IETF Logo Mail Archive

Re: [TLS] ESNI robustness and GREASE PRs

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 18 December 2018 01:58 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 349F7130F66 for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 17:58:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dE-YgLc1Gmqn for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 17:58:21 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 647FD130F6A for <tls@ietf.org>; Mon, 17 Dec 2018 17:58:20 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 74D6DBE38; Tue, 18 Dec 2018 01:58:18 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id enkqRoh2PX1j; Tue, 18 Dec 2018 01:58:16 +0000 (GMT)
Received: from [192.168.1.8] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 6AD72BE24; Tue, 18 Dec 2018 01:58:16 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1545098296; bh=1xXCpnqmIeFjWdak5PjpzCl7ehpt2fcvH74yMIjLo/8=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=bM7GyvwFcUXyjeQQ3jlvaEy9/LlBW6ElrbM+JJ6aaaHjIiF+rFWaf9qzZjo1j0rQO bnSvbdOENbrQKTlVDDPzQPhnujZGRp+G8hXerwzw5ozbZdN3eDeYUGXI5ENT9l+VbF soytMJdIvLPfe8YQcr5kETvBpBrLI8lb6h8Yy8R4=
To: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>
Cc: Steven Valdez <svaldez@google.com>, Brad Lassey <lassey@google.com>, Adam Langley <agl@google.com>
References: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <7a048bc5-4a31-2fed-ca52-293289a34b4e@cs.tcd.ie>
Date: Tue, 18 Dec 2018 01:58:15 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="RRKNzkv7Fo6S75LK062I6MVlyqunzTtyp"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gabirWYXZmgKCSmrBMmh_2zneGQ>
Subject: Re: [TLS] ESNI robustness and GREASE PRs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 01:58:25 -0000

Hiya,

On 17/12/2018 23:17, David Benjamin wrote:
> Hi folks,
> 
> We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd like
> the group's thoughts on. The goal is to make ESNI more robust and eliminate
> a bunch of deployment risks. The PRs are linked below:
> 
> https://github.com/tlswg/draft-ietf-tls-esni/pull/124

I like chunks of that. I'm unsure about others 'till I grok
'em better.

I like the bits that add detail of required behaviour, e.g.
handling resumption, which has been puzzling me:-)

The idea of a "public name" is possibly good, but I'll need
to ponder it more. (Being slow, as I am:-)

Would it be fair to say that that concept isolates ESNI from
a likely DNS ops failure mode at the expense of adding another
way in which ESNI could be defeated via abuses of the Web PKI?
If so, is there any way to make using a "public name" require
that the entity who can authenticate as the "public name" also
has the private part of the public value published in DNS?
(Apologies if your scheme does that already and I missed it, or
if that's exactly the sync breakage you're trying to mitigate;-)

At first sight though, it does look like there's an interesting
overlap between this and what Nico/Viktor were proposing about
using HRRs. (In the sense that maybe you're all heading towards
a not-bad idea, modulo what I think is ekr's winning argument
that always requiring an extra RTT would be disqualifying.)

[On a different point, changes like these (or other breaking
changes) may be easier if we do that "pick an implementation
draft" thing that's been done in other more complex cases. I'm
not sure if ESNI justifies that, but given my coding resources,
(and abilities:-) it'd help me if people wanted to do something
like that. E.g. to decide we noodle about with a -03 and try
code up to a -04 or similar (or -05 or whatever version is
appropriate). For example, there's another kind of change that
I think we want before doing interop on a later version: I'd
argue the value published in DNS needs to be DNS/zonefile friendly
and not primarily TLS-presentation-layer friendly - we're not
there now and getting there (or deciding that's not needed) may
require discussion of published drafts and not just issues/PRs.]

> https://github.com/tlswg/draft-ietf-tls-esni/pull/125

Greasing like this seems like a fine plan. I'm not sure if
greasing is still quite the appropriate term, as this is doing
more than that, but I like it lots - without something like
this ESNI will stick out a lot. I do wonder if people will
be willing to emit so many useless bytes though?

A possible alternative way to get a similar "don't stand out"
effect might be to re-do the CH changes for ESNI so that they're
encoded to look like a real key-share (maybe with some other
bits of the CH serving dual purposes) - I think that might be
just about doable, but a) likely ends up as a total hack, b) is
pretty limited (e.g. for looooong names),  and c) requires
servers to guess if a CH does or doesn't contain ESNI stuff.
Could be fun if it worked though, but has anyone looked at
that alternative way to not stand out?

Cheers,
S.

> 
> The first tries to make ESNI more robust. It introduces the notion of a
> "public name" which gives the client an authenticated signal to retry with
> new keys or without ESNI at all. This mitigates DNS/server mismatches (a
> concern on each key rotation), and partial rollouts or rollbacks (a concern
> when first enabling it, plus some scenarios with TLS-terminating
> middleboxes).
> 
> The second recommends clients to send GREASE ESNI extensions when they do
> not have cached ESNIKeys available. This better meets the "Do not stick
> out" goal. The server behavior in the first PR gives us this for free.
> 
> Details are in the PRs.
> 
> (The two PRs were originally written up together. I split them in two based
> on some feedback, but since they touch the same text, the GREASE PR
> includes the robustness PR. If the WG wishes to go with one but not the
> other, the text and details can be adjusted accordingly.)
> 
> Thoughts?
> 
> David
> 
> [*] Steven and I wrote the text itself, with input from Adam, Ben, and
> Brad, all CC'd.
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email