IETF Logo Mail Archive

Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-connection-id-07

Eric Rescorla <ekr@rtfm.com> Tue, 27 October 2020 00:39 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 814603A0EC6 for <tls@ietfa.amsl.com>; Mon, 26 Oct 2020 17:39:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SN5MCJCgxhSf for <tls@ietfa.amsl.com>; Mon, 26 Oct 2020 17:39:11 -0700 (PDT)
Received: from mail-lj1-x241.google.com (mail-lj1-x241.google.com [IPv6:2a00:1450:4864:20::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBECB3A111A for <tls@ietf.org>; Mon, 26 Oct 2020 17:39:10 -0700 (PDT)
Received: by mail-lj1-x241.google.com with SMTP id a4so12692293lji.12 for <tls@ietf.org>; Mon, 26 Oct 2020 17:39:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=w01KomIBDoN9H7Uewms9T/QnaCNwx36gwZSjqPzB504=; b=13XNisKRHWISPMxytFpbfxfDbdTqJCvGyzSUioe9BMSkoNKGlfozVx5lGvH+kSxfZ+ +eWc5Mi2JZLhFYp7EYX8pOH/Kq7aLf0L0oXQbSR9R/0qff6OI6kdu4DgFTUQdFjVSiwd mlSn9VBgTn2lO/k7kV1ad1pcYtrvmr15AWa8S4rTOyZp7aL99EIBWTHLAg4v+akz7iNB CwDOq6Jm+S7XWsUWDB/w09bfWr34hX8t5OgXJNlvkwdP/MZUHIfx+1NtTgq7rwstdUAI shlUjPrLkW4/ehU/WrFTcOWBbZtHnNSx81QmSWXyxuZBRgdZT6bH2v47+sjky39wRzAY 9eIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=w01KomIBDoN9H7Uewms9T/QnaCNwx36gwZSjqPzB504=; b=FWXaBFXVoDnZizJmiHH9rJdrwjkK2dW8k/K+/YbdFqbvwif808yJKN14UR8JBaWerH KII0RRDbgVIWBNz/XMrgf2PQfSJyHQ5GISLnpJ/wsswv9jxU9r9F7bjQpxT5P4NvOTmV zLIblsCw51W9zXB0AeTnP5ZgccG59URQ18XWEAGKBFokPlUzRyd41RoP8QjiiVyctiOf XEWNSGzG+IzNjWLdeDAKepzHDHM+/dhH+hhr594YJI2E8Txj/A/JtlYoE0llELRR/T4n 6nP5/wzZNntnNKI+VyaqPF9pb7x5XvpqXPI1AR+TTUrxafcfC2iP7qv4C4/8YeqptHW9 vnIg==
X-Gm-Message-State: AOAM533+oWSdT9lgm/9F1+MPTDaGrvyFUW4y3O3tQ06qRebgXj16MDjt BvyMZYvy1hkOrsGnFcA+OwKiaEeihg4/+CTVjv2AfA==
X-Google-Smtp-Source: ABdhPJyIbDR2sLtmFA8OY1gmPpJmDYrbS7Nn0bn3cOXNG6nFfSCjGAX6TVp/cIUNYDJrvtFiyRUM8UzSciSDX6+5aqY=
X-Received: by 2002:a05:651c:130d:: with SMTP id u13mr7855547lja.265.1603759149204; Mon, 26 Oct 2020 17:39:09 -0700 (PDT)
MIME-Version: 1.0
References: <fe7eab66-a14a-5f18-46be-7bae471c3b20@gmx.net> <CAOgPGoBWRyqQUNk3JQx2_Cna-7s-A7gENVwW-sh8+tRoJ_=V_Q@mail.gmail.com> <13a821d3-30cc-94b8-842c-22a87d280f09@gmx.net> <CACsn0cn4QcnaoocQeoiUXgGoAvfOs+1+Ei76z1Kuq8MMqNEh3Q@mail.gmail.com> <0327abb0-6317-b848-28d0-1fc50f4bf50e@gmx.net> <20201012200548.GD1212@kduck.mit.edu> <bab402e6-3353-d750-a849-21c91081f94e@gmx.net> <20201014212428.GP50845@kduck.mit.edu> <a7110178-6220-175e-869d-fcc44400f773@gmx.net> <CABcZeBNocUYZO9yxuG-DYh33ss+Dum1EOxHYEdww5OCR=rKFXw@mail.gmail.com> <20201024021316.GN39170@kduck.mit.edu>
In-Reply-To: <20201024021316.GN39170@kduck.mit.edu>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 26 Oct 2020 17:38:33 -0700
Message-ID: <CABcZeBPP_PFWtaNB4Wr+2MoY2+8Mh1Vxt9A-Hp5LaCg9DiLCFw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Achim Kraus <achimkraus@gmx.net>, Watson Ladd <watsonbladd@gmail.com>, Joseph Salowey <joe@salowey.net>, "tls@ietf.org" <tls@ietf.org>, draft-ietf-tls-dtls-connection-id@ietf.org
Content-Type: multipart/alternative; boundary="00000000000064db5605b29c463d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/h0epLMsWFlHumhftUG3UAlGGhQQ>
Subject: Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-connection-id-07
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2020 00:39:14 -0000

On Fri, Oct 23, 2020 at 7:13 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> Hi Ekr,
>
> Thanks for chiming in.
>
> On Thu, Oct 15, 2020 at 08:59:43AM -0700, Eric Rescorla wrote:
> >
> > - I agree with Ben that the current construction has some awkward
> > properties and that prefixing the length field would remedy that. It's
> > been quite some time since we had this discussion but as I recall the
> > rationale was to protect the bits on the wire as-is rather than some
> > reconstructed version of them (see a number of long discussions on
> > this topic), so just prefixing the CID length is also not ideal.
>
> I think the current scheme is unfortunately using fields put together in a
> rather different order than the actual bits on the wire (more below).
>

Right. I forgot that we also preserved the TLS order of the seqnum.


> >
> > This is a little goofy but it has (I think) the properties that (1) the
> > bytes appear
> > in the MAC in the order they appear on the wire (2) fixed-length metadata
> > appears in
> > the front (the seq_num already does) (3) the duplicated tls12_cid in the
> > front avoids confusion with MAC input for other records.
>
> I like (1) and (2) and agree with (3), though I'm having a little trouble
> lining up your figure with the DTLSCiphertext structure, which I'll repeat
> here so I'm not flipping back and forth as much:
>
>         struct {
>             ContentType special_type = tls12_cid;
>             ProtocolVersion version;
>             uint16 epoch;
>             uint48 sequence_number;
>             opaque cid[cid_length];               // New field
>             uint16 length;
>             opaque enc_content[DTLSCiphertext.length];
>         } DTLSCiphertext;
>
> Ah, your proposal looks more natural if I compare it to the current AEAD
> "additional_data" from the -07:
>
> #      additional_data = seq_num +
> #                        tls12_cid +
> #                        DTLSCipherText.version +
> #                        cid +
> #                        cid_length +
> #                        length_of_DTLSInnerPlaintext;
>
> If I could try to synthesize your key points (as I understand them), hewing
> more strictly to the "bits on the wire" philosophy would suggest having us
> use:
>
> additional_data:
> struct {
>   uint8 marker = tls12_cid;
>   uint8 cid_len;
>   uint8 content_type = tls12_cid;      \
>   uint16 DTLSCiphertext.version;       |  appears on wire
>   uint64 seq_num; // includes epoch    |
>   opaque cid[cid_len];                 /
>   uint16 length_of_DTLSInnerPlaintext;
> };
>
>
Mostly.

I would expect the length here to not be DTLSInnerPlaintext but rather the
length field that appears on the wire, as in TLS 1.3. Do you agree with
that? If not, let's discuss. If so, we can talk about the others.

-Ekr

v2.29.0 | Report a Bug | By Email | System Status