IETF Logo Mail Archive

Re: [TLS] should we say anything about ECH in the face of fragmentation?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 16 March 2024 06:43 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9211C14F61A for <tls@ietfa.amsl.com>; Fri, 15 Mar 2024 23:43:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.008
X-Spam-Level:
X-Spam-Status: No, score=-7.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lFd9BdCFrwjM for <tls@ietfa.amsl.com>; Fri, 15 Mar 2024 23:42:57 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on2131.outbound.protection.outlook.com [40.107.8.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 661CDC14F60A for <tls@ietf.org>; Fri, 15 Mar 2024 23:42:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aUSdvSDRx4SrXVoWeW7FfLMSC7V3PDU/WjIkqtObSy8QowCoTnBjRm5qVg2/IidTAy+KwuiYy3kyveee8obLaB5x0jgMZvJDXiOb7f29OzBdE9hgpNWpS6ZtfAPBu9msrIqAFWms3BouSXxA3iqT+WfgD1OtPLxlrpnb8lizUEM0Yi46L9b6RI4aeYRO3/4rEaceZAqZFS3zsUC9bQdpozfgTJLJureh7MGJ2Pb77AsSBql1GufUJ6Is3yVoAylrl3spQ/xo5CXegGJQ7ZLRNdjzKMR9QAitgi99H9mcNpYQrgDK2ZEhJ+qSHKkq22IP12irXdrehPrc6XkEwfdbMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cxvB9a5D1uyWNdZLTyCb16rqE+4YZof5WtoYAAX7TJc=; b=JhJO84NvTSfL5DnoSwrLD9ZDtpX38OowmfjsqDGk0HZ4A0GfCmPHrREW27fmhYt6fWJCm3+x6taYonHUDCmwkm2Pi8hCylY5WKJ5HBu3W/ENz9GRqnCLeGVBNkQfCe6pqEgwGk8j0OzLOwGan9OmK8MhIk/CyZIcUlgsqMimX5X3O8WJNNl9+TdQu6+0Y8jHsS/mCauNnNoH97jfna+i9S4Y8KAji4HQ0YY1gubVUD4pHKFJ72Dn0pwLrzDfcMt0f4Ftp3t9Swd48K9JSHrWWV7PRP8+g5g50EM7s+U9LYxHbV46y25riJvhtOqRyUpzquQgOTr1obpINdYQf1uksA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cxvB9a5D1uyWNdZLTyCb16rqE+4YZof5WtoYAAX7TJc=; b=ESnQozydS1qpdFli/vMf+7HxX2O9aSSLVrmfBQLb+wOsbc24oy4QaLmf79Z5VZJppHk+vgMZ5UR+MkcNKksbbJWnP3CwHXdf+w0syCW4ToUY86XUChciUX1TWMsKtESGf4IkcHrfT70sGDCc9tgfNOtTa4wbpQjBDR1DhZWe7WV9CRSkadL0jz64ajYlQY2CZuJPcFyy+uLZ32YVQ6tygJHY0g583kgufS02HeKS4m01HmR33IVRKXMjsQGleg2XWx5vVQSxKmOk+9MYireo4rWyNDTjXEc62e/pcCr6pNWqVEZ243n7OdNtJvMlGzhThtAM3z9lLIqOQC3bpNFxqg==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by GV1PR02MB10837.eurprd02.prod.outlook.com (2603:10a6:150:170::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7386.22; Sat, 16 Mar 2024 06:42:52 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::4421:1ca6:59b4:20c9]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::4421:1ca6:59b4:20c9%7]) with mapi id 15.20.7386.022; Sat, 16 Mar 2024 06:42:52 +0000
Message-ID: <c08063ab-172d-4fcf-a768-073d197d51e4@cs.tcd.ie>
Date: Sat, 16 Mar 2024 06:42:43 +0000
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <71dfb248-1f03-4066-a8cf-6e5439d7db94@cs.tcd.ie> <CACsn0cmXD8RCwwiN7jdACXLOOBtv_e1aa3QxKGBYsgKAzpT8zw@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; keydata= xjMEY9GzphYJKwYBBAHaRw8BAQdAo6JvjmSbxHdQWPZdvciQYsHhM1NxQBU398Mmimoy4p7N M1N0ZXBoZW4gRmFycmVsbCAoMjU1MTkpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPsKQ BBMWCAA4FiEEMG54R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwMFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQ5Njp+ZeoM93bogEA25ElRyX0wwg+kGEN1AoL60MoZfvQZ/VtmXY6IC5j +csBAIBpkL5ySuzJK2zLNZn9qQGht8IaUcA7cvDcLvS2uHUEzjgEY9GzphIKKwYBBAGXVQEF AQEHQILCPWOwW36e8D3pY8GmvvtItIT+A5uV80ist+WokVsQAwEIB8J4BBgWCAAgFiEEMG54 R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwwACgkQ5Njp+ZeoM92bcAEA8R+8cpqRUIS+SoAN iO05xE6O/wEx8/e88BqzAYki3SoBAOQdwiPX+MQrAxkWD8xxOsdMOAtxYKpkD1n8aPJUw6QJ
In-Reply-To: <CACsn0cmXD8RCwwiN7jdACXLOOBtv_e1aa3QxKGBYsgKAzpT8zw@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------vaennD3asoPa0mFXq0QCkUoM"
X-ClientProxiedBy: SY6PR01CA0161.ausprd01.prod.outlook.com (2603:10c6:10:1ba::23) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB7PR02MB5113:EE_|GV1PR02MB10837:EE_
X-MS-Office365-Filtering-Correlation-Id: 7b5a14f6-d80b-4376-840f-08dc45844d8c
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: GeQMkw3ZaWPKBkzHt16zdKLrNq4Wb4HPsW4N/hlomkavujdwYa+EVVXBOLP50N+riDWfcDlCOaf7SLmLiMvc6ThXlqCv6C9v4IsPGNJRDO3e3LkdjE4Eq29rhf4w7vUQmcd6UzrztNY3LkVwI+saG1GeuFRV0+h59+LTPBEMR9LFbsxSCwUqhhZHiMfSXW8afyZYOzeobfnLxRmGgpDPftz0V+X4yyVQTzUc/6y2N+mKjR8W8QHZhN5YNu+qUubRD2gXAhitTW3fLyBiTk1PsgurFLhc3E3n246Xct0t5mhQ0ypShWDE6+EQ7WuHfzSFY/rI6Im7Tgsu4tCwUKyzrw/Ynn2da9de7RGWv5z2MYSmKujcnEG0VKmOzeahZL3ynq1WY3JNzV/5Rxwd97K+nCrw48ViDa9QC5e32yniylpRRMehfrlgvTuW+FevdYOuF/ocxkrRyI8pPx1tW5YpWiSS71MAh51rHJ2n+9S17BeyF+mH2A6BLMzytmySCTIRu9E2giuIT08/J2otxE2YLsg4o6/8yAXk1rAx+XK5a3jnjoGtrAnJSJanQ0FfP8g4vhH0WHRmObPcjj0vM3FYxSUZOy/Znk3484xstv5YQW0=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(366007)(376005)(1800799015); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: vTu6yipPNaAyrnvT4jt3cysxKXyZXHYfXgZVLcnrDwwt7yHmckNexU2/mLUc213LfosNcJns4Y9Avx/ZT92NDMUaTsGOPpqi/zEgY50QvQ8mKfPyHdhJQH+1kwIVrstCjqZcMRws7d6npHTbWzn0Y/uq74GetEhChiQIMUD5TW2ihjDaAmHXASrheE+EC2WbQU47hQPMNH3qaMCosOYToEyWnJHmXdboNcaoq2v029eJ2iINaWzI/tg48s3du5wNgazv9xzbKhhuNKN3wCBIT14saseqm3AkoldawC9lTRhQz/gygk9fU4SuVqVxHS76BE8zzd30LSV49KNTu2XwyPsrOBrOI59wMGrdH6Oj4MfLkTNOcvHRBx2oESE7XCMrD9MsQhE3zuJl5UPjs9YBz8fV3QK146lbeOlrAT1U/2+Ouz3DdpFukxAW9+q2yNcnoubbmI0ivHw6d94WzMVtdJdQG8unRDOFijxBNOP3yktBzoidrcWPRS8F7uYsvbiFOdOu0o1bGn9mbWmxrGzjN8MxV0WdKLAAg5D4wVtZkV4HSjTDwZRx0SQfQD/hSntv0djpvWSwrKx9BfCwakjb22Tv8BRl1Cwy/3xLu6L27m01HW6l+ulHb4l3g6sxsAphADgwr9r9RxewTTdSXb4N8d/GZFwoBO1cDlNw8Sy9QWkugf9rEKx1XB3gjaW0gr85Qtd3jPpued8JC4c2rRINJUcO8QZDemjQPU4QAfhgciue3kDoroI0mUNnWB7tbZ3BIRzYVZ6PzEG9r+2MbCO9zzoDuGIBpduFwOPCDOeBGgw4FPUwbeD1mJpkfqpgOGoo5yL+XZOIE5htuwJM5vCLLv8nRclBt3h8VRiRDUou2CVsOzK9Ys4E4Qc5a1zs0q6M20CQmHNYUypetob+2KHK0cJZbUKh38dMR0pMFMrz+BW4dZCqlSzQJ3qyK4vqqfWi50brz3nZ+jPVwVXSQFoI/NfqKYvYrfugl8hG7mb4y8fpSFZ5H8Z1OZSQP5sR9Lwskb0E3EJN2SZxpurbmUzTFtcv1ai8pcrCVbOKDAtoOvr1NUVhT35cxT5ZN35b7wyXXDHLsfQvEqyrn79neTCGBK9RGMuJqT8bsXjKM/BN3d7BbgEb98wlMZ7N+37ihpp/IdogvkmIp1Nk0JvjY/otQNmRik35ONVKT4MT6jRuM74j/yI11sqIhkd5v5/xnVogMsTVqr2ZQ67lGe2uWad6U/Cm9tKskONNYlt6V9BuYEWDvGg/00vlLUpUXir/Ae+ZIsGyY8lzsxGESQvGJOWFv4RoQ8iXK9ZBp8QE+TbA6qOHy4WY1DztucPOg2DIkebPi6LonQh/givxMzP9F2jVxzTWkfex8GWQhve8w2cMCaoFClJjRbWZ8pR6d0+vifFYVrTFytBHz0JuXSIZbSqVUYQZb5OAxH2bqVgotXiJfwYOPhA6m6cx1SqsQPrwVdGqwLt/l6GB32zm18gHn+i4b96J+3YpUdmfNOgVG/6IQtiNeayqahGqUpqwjrAxN4GkbojKhp0NWK2JRjn4rvOkOidq8WMtOySd5xHiIx0jMygz1fkSc7axC3PIvayRU2MSAlEQOan01XhfSoS0rqm+5FYc0zJBkGnwZrIFQMUQWDgr0zNToZTMhvqlgC8SnlRz
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: 7b5a14f6-d80b-4376-840f-08dc45844d8c
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Mar 2024 06:42:52.4654 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: tURnbv2nfKbVwJlLCpRgSlwo38Ys5WSB3jHptTQXmsLsaOB0vwDEJX+rTyWT4vvt
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV1PR02MB10837
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/h5OGY17Y3yAPMrJfpQVDR_nCdoY>
Subject: Re: [TLS] should we say anything about ECH in the face of fragmentation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2024 06:43:01 -0000

Hiya,

On 15/03/2024 21:55, Watson Ladd wrote:
> On Fri, Mar 15, 2024 at 2:23 PM Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
>>
>>
>> Hiya,
>>
>> I think the outcome here is maybe most likely to do nothing but
>> since the WGLC is ongoing I figured it best to bring it up in
>> case others have better ideas.
>>
>> I got a mail yesterday from someone who had played with the nginx
>> "stream module" setup ECH-split-mode PoC stuff we've done and found
>> a difference in how IP fragmentation affected that configuration,
>> depending on whether or not ECH was enabled.
> 
> I am very confused here. Is this over TCP? 

Yeah, sorta, but...

TBH  I only looked at how to get ECH split-mode decryption working but
IIUC the nginx stream modules enable examining packets for load
balancing so that the TCP (and TLS) session ends up between the client
and back-end. So in that mode, nginx (or haproxy similarly) is mostly
looking into the 1st packet seen, maybe for a CH with an SNI, and
then uses what it finds to route the packet to some back-end. It
(nginx) then also sets itself as a proxy between the client and
server for remaining packets in the connection.

If the 1st packet has an outer CH then we can attempt to ECH decrypt
that and then do whatever nginx would've done in stream-mode and that
does work.

I never did look at what else nginx does at the IP or TCP layer,
once I got stuff to work, but I suppose I should, to do it right.

Handling split-more + HRR was even more fun so I'd not be surprised
if IP fragmentation caused issues there too.

All that said, I'm still not sure that even attempting to support
split-mode ECH in the face of IP fragmentation would be a good plan
though.

Cheers,
S.

> If so, why isn't the MSS
> preventing IP fragmentation? Is this in QUIC?
> 
>>
>> The pcaps I've seen show fragmentation of the CH after 588 octets.
>>
>> In the ECH-using case, nginx aborts the connection as it sees a
>> malformed outer CH. In the non-ECH case, nginx can decide how to
>> forward the packets as it can decode into the partially rx'd CH
>> and see the SNI (which is what's used to decide where to fwd the
>> connection). I don't (yet) know what'd happen if fragmentation
>> happened in the middle of the SNI in the non-ECH case. (I'd bet
>> it'd not be good though:-)
> 
> This sounds like an NGINX bug/misfeature. How the data ends up on the
> wire below TCP shouldn't affect what happens beyond e.g. timing out.
> 
>>
>> The reason for the difference is relatively obvious but I guess
>> could be stated in the draft: an ECH split-mode front-end can't
>> decrypt the ECH until it's seen the entire CH, due to the use of
>> the ClientHelloOuterAAD as aad.
>>
>> I've not yet thought about whether it'd make sense to try to
>> buffer up partially rx'd fragments to see if those eventually
>> do turn out to be a nicely encoded outer CH - I suspect that
>> may be more of a footgun than useful;-(
>>
>> I think all the exact same things would happen with our haproxy
>> split-mode PoC, so this isn't an nginx specific issue.
>>
>> Cheers,
>> S.
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> 
> 
> 
> --
> Astra mortemque praestare gradatim

v2.23.0 | Report a Bug | By Email