [TLS] Closing on 0-RTT

Sean Turner <sean@sn3rd.com> Mon, 03 July 2017 19:36 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A14D6131756 for <tls@ietfa.amsl.com>; Mon, 3 Jul 2017 12:36:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AmTs0KgvY-yx for <tls@ietfa.amsl.com>; Mon, 3 Jul 2017 12:36:00 -0700 (PDT)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AD9A13175E for <tls@ietf.org>; Mon, 3 Jul 2017 12:35:59 -0700 (PDT)
Received: by mail-qk0-x235.google.com with SMTP id v143so69392633qkb.0 for <tls@ietf.org>; Mon, 03 Jul 2017 12:35:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=content-transfer-encoding:from:mime-version:date:message-id:subject :in-reply-to:references:to; bh=0GgmooTEzlja/dqPVA0J7+It7bVrWGvz8+NLPNg83jo=; b=S3KbmzNTEW0WZ0hqR2rn7Grpc9/53b/2Lx5fPmCphs/2Wauz35ZllEZVXONoRagpbz amOOE9VDVjA3bQ/aj2pr32zJv/H2I7hL0zByAwG1CKvHa0nxjolkATxGiXm0ziLwWTDI K8g/WrFNFTI5eAGFEA711uubjeVHuapTV3BGA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version:date :message-id:subject:in-reply-to:references:to; bh=0GgmooTEzlja/dqPVA0J7+It7bVrWGvz8+NLPNg83jo=; b=RdIlWqDJPPOrjQpqdqpWcQwvkKr/B3TIi86hQVbzInDdxLjNlS08nujogYbKJqHG0M tI/HgByb3mqLqyAwDeLy8V+QbprTOzYaRIB+Ia4KdVKZ0yPMee4uIdbCyYU6GbeckAoB GHWJ30lmUQGTSpkrQIL+fLTBPiFvj0xTQipVG0g/jw6hVQ7pHGTeIrDRAxIASWcdpq+p dx0IxgPWwUuQApVqqNtG/lmzupkSniRImlygB5aYc727gEKOitvBWmNyhcNM89O9st1t gmhKUCfnIIhEEtj2UjowZQDwDomuuVtEHtQEnshSCSjo6yjfY6X0KBUs2983y8IV1sBk k5uQ==
X-Gm-Message-State: AKS2vOzdNjeJalQa2D73sSUhwIS038rcKUvCfQ31Jw4eQEs09STNIXx8 eJBzA0rq5pA0kceKIijiog==
X-Received: by 10.55.20.156 with SMTP id 28mr40647894qku.191.1499110557919; Mon, 03 Jul 2017 12:35:57 -0700 (PDT)
Received: from [10.73.144.181] (mobile-166-170-30-26.mycingular.net. [166.170.30.26]) by smtp.gmail.com with ESMTPSA id b81sm9589663qkj.62.2017.07.03.12.35.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 03 Jul 2017 12:35:56 -0700 (PDT)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="Apple-Mail-B6FA33BD-1FBA-4D3C-8E5F-C02FBF7C3C8E"
From: Sean Turner <sean@sn3rd.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 03 Jul 2017 15:35:56 -0400
Message-Id: <B4718BC6-AAC8-45FD-B905-8798AB744BEF@sn3rd.com>
In-Reply-To: <CABcZeBOq5qeFqXYPZd-JM98dJfMHVSoMfhd9PAq_ADb3JimiQw@mail.gmail.com>
References: <CABcZeBNLo51y4-MYS6NTQn9OWg5jTYYpwxn1fiKKNL5bWA37TA@mail.gmail.com> <CABcZeBNtcvATyd=jhm4GxeyY9xP5CTUp0MLUf9c-ApBFVNvWoQ@mail.gmail.com> <7b5b28f1-60d5-0979-f789-0471df33dba9@akamai.com> <CABcZeBN0B8G3UZrLsfRakO0Vuhg=6w+aHsht4Co5pMLMWsy5-Q@mail.gmail.com> <CAKC-DJiEy75Hx1fMRm6_E_rptuRNRTZBZ+SQmR6XQg8+sbshqw@mail.gmail.com> <CABcZeBOq5qeFqXYPZd-JM98dJfMHVSoMfhd9PAq_ADb3JimiQw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>, tls@ietf.org
X-Mailer: iPhone Mail (14F89)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dcGio-WSRWNC5dq24JCr0C3lFOs>
Subject: Re: [TLS] Closing on 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2017 19:36:04 -0000

It looks like we're ready to merge this PR please do so.

Please note that we will redo WGLC to make ensure that the changes incorporated since the 1st WGLC are the consensus of the WG.

spt

Sent from my iPhone

> On Jun 30, 2017, at 13:23, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
>> On Fri, Jun 30, 2017 at 10:19 AM, Erik Nygren <nygren@akamai.com> wrote:
>>> On Fri, Jun 30, 2017 at 12:53 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>> 
>>>> On Fri, Jun 30, 2017 at 9:32 AM, Benjamin Kaduk <bkaduk@akamai.com> wrote:
>>>>> On 06/29/2017 03:53 PM, Eric Rescorla wrote:
>>>>> I have updated the PR to match people's comments. I would like to merge this soon, so please get any final comments in.
>>>> 
>>>> I made a couple comments on the PR that are more appropriate for the list, so I'll repeat them here and hopefully get replies from the broader audience.
>>>> 
>>>> 
>>>> First off, I think we should MUST-level require servers to implement a hard limit on the number of replays accepted.  However, it doesn't quite seem realistic to require "MUST use either [single-use tickets] or [ClientHello recording]".  My preference would be "MUST use either [single-use tickets], [ClientHello recording], or equivalently strong protection", but I don't know what level of support we have for such a strong requirement.  As an alternative, I will also put out "MUST limit replays to at most the number of endpoints capable of accepting connections for a given identity, and SHOULD provide even stronger replay protections, such as [single-use tickets] or [ClientHello recording]."  I think we have general agreement that strong anti-replay as described in the document is feasible for a single-server deployment, and this last formulation is achievable in multi-server environments by just giving each server its own local per-server protection.  (My main reason for wanting a MUST-level hard cap is that I worry that millions/billions of replays will have really nasty consequences in terms of DoS and side channel issues.)
>>>> 
>>>> But, this has been quite a long thread spread out over multiple forums/email subjects, so I've also probably forgotten some of the arguments presented against having MUST-level strong anti-replay requirements; I'd greatly appreciate if someone could repeat them here for everyone's consideration.
>>>> 
>>>> 
>>>> The pull request also has some text:
>>>> 
>>>> +If the expected arrival time is in the window, then the server
>>>> +checks to see if it has recorded a matching ClientHello. It
>>>> +either aborts the handshake with an "illegal_parameter" alert
>>>> +or accepts the PSK but reject 0-RTT. If no matching ClientHello
>>>> +is found, then it accepts 0-RTT and then stores the ClientHello for
>>>> +as long as the expected_arrival_time is inside the window.
>>>> +Servers MAY also implement data stores with false positives, such as
>>>> +Bloom filters, in which case they MUST respond to apparent replay by
>>>> +rejecting 0-RTT but MUST NOT abort the handshake.
>>>> 
>>>> I am not sure why we are giving servers a choice between aborting and accepting the PSK but rejecting 0-RTT (if a matching ClientHello is found), especially not without giving guidance as to why they might choose one or the other.  My natural inclination would be to have the expected behavior be to abort and only fall back to the other behavior if using a scheme with false positives, but Ekr thinks Erik Nygren was in support of just continuing on with 1-RTT.  It looks like this was     https://github.com/tlswg/tls13-spec/pull/1005#discussion_r114924733 , where I ... took the opposite position from what I just said my "natural inclination" was, amusingly enough.  But still, why does this need to be a choice?  Rejecting 0-RTT and continuing on to 1-RTT seems like it would be reasonable in all the cases mentioned so far.
>>> 
>>> Well, my reason for not wanting to do that is that it's a clear replay and so should
>>> be a hard failure. So, I'd be happy to mandate abort the handshake, but if we can't
>>> agree on that, I'd rather have a choice.
>> 
>> Are there scenarios where the duplication might be accidental rather than a malicious attack?
>> For example, one might see cases where combining 0RTT with TFO and network packet
>> duplication could result in two initial 0RTT flights.  One could also see "TCP accelerator"
>> middleboxes doing similar things where the first flight gets replayed.
> 
> Sure, and this is a good reason to hard fail because it helps us find stuff like that.
> 
> 
>> In both of these cases, only one will actually successfully establish a TLS connection
>> and move forwards, but if the successful one is the one that is aborted then 
>> the connection will fail.
> 
> Sure, though of course clients can also retry.
> 
> -Ekr
> 
> 
>  
>>   If 0RTT is rejected and both are allowed to proceed,
>> then the bogus accidental replay will be dropped and the legit connection will succeed.
>> 
>>         Erik
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email