Re: [TLS] draft-ietf-tls-record-limit-01
Martin Thomson <martin.thomson@gmail.com> Mon, 25 September 2017 02:12 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85AF7132351 for <tls@ietfa.amsl.com>; Sun, 24 Sep 2017 19:12:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 63coPoyKsPo2 for <tls@ietfa.amsl.com>; Sun, 24 Sep 2017 19:12:11 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4217B126B7E for <tls@ietf.org>; Sun, 24 Sep 2017 19:12:10 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id j126so5006650oia.10 for <tls@ietf.org>; Sun, 24 Sep 2017 19:12:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=w/TJcxPDyZEgC6LKAv1hj679ttO/AjvsfzY+4MfO/wU=; b=dMNuoK7tVvPXV+4QoezxQxuuIxMU5gA5M2avBCKbFkgPKdck1AVCeZwhB1X6/fSbWt JsR20+1PwxXixNpn2WZbB22KEIwyxKj/06APsF6R2aOBruCAghILi6Q1L42Sxm6Vsd9/ MYwHgTq+GZsN1uqySMBQogBh4m3OciormC8/WkH9ig++YlBnmYj0P0XUXXl7WOlnw3N8 gv2TuRpPHTdXOQW+4W7L0r/FF8Pvqll/yqi8tlEQ/oSwA+d0Ur5Y2aMu+oMuSIwODP+8 XrSFcVQiAW6x+yUDleKdrLkJg4BszASqpJyLKuRV/84xRhg31mlS3Nh5GT+4Bi13wIlb z20A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=w/TJcxPDyZEgC6LKAv1hj679ttO/AjvsfzY+4MfO/wU=; b=SPdn+Fi4x/uhZF73nyB28HvdWCJR+ni2yCeGSMulwQUnV9jGD3ixkN8wc6WjgmiIuI TYYNXqLFbnzSa4zniyNewI+Wf1dmZYpVdfGebq8ykqMpRx78rXHY60Db0CQVPTMrkSPY ioUS+WUKWm9ZfM2bWkwFyng0h1ec1jQoaLz/Sfq0tECJ9ImER8gad9phlD9mHwJy0N4H llPxn8iYnQQ8O4tG21xquTEAhd6n7xFvoa/FYlAwRH5GPN3JO87SH3l4fsIJC0bwQoJ+ AWFF0/ZV9k+1gxNoHAXe1jsGcEoExhVJ/tafGH3N3yEJx3Z6BTYzSVhEzufzOAxVPuNH m/gA==
X-Gm-Message-State: AHPjjUjLflV/P0OeaMzQAOEzpThmSA29iZj0Pp7wgba8ZyserwdKzfu+ MenRkvbbh8asaAQjcCXuVo8FA/3brlDpDxA29oM=
X-Google-Smtp-Source: AOwi7QCbjLv0hwpsKp9/QM6H5sRlroMIsTDNzbEglMFPH/LzcX4rE798hxdgYK4ic/s/9QMFvkQAppQsx9Es85DKrFs=
X-Received: by 10.202.229.203 with SMTP id c194mr7781352oih.92.1506305530065; Sun, 24 Sep 2017 19:12:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.0.38 with HTTP; Sun, 24 Sep 2017 19:12:09 -0700 (PDT)
In-Reply-To: <591ffde5-6ca6-e9a1-e99e-2ee8bc61708b@gmx.net>
References: <d146477e-85c1-5b09-490e-ed2f386f0915@gmx.net> <2127515.TzRoSAlNJ7@pintsize.usersys.redhat.com> <591ffde5-6ca6-e9a1-e99e-2ee8bc61708b@gmx.net>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 25 Sep 2017 12:12:09 +1000
Message-ID: <CABkgnnXcv6x1dvLkdBh+46b5CSVZQfuHyz3isbqWGfutwrhroA@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jdceH51tHyohZ0VzUcEk3X0iheQ>
Subject: Re: [TLS] draft-ietf-tls-record-limit-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2017 02:12:13 -0000
Hi Hannes, I appreciate that the way that you calculate the available space is difficult, but I did think very long and hard about this. The current approach makes it easier for someone to *comply* with the size limit and I'd like to retain that property as much as possible. I want people to implement and deploy this extension in every stack even if they don't have a way to set a limit lower than 16k. The only alternative metric I can think of is the size of the ciphertext. The other overheads are either fixed or hard to measure at the (D)TLS layer. Other measures are too situation-dependent, such as whether you need to count TCP headers, and leads to other problems like what you do about TCP header extensions. A change to the length of ciphertext makes it more difficult to implement at the point when you fragment messages generically. And that means more testing. As it is, I replaced a constant (MAX_FRAGMENT_LENGTH) with a variable (recordSizeLimit) and the code was basically done. Requiring calculations here adds risk and you want as many people who are NOT building an implementation for constrained devices to implement this as possible. Yes, if you want byte-accurate numbers, the configuration calculation is going to need: * information about the lower layers of the stack (TCP/UDP/IP) and how much space they need * information about TLS versions for the explicit IV * information about enabled cipher suites and their maximum expansion The good news is that if you use TLS 1.3, all the AEADs have an expansion of 16 octets (unless you are using the truncated CMAC suite, which I have never seen myself) and records add 5 octets. The whole CBC EtM/MtE business is a mess for sure, but I think that we're putting the costs in the right place. As Hubert observes, you can always assume the worst case expansion, which is safe and relatively easy. Note that TLS 1.3 padding is covered, so no concern there. On Thu, Sep 14, 2017 at 12:17 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: > Hi Hubert, > > your proposal to include the worst case calculations are indeed another > possibility. It provides more information for the developer than the > current version of the document. > > A few additional remarks: > > On 09/12/2017 08:11 PM, Hubert Kario wrote: >> On Tuesday, 12 September 2017 14:30:48 CEST Hannes Tschofenig wrote: >>> Hi Martin, >>> >>> I have implemented the record size extension into mbed TLS. It can be >>> found at https://github.com/ARMmbed/mbedtls/pull/1088 >>> >>> There is only one problem that remains to be addressed IMHO. This >>> extension was developed to address the problem of devices with small >>> RAM. Application developers have to configure their embedded TLS stack >>> in such a way that the parameters configured with this TLS extensions >>> match the available hardware. >>> >>> The record_size_limit helps a lot already but does not quite to the >>> final goal since it uses an artificial metric for deciding when to >>> fragment records. >>> >>> Currently, a developer has to understand various security concepts to >>> get this right, namely >>> * Ciphersuite negotiated (and the overhead associated with it, such as >>> tag length), >>> * DTLS vs. TLS record layer header differences, >>> * potential compression being applied. >>> >>> Additionally, there is, of course, other header information that needs >>> to be considered in the overall buffer size calculation, such as TCP or >>> UDP, IP and potentially any lower layer headers. >>> >>> I just think that this is too much to ask for from an ordinary developer. >>> >>> Hence, I would suggest to use a different metric so that the developer >>> can be certain that at least from a DTLS/TLS layer there are not records >>> being sent that exceed the indicated threshold. >>> >>> If you think that this idea is worthwhile to entertain then I will make >>> a proposal. >> >> yes, I too found the necessary calculation rather complex and thus hard to get >> right >> >> that being said, if you are ok with "good enough" solutions (for memory >> allocation, for verifying correctness of packets it should be exact), the >> actual receive buffer for encrypted TLS records has to be only 85 bytes longer >> than the value you send to server: >> - max MAC size - 48 bytes >> - max IV size - 16 bytes >> - header size - 5 bytes > ... unless DTLS 1.2 is used where it is 13 bytes. For DTLS 1.3 is most > likely different since we are trying to optimize the record layer format. > >> - max block size for CBC ciphers - 16 bytes >> - max padding - 16 bytes > ... unless TLS/DTLS 1.3 is used where padding is a different meaning. > >> since MAC size is the exact multiple of block size, the padding starts in >> worst possible place if the MAC size is arranged on block boundary. Thus the >> worst case scenario padding length is 16 bytes. Same in case of EtM. > > Ciao > Hannes > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] draft-ietf-tls-record-limit-01 Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-record-limit-01 Hubert Kario
- Re: [TLS] draft-ietf-tls-record-limit-01 Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-record-limit-01 Martin Thomson
- Re: [TLS] draft-ietf-tls-record-limit-01 Hubert Kario
- Re: [TLS] draft-ietf-tls-record-limit-01 Martin Thomson