IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Martin Thomson <martin.thomson@gmail.com> Mon, 16 October 2017 23:42 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA6A61321D8 for <tls@ietfa.amsl.com>; Mon, 16 Oct 2017 16:42:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s_bP9Hfe7h_y for <tls@ietfa.amsl.com>; Mon, 16 Oct 2017 16:42:26 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57046132397 for <tls@ietf.org>; Mon, 16 Oct 2017 16:42:26 -0700 (PDT)
Received: by mail-oi0-x236.google.com with SMTP id j126so28197298oib.8 for <tls@ietf.org>; Mon, 16 Oct 2017 16:42:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6dj53Ax+i516RFxfPNJe2KQDY+TQI/T56sp8b2EXzYQ=; b=nviT6NIDhkKReJ0FZFlm2dkAgtqIL7HfAYkh3Wh30ZjL7TTbHosjBUT+90cczfUKox SI2CppKk9jxB0pDBy/W575R9Dz2obCJKzjLrKyaYaCWhW0qDaZgHDiMar4cS3W4E/7Kx SdsH2yrx++DfFqR7i/rJ0DbCV/MeguDFAHbzsd5Srxk+35P5zY+lF+cdsNhi7HniqBTv 0kAvo8EKag5NBOnsysU45AF2TFMFF2k/eg51LS8c2tXT1/rVt2peV42yqDdbmlOgW+iz OGk74iSgw89xVQ9IO/Vt1/M2tqLu/RAcdpRIFUeY0FKEgGl03EpRv7f2s6QhsPZwtCI4 +0bA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6dj53Ax+i516RFxfPNJe2KQDY+TQI/T56sp8b2EXzYQ=; b=SsJvV0ggbBdzP8E0povZJJjfYG9ub858P6w5B+JszPGztPJ1UGUt0cLOLQA/2EIRYs NbGV+d1DlBbn5NqgAMmEb1qHDNgTW0NCz3u4Jltjyo/sTETtzAqfVG6jlWkfBujcNyO4 TxnqytR/nYV9DLf4rdtgASGBx04b0+cnFPRlyqkufRYU4xHYDdoS9v/MX+GpUoAMvqYP 9V+M9zArr4H2j0crJl0xQQhUvQjRe9S0LbIqfl9x1QAyHGLkhkz1Dw0ZZSdGjglc5PDn 3quBp6c+yJlnoVEScfdAGpf8yt5rRNOcrD49bfgp4EG+570cgHaAU21np9arJd1XYsCL TpVw==
X-Gm-Message-State: AMCzsaX6HZ+J/v1R5/FQMyKoNRHXLeFML/nWFP5J4B+N8mkEcIhARwZ7 qeoHKs02BFcjVP1b48Vhm9j1EC/23KxXh0ZSjZc=
X-Google-Smtp-Source: ABhQp+S1ofJ7E+SdpuZ4E5Y5JwseNSzbijl7Yhfk2S7Ub8I0/BKgxRLEtd8PxMjMnjhl1QmZ/Gtp8Xq2zCoTaXdd/ls=
X-Received: by 10.157.87.75 with SMTP id x11mr1362853oti.112.1508197345507; Mon, 16 Oct 2017 16:42:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.72.178 with HTTP; Mon, 16 Oct 2017 16:42:24 -0700 (PDT)
In-Reply-To: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com>
References: <CABcZeBPXB6cOSztzDHtKSWUCJrgET+9cF_rAiiE8CYCUSY_uLA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 17 Oct 2017 10:42:24 +1100
Message-ID: <CABkgnnXT7nv9aNQh12deeitF1CurENpxgUicn9GHjMbojcEvJg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>, "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hO-sCRazz6lJjx7YB4deXdwPmXs>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Oct 2017 23:42:29 -0000

Going back to the start, it seems like there is an implied problem
with the draft in that connections with the identifier are hard to
distinguish from connections without.  Is that the main problem?

I can't see how an explicit marking helps.  If we admit the
possibility that some connections will not support this new feature,
then the recipient of packets is forced to identify those connections
by 5-tuple.  That's invariant.  Mixed deployments have some
challenges, but it's not completely unworkable.

My conclusion is that peers without connection ID support monopolize
the 5-tuple that they use, so that other connections can't migrate to
that 5-tuple.  They also cannot migrate to another 5-tuple.
Otherwise, things work out.

To reach that point, you have to realize that a mixed deployment has
to use 5-tuple as a primary key.  Packets that come in on a new
5-tuple are matched to connections opportunistically on what might or
might not be a connection ID.  If it is, then great (better make sure
you ask for the same length ID from all peers, or match on
prefixes...).  If it isn't, then the ciphertext will be read as a
connection ID, but even if it does identify a connection it will fail
to decrypt.

Thomas mentioned a heuristic, but I don't think that we need that.
The only case that is difficult, and it's one that you might not care
about, is one where a connection migrates to the same 5-tuple as an
another connection.  There, you will match to an existing connection
and find that the packet doesn't decrypt.  If the connection that you
have associated with the 5-tuple supports and uses a connection ID,
you can recover without trial decryption.  Otherwise, you just have to
drop the packet when it doesn't decrypt.  (You could look up all the
connections without connection IDs and use trial decryption, but why
bother spending the effort and undermine the strength of your ciphers
in that way.)

You can only truly dispense with the 5-tuple mapping if you can
guarantee that all of your clients support connection ID; at which
point you can drop that table and route on connection ID alone.

Packet inspection boxes will have maintain state, I don't see a way
around that.  The point here being that you need state to know how
long the connection ID is, as well as how long it is.

The middlebox issue is somewhat more interesting.  If it is *your*
middlebox, then there might be a case for routing connections with a
connection ID differently.  Based on the above, I would have said that
it might be better to only deploy that sort of configuration when you
can insist on receiving a connection ID.  An explicit marking helps,
but the cost is pretty high if we care about saving bits.

My suggestion for the middlebox is to use a longer connection ID and
include a MAC inside the connection ID.  It ends up being a longer
connection ID than the one QUIC uses, but it would allow the stateless
routing middlebox to identify packets with and without a connection ID
without any explicit marking.  That doesn't require any change to the
design.



On Fri, Oct 13, 2017 at 10:13 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> Hi folks,
>
> I have just posted a first cut at a connection ID draft.
> https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00
>
> Comments welcome.
>
> -Ekr
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email