Re: [TLS] ESNIKeys over complex

Eric Rescorla <ekr@rtfm.com> Wed, 21 November 2018 01:00 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CDE6130E11 for <tls@ietfa.amsl.com>; Tue, 20 Nov 2018 17:00:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RWzk_p7hSL3J for <tls@ietfa.amsl.com>; Tue, 20 Nov 2018 17:00:09 -0800 (PST)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A84BC1252B7 for <tls@ietf.org>; Tue, 20 Nov 2018 17:00:08 -0800 (PST)
Received: by mail-lj1-x233.google.com with SMTP id c19-v6so3308875lja.5 for <tls@ietf.org>; Tue, 20 Nov 2018 17:00:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AVAS0HDBA9Z3XvojTjSvl2tZLtnJ3zb0jbAR24azxF4=; b=rnGig647VOz62AMdE7fQfqNdTC+WjArxZStcnf44lceJPABxdw7nMt86Qp4fTtpMII 6VYAqZLkJP6YjOvTerzCqV/IJCLgc8rexUa9ngouj8W+J2u5J6xEVBXqj4jmyL7XiyiO 3vo1rcN7pdmYYeqPcRMHS5Ul7hKLKiStHQZ2GAY5f+gAvse4OKRLq7xc5VR0cxDy6sWM 2S3CGDOm9giH9gjH7pW5cC1Kkd4ExrgmTcnQ4iwCfIAQO1jFCue427hR3DpoA1bvVUBP lR6I1QHglCWnfa5wlrOHoAZAGGiOh17mIsZSohVm7nxMpwh7AEKIQdwN4E2w+/Tdtp1U pc/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AVAS0HDBA9Z3XvojTjSvl2tZLtnJ3zb0jbAR24azxF4=; b=sxFEBcqoadW5f9RDJXSiRILrlq4kIe7t/6Y7rFycI7w2cT4392SzxO/2PKxWjVBs4g jNG8WL0hsOwxI5uVlMBPer/TpvhhJvgM500WYTzAr0+HSI6OvjXjWBPg4MUdSzsnc/mW 00NBRyvlLC9ru7WV9lh0OnfnVP/BF4NRMht78MxwqmDSsjsDKtyMYIeFMc8aebujDund I4T1ZkhfXkvQ6mOdPpGgcEDPMSbEyYhKoyizpEJMI4XbIFuHPL/+aNn78COsGXqhtipj +JD0XQzXQytS1WYPaNtlrqvuaKcZE+jYh1QnLHMhk96MSwPOVwHjv/Mb5hj6s6Haqo4J PU8Q==
X-Gm-Message-State: AA+aEWaiwy+FXg+IRMpMF976i/u1zjpweaqGkLP2ZEb9mjVgJPXWQRFH CmsrMHQArlPWM4az8sLywANKAdsukqrVKQhATRqs+s9y
X-Google-Smtp-Source: AFSGD/UfM0AUHls2qbhCGRRw9Q/C8Xsh3erZuaTcnHbirkQ2zeyfgzM3cLOX9UydxYVk94FJCeJWanpmo/pNpS+rk6o=
X-Received: by 2002:a2e:5418:: with SMTP id i24-v6mr2771998ljb.51.1542762006834; Tue, 20 Nov 2018 17:00:06 -0800 (PST)
MIME-Version: 1.0
References: <797cd94d-b5be-24fd-923c-53b614cbc2c5@cs.tcd.ie> <CABcZeBMNqkepLzdoPFV7UTuKUqPU6_AJjU7iMnUhDpdK6qr6RA@mail.gmail.com> <70290643-cf98-44de-ca6e-2cae4584d750@cs.tcd.ie>
In-Reply-To: <70290643-cf98-44de-ca6e-2cae4584d750@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 20 Nov 2018 16:59:30 -0800
Message-ID: <CABcZeBOp+auFAwc7_+DjEy0JJbvqzs-1Z30h-tFveesm9gwHEg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000640f8e057b22456a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gyiWjgsk17hEUGIMujd7HAfWBCA>
Subject: Re: [TLS] ESNIKeys over complex
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 01:00:13 -0000

On Tue, Nov 20, 2018 at 4:36 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>;
wrote:

>
> Hiya,
>
> On 20/11/2018 23:30, Eric Rescorla wrote:
> > On Tue, Nov 20, 2018 at 1:46 PM Stephen Farrell <
> stephen.farrell@cs.tcd.ie>;
> > wrote:
> >
> >>
> >> Hiya,
> >>
> >> I've started to try code up an openssl version of this. [1]
> >> (Don't be scared though, it'll likely be taken over by a
> >> student in the new year:-)
> >>
> >
> > Thanks for your comments. Responses below.
>
> Ditto.
>
> >
> >>From doing that I think the ESNIKeys structure is too
> >> complicated and could do with a bunch of changes. The ones
> >> I'd argue for would be:
> >>
> >> - use a new RR, not TXT
> >>
> >
> > This is likely to happen.
> >
> > - have values of ESNIKey each only encode a single option
> >>   (so no lists at all) since >1 value needs to be supported
> >>   at the DNS level anyway
> >>    - that'd mean exactly one ciphersuite
> >>    - exactly one key share
> >>
> >
> > I don't agree with this. It is going to lead to a lot of redundancy
> because
> > many
> > servers will support >1 cipher suite with the same key share. Moreover,
> from
> > an implementation perspective, supporting >1 RR would be quite a bit more
> > work.
>
> Aren't DNS answers RRsets? I may be wrong but I thought DNS
> clients have to handle that anyway,


Not really, because any of them is co-valid. We currently permit >1 RR, but
actually
I suspect that it would be better to try to restrict this. This would be
especially
true if we get rid of expiry, because then there would be no good reason to
have
>1 ESNIKeys record with a given version.


and I'd expect use of
> RRsets to be a part of figuring out a multi-CDN stpry.
>

That's not at all obvious.


> That said, >1 ciphersuite wouldn't be so bad if that were
> the only list per RData instance. Or maybe one could get
> rid of it entirely via some conditional link the to set
> of suites in the CH, not sure. (Or just go fully experimental
> and say everyone doing esni for now has to use the same
> suite all the time.)
>

I've implemented this and did not find it to be a major obstacle.
I do not think unnecessary duplication is a good tradeoff for
such a trivial implementation complexity reduction.


>    - no extensions (make an even newer RR or version-bump:-)
> >>
> >
> > Again, not a fan of this. It leads to redundancy.
>
> That's reasonable. OTOH, it's equally reasonable to say that
> we're dealing with an experimental draft and a future PS
> version could use another RRytpe and add extensions if they
> end up needed.
>

I don't see any advantage to choosing a suboptimal design, just
based on it being Experimental.

Incidentally, there seems to be some uncertainty about the status.
I'm not quite sure why this is marked Experimental (I think it may
have just been a thinko on my part), and the chairs didn't
ask at call for acceptance time, so I'd encourage them to sort that
out.




> >
> >
> > - get rid of not_before/not_after - I don't believe those
> >>   are useful given TTLs and they'll just lead to failures
> >>
> >
> > I'm mostly ambivalent on this, but on balance, I think these are useful,
> > as they are not tied to potentially fragile DNS TTLs.
>
> If there were a justification offered for 'em I'd be
> ok with it, but TBH, I'm not seeing it. And my main
> experience of the similar dates on RRSIGs are that they
> just break things and don't help.


This has a totally different expiry behavior from RRSIGs, so I'm
not sure that's that useful an analogy.



> Put another way, I
> don't know what sensible code to write to decide between
> not connecting or sending SNI in clear if one of these
> dates is out of whack. (I be tempted to just ignore the
> time constraints and try send the SNI encrypted instead.)
>

You should connect with SNI in the clear.


And having to deploy a cron job equivalent for the DNS
> data is an order of magnitude harder than not.
>

Nothing stops you having an infinite expiry.

>
> >
> > - get rid of padded_length - just say everyone must
> >>   always use the max (260?) -
> >
> >
> > I'm not in favor of this. The CH is big enough as it is, and this has a
> > pretty big impact on that, especially for QUIC. There are plenty of
> > scenarios where the upper  limit is known and << 160.
>
> True, big CH's are a bit naff, but my (perhaps wrong)
> assumption was that nobody cared since the F5 bug.


This has nothing to do with the F5 bug. It's about not exceeding one
packet in the QUIC CH.


It
> seems a bit wrong though to have every domain that's
> behind the same front have to publish this.


They also have to publish the key, so I don't really see a problem.


I'm also
> not sure it'll work well if we ever end up with cases
> where domains A and B both use fronts/CDNs x and y and
> can't figure out a good value as x prefers 132 and y
> prefers 260.
>

They will also use different keys for x and y, so they will
have different records and can have different pad lengghts.


How about rounding up to the nearest power of 2 that's
> bigger than 5? (Or some such.)


I don't know what this means.



> > that needs to be the same
> >>   for all encrypted sni values anyway so depending on
> >>   'em all to co-ordinate the same value in DNS seems
> >>   fragile
> >>
> >
> > It only has to be the same for all the ones in the anonymity set, and
> they
> > already need to coordinate on the key.
>
> Saying that every key share in DNS needs to be published
> with the same padded_length would be ok actually.


Sure, I can make that explicit.

(As a
> nasty hack, you could even derive the padded_length
> from the value of the key_share and fronters could just
> keep generating shares until they get one that works:-)
>

I thought you were complaining about complexity

-Ekr


> > - I'm not convinced the checksum is useful, but it's not
> >>   hard to handle
> >> - (Possibly) drop the base64 encoding, make it DNS operator
> >>   friendly text (or else binary with a zonefile text format
> >>   defined in addition)
> >>
> >
> > We are likely to drop the base64 encoding.
>
> Ack.
>
> And just to note again - I suspect a bunch of the above would
> be better sorted out as ancillary changes once a multi-CDN
> proposal is figured out.
>
> Cheers,
> S.
>
> >
> > -Ekr
> >
> >
> >
> >> [1] https://github.com/sftcd/openssl/tree/master/esnistuff
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
> >>
> >
>