Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-grease-03: (with COMMENT)

Mirja Kuehlewind <ietf@kuehlewind.net> Thu, 22 August 2019 07:48 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hw9NWoune_5s0QTsF8UblgQGxpc>

Thanks!

> On 21. Aug 2019, at 23:34, David Benjamin <davidben=40google.com@dmarc.ietf.org> wrote:
> 
> On Mon, Aug 19, 2019 at 3:51 AM Mirja Kuehlewind <ietf@kuehlewind.net> wrote:
> Hi David,
> 
> 
> > On 16. Aug 2019, at 18:16, David Benjamin <davidben=40google.com@dmarc.ietf.org> wrote:
> > 
> > On Fri, Aug 16, 2019 at 3:39 AM Mirja Kuehlewind <ietf@kuehlewind.net> wrote:
> > > >> One comment/question: I think I didn't quite understand what a client is
> > > >> supposed to do if the connection fails with use of greasing values...? The
> > > >> security considerations seems to indicate that you should not try to re-connect
> > > >> without use of grease but rather just fail completely...? Also should you cache
> > > >> the information that greasing failed maybe?
> > > > 
> > > > I'll let the authors chime in, but I think the sense of the security
> > > > considerations is more that we are preventing the fallback from being
> > > > needed "in production due to "real" negotiation failures.  Falling back on
> > > > GREASE failure is not as bad, provided that you follow-up with the failing
> > > > peer out of band to try to get it fixed.
> > > > I don't know how much value there would be in caching the grease-intolerant
> > > > status; ideally it would almost-never happen.
> > > 
> > > Okay, then I think it would be nice to say something more in the document, about fallback at least.
> > > 
> > > Ben's description is right. If deploying a new TLS feature results in too many interop failures with existing buggy servers, that feature becomes difficult to deploy and there is a lot of pressure to apply some sort of mitigation like a fallback. That's no good. GREASE's goal is to avoid the interop failures to begin with. The text was not meant to imply that you should do any sort of fallback.
> > > 
> > > What change did you have in mind? The current text says:
> > > 
> > > > Historically, when interoperability problems arise in deploying new TLS features, implementations have used a fallback retry on error with the feature disabled. This allows an active attacker to silently disable the new feature. By preventing a class of such interoperability problems, GREASE reduces the need for this kind of fallback.
> > > 
> > > That reads to me as describing historical fallbacks, rather than recommending new ones. (Indeed you shouldn't do fallbacks. Fallbacks are bad. They break downgrade protection.)
> > 
> > I was thinking about adding some new text somewhere else in the document that gives a recommendation if you should fall back on grease and when.
> > 
> > I mean, the answer to that is "don't" and "never", just as is unstatedly true for any other TLS extension. TLS's downgrade protection doesn't work if you do fallbacks. While downgrading from GREASE doesn't matter per se, it defeats the purpose, so the usual rules for TLS apply.
> 
> 
> For me this wasn’t clear because this is not just a “normal” extension. If you want to be sure that it is clear to everybody, you should write it down in the draft. However, that's my view and this was just a comment to consider, so the authors (and group) need to decide.
> 
> Fair enough. I've added the following to that paragraph in my local copy.
> 
>      Implementations SHOULD
>      NOT retry with GREASE disabled on connection failure. While allowing an
>      attacker to disable GREASE is unlikely to have immediate security
>      consequences, such a fallback would prevent GREASE from defending against
>      extensibility failures.
> 
> I'll upload it as -04 after all the comments come in.
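
The retry behaviour debated in this thread, as an added example that is not part of the thread or the draft: a toy model (not a TLS stack) comparing the historical fallback retry with the no-fallback rule proposed for -04. The peer functions, `KNOWN` values and `intolerant_log` are constructed for illustration; only the GREASE code points come from the draft.

```python
import random

# GREASE code points reserved by the draft: 0x0A0A, 0x1A1A, ..., 0xFAFA.
GREASE = [0x0A0A + 0x1010 * i for i in range(16)]
KNOWN = {0x1301, 0x1302}  # constructed: values this toy peer implements


class HandshakeFailure(Exception):
    pass


def tolerant_peer(offer):
    """Correct behaviour: ignore unknown values, pick the first known one."""
    for value in offer:
        if value in KNOWN:
            return value
    raise HandshakeFailure("no common value")


def intolerant_peer(offer):
    """Buggy behaviour GREASE is meant to expose: reject anything unknown."""
    if any(value not in KNOWN for value in offer):
        raise HandshakeFailure("unknown value in offer")
    return offer[0]


def greased(offer, rng):
    """Prepend one randomly chosen GREASE value to the real offer."""
    return [rng.choice(GREASE)] + list(offer)


def connect_with_fallback(peer, offer, rng):
    """Historical pattern: retry with the feature (here GREASE) disabled."""
    try:
        return peer(greased(offer, rng)), True
    except HandshakeFailure:
        return peer(offer), False  # peer's bug stays hidden, GREASE silently off


def connect_no_fallback(peer, offer, rng, intolerant_log):
    """Text proposed for -04: SHOULD NOT retry with GREASE disabled."""
    try:
        return peer(greased(offer, rng))
    except HandshakeFailure:
        intolerant_log.append(peer.__name__)  # follow up with the peer out of band
        raise
```

With the fallback client the intolerant peer connects and is never noticed; with the no-fallback client the same peer fails visibly and lands in the log.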