Re: [TLS] Solving HRR woes in ECH
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 26 March 2021 15:10 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FD363A20D0 for <tls@ietfa.amsl.com>; Fri, 26 Mar 2021 08:10:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XsCd0-47rJ5E for <tls@ietfa.amsl.com>; Fri, 26 Mar 2021 08:10:18 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AE1B3A20C9 for <tls@ietf.org>; Fri, 26 Mar 2021 08:10:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id BE223BE3E; Fri, 26 Mar 2021 15:10:14 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UwW7iCskeBaD; Fri, 26 Mar 2021 15:10:12 +0000 (GMT)
Received: from [10.244.2.242] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 3E29EBE1C; Fri, 26 Mar 2021 15:10:12 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1616771412; bh=gySr8bvcPa83+W5vnWZTCUieAOfp1auMkUjlF75Dofc=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=GIqGlic832XnSayEI9IFXXqXmuWtg1PIJy13vwM+OvEJzhymMDfnySWmAWp0SIAay ktmfZAjled7YSWuQl3TUUTf1iF0NZEpt4QLTuO26cET4WNee9NIv/lpqnNg/QMPMgl JXojD/2NqxGXSS8tUpOP75vMpI8KyV4c2DzNgFPY=
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
Cc: tls@ietf.org, Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>
References: <CAG2Zi20utVzjUnTAWcRSxbhjexhJLvZ9aHT--nn_5jk82MRt=g@mail.gmail.com> <CAFDDyk_0NdYvaXgnUp21DkxTogUJrhN4xwEtnVNTkXvhzKKOGw@mail.gmail.com> <CAHbrMsA4ng7nJj-O+H0uhC6qULsP7jgiFD8gT-S6Lcmfq+k9Ow@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <c9df2a3a-dd87-ea30-49cb-c69ea4f2ef20@cs.tcd.ie>
Date: Fri, 26 Mar 2021 15:10:11 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <CAHbrMsA4ng7nJj-O+H0uhC6qULsP7jgiFD8gT-S6Lcmfq+k9Ow@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="zo0ZTmAYEpGrQGZn7wQGl0BbupoBUL7wG"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/l-W1UwqYsJHIQ533AFjvjIUnGZI>
Subject: Re: [TLS] Solving HRR woes in ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 15:10:23 -0000
Hiya, On 26/03/2021 13:44, Ben Schwartz wrote: > This seems like a reasonable suggestion to me, so long as the value is > purely a "hint", as you seem to be proposing. I would suggest structuring > it as an ECHConfig extension. This would avoid the need for multiple > points of integration between TLS and DNS, support the use of HRR hints in > other ECH use cases that don't involve DNS, and help to exercise the > ECHConfig extension mechanism. (I'm not stating an opinion on the PR yet but...) If there is to be some new data included in SVCB/HTTPS RR values then that ought be structured bearing in mind who produces which bits of data. An ECHConfig is a binary blob mostly produced by the client-facing server, whereas TLS parameters for the backend server are not produced at the same place. Including the latter as an ECHConfig.extension is not therefore a good design IMO. Justifying those (IMO:-) unnecessary ECHConfig extensions is also not a goal. Information about the backend's TLS preferences, if published in the DNS, ought be outside the ech value in HTTPS RRs. If we wanted to publish information about the client-facing server's TLS preferences in the backend's zone file, then that could be put into the ECHConfig all right. (It's a pity that we didn't split out the ECHConfigs from different client-facing servers in SVCB/HTTPS to make all that easier isn't it?) Cheers, S. > > On Thu, Mar 25, 2021 at 9:28 PM Nick Sullivan <nick= > 40cloudflare.com@dmarc.ietf.org> wrote: > >> Hi Chris, >> >> HRR in ECH does seem challenging. This may be tangential to the PR you >> linked, but there may be a way to reduce the likelihood of HRR by moving >> even more of the handshake negotiation into DNS. The HTTPS RR is already >> used for some types of negotiation (ALPN and ECH key), so why can't it be >> extended further to advertise to the client what the server is willing to >> support for cryptographic negotiations? >> >> For example, the HTTPS record could additionally contain the server's >> supported supported_groups and cipher_suites. With this information, a >> client could know which key_share extensions a server is likely to accept >> and adjust its clienthello accordingly. A client who typically sends two >> key_shares (P256 and x25519) for maximal compatibility could then reduce >> the size of its client hello (no need to send redundant key_shares) or even >> prevent an HRR flow altogether in the case that the default key_shares or >> cipher_suites are not supported by the server. >> >> This tweak wouldn't remove the need for HRR completely -- it could be >> necessary when changing server configuration, for example -- but it could >> remove the need for HRR in the common case. >> >> Nick >> >> On Thu, Mar 25, 2021 at 8:05 PM Christopher Patton <cpatton= >> 40cloudflare.com@dmarc.ietf.org> wrote: >> >>> Hi all, >>> >>> One of the open issues for ECH is how it interacts with HelloRetryRequest >>> (HRR). The central difficulty is that a client may advertise different >>> preferences for HRR-sensitive parameters in the ClientHelloInner and >>> ClientHelloOuter. And because the HRR path has no explicit signal of which >>> ClientHello was used, the client may not be able to know how to respond. >>> The following PR solves this problem by adding to HRR an explicit signal of >>> which ClientHello was used: >>> https://github.com/tlswg/draft-ietf-tls-esni/pull/407 >>> >>> The design was originally proposed by David Benjamin in the issue >>> referenced by the PR. Along the way, It also solves a handful of other HRR >>> issues that have been identified. >>> >>> One consequence of this particular solution is that real ECH usage >>> "sticks out" if the server responds with an HRR. In particular, signaling >>> which ClientHello was used also signals whether ECH was accepted. However, >>> the solution is designed to mitigate "don't stick out" attacks that attempt >>> to trigger the HRR codepath by fiddling with bits on the wire. The >>> distinguisher only arises when HRR happens organically. >>> >>> Feedback is appreciated! >>> >>> Best, >>> Chris P. >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Solving HRR woes in ECH Christopher Patton
- Re: [TLS] Solving HRR woes in ECH Nick Sullivan
- Re: [TLS] Solving HRR woes in ECH Carrick Bartle
- Re: [TLS] Solving HRR woes in ECH Ben Schwartz
- Re: [TLS] Solving HRR woes in ECH Stephen Farrell
- Re: [TLS] Solving HRR woes in ECH Christopher Patton
- Re: [TLS] Solving HRR woes in ECH Eric Rescorla
- Re: [TLS] Solving HRR woes in ECH Eric Rescorla
- [TLS] key_share hints in DNS David Benjamin