IETF Logo Mail Archive

Re: [TLS] Adam Roach's Yes on draft-ietf-tls-record-limit-02: (with COMMENT)

Martin Thomson <martin.thomson@gmail.com> Wed, 04 April 2018 06:44 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44A7F126CC4; Tue, 3 Apr 2018 23:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zR9G9MoeDILx; Tue, 3 Apr 2018 23:44:37 -0700 (PDT)
Received: from mail-ot0-x236.google.com (mail-ot0-x236.google.com [IPv6:2607:f8b0:4003:c0f::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE8A4124B17; Tue, 3 Apr 2018 23:44:37 -0700 (PDT)
Received: by mail-ot0-x236.google.com with SMTP id o9-v6so22188299otj.5; Tue, 03 Apr 2018 23:44:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=1zyJRX6sGnf29H5aZ8sjtf2n4tbW766VKCvoS0rBBFo=; b=e1UjWNtR/rN+DV5yW47err3YwCgG619GdgTeI5RDQiEV7OR4NwUcv0tJmTHnyJygpt Ebd9GcsuDKN2EfbQX/n4cZt7x11goDQmjTGTLMdFF+1Cd4LbynhNuaqvGz62svjJAmxN S8u+5H59J8sq5BoNYbBF3DWTU6FPWDj945oAIFynwxYzvKoXKUeS/D+o3zchR1qINO7U Aj8kH2xpw2ejcwO6nd+JlZ0z5KGc0gr90xk7lLTk4TcrofuinnAQBYaXp4ZUGykn5Ykx dqF903TMzzRfYvsV5K3an3PJCCPAq2LlsCC80xWJ2bD3935NGQcio1tDSCK6yg5Ddw1W s5Fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=1zyJRX6sGnf29H5aZ8sjtf2n4tbW766VKCvoS0rBBFo=; b=fy6lJoIMpYgEXBrOAuSSg+UfBYNopG5Yh0bFQnw1aPmh+UMhu+ss7LtOr4ljevAy9i LJZ14zoYXU2cRMXZ4O5LagX2pFp9t/8rutnwqJ38/nv83gen21zW8WDPbSfAoov6EZy9 u86ti4QMBEUr/+6TKXAjKfmsBe2lA4gUW1x5FzgtSedVtbP0v9sDvIVuIA8hzX6z6U3K eRC7QCkeW/rBkOBqIWrLLi5IXNGTGrs99f9SwbQRe38PV0tKwMT+mT0doy+v8QslBk+C XYrNeHUV727ntmVrE5LX/k1TQV75Ui8C/ffF1l7ipUmSt0gjMdGBhCRMRZRpPlhvOPfW g1xw==
X-Gm-Message-State: ALQs6tBU+kXMhlZFmFpVIX7e0HxGbPDTfcMgAMkFXJYTFz7wSqOx3OW5 NHffmbGeZFfU9rJr77PyT+x59RT3QNTMKx0y4u0iLv0g
X-Google-Smtp-Source: AIpwx4856qpO9jrhQ0lEUjLsC/S5Dn3mvyhL55w05cJmj8Wmls/KVi4ffZ+GMkQFCRSL/Tj0p/pRuOkL2vklLHbuIgc=
X-Received: by 2002:a9d:2a09:: with SMTP id t9-v6mr1638754ota.392.1522824276882; Tue, 03 Apr 2018 23:44:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:ac7:0:0:0:0:0 with HTTP; Tue, 3 Apr 2018 23:44:36 -0700 (PDT)
In-Reply-To: <152282152084.23972.5999986320638189748.idtracker@ietfa.amsl.com>
References: <152282152084.23972.5999986320638189748.idtracker@ietfa.amsl.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 04 Apr 2018 16:44:36 +1000
Message-ID: <CABkgnnUuHpHuDpsC9jDS36pw8c4xX-z5ODry1+J0CCPpQWxrYw@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tls-record-limit@ietf.org, Sean Turner <sean@sn3rd.com>, tls-chairs <tls-chairs@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hi5yeLBEJ7TkzYbStqqHGEKU2eM>
Subject: Re: [TLS] Adam Roach's Yes on draft-ietf-tls-record-limit-02: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 06:44:40 -0000

Hi Adam,

Thanks for the review.  You picked up on something that was a little
sloppy there.

PR: https://github.com/tlswg/tls-record-limit/pull/19

On Wed, Apr 4, 2018 at 3:58 PM, Adam Roach <adam@nostrum.com> wrote:>
Adam Roach has entered the following ballot position for
> §4:
>
>>  MUST NOT send a value higher than the protocol-defined maximum record
>>  size unless explicitly allowed by such a future version or extension.
>
> Presumably, recipients MUST gracefully accept values higher than the maximum
> record size?  That is implied by this text (and the text that follows), but
> given how TLS frequently aborts connections at the first sign of any
> irregularity, it's probably worth saying explicitly.

I thought that the following text was doing precisely that:

> A server MUST NOT enforce this restriction; a client might advertise a higher limit that is enabled by an extension or version the server does not understand.

A client can enforce the restriction, because it knows the entire set
of possible extensions that determine the maximum size.  I'll concede
that it's a little sloppy in that it doesn't explicitly say whether a
client is expected to police the value.  Is that a change you would
like to see?  As in:

> A client MAY abort the handshake with an illegal_parameter alert if the record_size_limit extension includes a value greater than the maximum record size permitted by the negotiated protocol version and extensions.

Note that this wasn't made a MUST because if there is an extension
that raises the limit, the client has to do a second pass over the
extensions and that's awkward.

> §4:
>
>>  a DTLS endpoint that
>>  receives a record larger than its advertised limit MAY either
>>  generate a fatal "record_overflow" alert or discard the record.
>
> I'm concerned about the interaction between the option to discard the record and
> protocols that perform retransmission of lost packets over DTLS (e.g., proposals
> such as draft-rescorla-quic-over-dtls). In the case that an oversized packet is
> simply discarded, retransmissions of that (presumably still oversized) packet
> will take a while to time out (I'm not particularly well-versed in QUIC, but
> assume it has characteristics similar to TCP's ~nine-minute timeout), which
> would result in really bad user experiences.  Is there rationale for this optionality?
> It would seem to be cleaner if the response were simply to always send a fatal
> error.

The problem is that you only want to abort if you decrypt the record.
DTLS doesn't kill connections if it receives junk.  In this case, you
would only want to kill the connection if the record is authentic.
But if you have a record size limit, it's usually because you don't
want to decrypt big records.  So you probably won't bother even trying
to decrypt the big packet, even if you could.

So yes, discard ends up looking like packet loss, akin to the loss you
get when a path doesn't support the MTU.  Except that you don't have
any hope of receiving feedback (inasmuch as ICMP is available to DTLS
anyway...).

Given that it's a protocol error, I'm not all that enthusiastic about
fixing the problem.  Even writing it down seems wrong.  "If an
endpoint violates its negotiated constraints, then it can induce
denial of service on itself."  There's only so much defensive design
we can build in.

FWIW, QUIC has the exact same mechanism built in, but you don't
retransmit packets verbatim, so it could rectify itself if it was a
one-off.  More likely, it would compound when more outstanding data is
available to send in every subsequent packet, perpetuating the use of
over-large packets.

v2.23.0 | Report a Bug | By Email