Re: [TLS] DoS risks from draft-vkrasnov-tls-jumpstart-00
Martin Thomson <martin.thomson@gmail.com> Fri, 15 May 2015 17:42 UTC
In-Reply-To: <CACsn0c=0XMyzQ4DOVYo9sxSfMheHGmQy14txUJMH71Y_nCPLpg@mail.gmail.com>
References: <CACsn0c=0XMyzQ4DOVYo9sxSfMheHGmQy14txUJMH71Y_nCPLpg@mail.gmail.com>
Date: Fri, 15 May 2015 10:42:32 -0700
Message-ID: <CABkgnnWzOTcPPGwC+n+TDZCYQOMaYSogTuxAzsngGydTnkamDw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ispfZzxkYre7NIAwsSqxnCiMFoY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] DoS risks from draft-vkrasnov-tls-jumpstart-00
On 14 May 2015 at 19:37, Watson Ladd <watsonbladd@gmail.com> wrote:
> There does not appear to be
> a cookie mechanism to mitigate this problem.

You are absolutely right about this.  DTLS does offer a mechanism like
this, and it seems likely that it will become part of TLS 1.3, but
attempting to retrofit a performance optimization onto TLS 1.2 without
that sort of basic DoS mitigation seems unwise.

Maybe DTLS 1.3 will use the padding extension to avoid the
amplification attack too.

One advantage of the cookie mechanism is that it is optional.  You can
get the performance benefits when the server isn't stressed and still
have a fallback in case of high load.
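The stateless cookie exchange the message refers to, as an added illustration that is not part of the thread, the draft, or any IETF code: the cookie is built the way RFC 6347 section 4.2.1 recommends (an HMAC over the client's address and its ClientHello parameters, so the server keeps no per-client state), and the server only demands the extra round trip while it is under load, which is the "optional" property described above. The message sizes, the `Server`/`ClientHello` classes and the `under_load` flag are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Tuple

COOKIE_LEN = 16  # assumption: a truncated HMAC is plenty for this toy
MSG_HEADER = 4   # assumption: fixed handshake-message header size


@dataclass(frozen=True)
class ClientHello:
    """Constructed stand-in for a ClientHello carrying only what the cookie binds."""
    client_ip: str                  # source address as seen by the server
    random: bytes                   # 32-byte client random
    cipher_suites: Tuple[int, ...]  # 2-byte suite codes
    cookie: bytes = b""             # empty on the client's first flight

    def wire_size(self) -> int:
        # Rough on-the-wire size: header + random + 2 bytes per suite + cookie.
        return MSG_HEADER + 32 + 2 * len(self.cipher_suites) + len(self.cookie)


@dataclass
class Server:
    """Server that only demands a cookie round trip when it is under load."""
    under_load: bool = False
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    expensive_handshakes: int = 0   # times the real key exchange was run

    def cookie_for(self, hello: ClientHello) -> bytes:
        # Stateless: cookie = HMAC(secret, client address || client params).
        # A flood of spoofed ClientHellos costs one HMAC each and no memory,
        # and a cookie minted for one address does not verify for another.
        mac = hmac.new(self.secret, digestmod=hashlib.sha256)
        mac.update(hello.client_ip.encode())
        mac.update(hello.random)
        mac.update(b"".join(s.to_bytes(2, "big") for s in hello.cipher_suites))
        return mac.digest()[:COOKIE_LEN]

    def handle(self, hello: ClientHello) -> Tuple[str, bytes]:
        expected = self.cookie_for(hello)
        if self.under_load and not hmac.compare_digest(hello.cookie, expected):
            # Unverified peer while stressed: reply with a small, stateless
            # HelloVerifyRequest instead of starting the key exchange.
            return ("HelloVerifyRequest", expected)
        # Either the server is idle (optimistic path, no extra round trip)
        # or the client has shown it can receive at its claimed address.
        self.expensive_handshakes += 1
        return ("ServerHello", b"")   # the key exchange would follow here


def amplification_factor(request: ClientHello, response: Tuple[str, bytes]) -> float:
    """Bytes the server sends per byte received from a still-unverified peer.

    A value below 1.0 means a spoofed-source attacker gains no amplification
    by bouncing traffic off this server.
    """
    _kind, payload = response
    return (MSG_HEADER + len(payload)) / request.wire_size()


if __name__ == "__main__":
    srv = Server(under_load=True)
    first = ClientHello("203.0.113.7", os.urandom(32), (0x1301, 0x1302))
    kind, cookie = srv.handle(first)            # spoofable: gets only a cookie back
    print(kind, amplification_factor(first, (kind, cookie)))
    retry = ClientHello(first.client_ip, first.random, first.cipher_suites, cookie)
    print(srv.handle(retry)[0], srv.expensive_handshakes)
```

The two properties a reviewer would check are visible in the code: the reply to an unverified peer is never larger than the request that triggered it, and the expensive path is only reachable once the address has been confirmed (or the server has chosen not to bother because it is idle).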