IETF Logo Mail Archive

Re: [TLS] Getting started, clock not set yet

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 17 August 2022 15:51 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C25EC1522DC for <tls@ietfa.amsl.com>; Wed, 17 Aug 2022 08:51:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9twq6jYhvh3 for <tls@ietfa.amsl.com>; Wed, 17 Aug 2022 08:51:18 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [103.96.21.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59ED6C1522C9 for <tls@ietf.org>; Wed, 17 Aug 2022 08:51:17 -0700 (PDT)
Received: from AUS01-ME3-obe.outbound.protection.outlook.com (mail-me3aus01lp2235.outbound.protection.outlook.com [104.47.71.235]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id au-mta-111-o-mmF5QtMoSlZBfzcZ7nOg-1; Thu, 18 Aug 2022 01:51:15 +1000
X-MC-Unique: o-mmF5QtMoSlZBfzcZ7nOg-1
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com (2603:10c6:10:10b::10) by MEYPR01MB7869.ausprd01.prod.outlook.com (2603:10c6:220:17f::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5525.10; Wed, 17 Aug 2022 15:51:13 +0000
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::9ce9:9bf2:308b:8a40]) by SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::9ce9:9bf2:308b:8a40%4]) with mapi id 15.20.5504.028; Wed, 17 Aug 2022 15:51:13 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Kyle Rose <krose@krose.org>
CC: Hal Murray <halmurray+tls@sonic.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Getting started, clock not set yet
Thread-Index: AQHYsCRpUrhIAc5JOEq2Ame6pq4OrK2v6+4AgANKXLGAAANCgIAAA8+pgAAArQCAAAO6pQ==
Date: Wed, 17 Aug 2022 15:51:13 +0000
Message-ID: <SY4PR01MB6251708691A913890F737ECFEE6A9@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <krose@krose.org> <CAJU8_nWC+GRZFm02trAgB_bmUfkNF9bMfUHenVRNojydzi1NNw@mail.gmail.com> <20220814212506.A6A1A28C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <CAJU8_nUZCR3ihGBj101n8zd6e9+nqFR0NW=u6EgpqDwKX+=aUg@mail.gmail.com> <SY4PR01MB6251E83F8D285B2EAEA86CF5EE6A9@SY4PR01MB6251.ausprd01.prod.outlook.com> <CAJU8_nWU9RnBVgUBPKShwZ=XyT+Q=rm-xhiOMPBWymOuWQ26mg@mail.gmail.com> <SY4PR01MB62513521F1522D0BCBE02379EE6A9@SY4PR01MB6251.ausprd01.prod.outlook.com> <CAJU8_nW_g1RO2yUkEOUgdMhfoMBEwGW7w7CrpxsVXFH4Q2b19w@mail.gmail.com>
In-Reply-To: <CAJU8_nW_g1RO2yUkEOUgdMhfoMBEwGW7w7CrpxsVXFH4Q2b19w@mail.gmail.com>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fe9d583e-647d-42b5-6ece-08da80684fd0
x-ms-traffictypediagnostic: MEYPR01MB7869:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: qRNWavL+o1ETdtobYiiIfDO3TfyjFHFh3TDojgX0z1ZtrorR7iE6Bs/hhuFFhAYJL0vEzY5TtJW1sVv5Mle7tIiGGT0Yp5UdzlUUseJZILG6qpcAUpzxiCU5oEX7ar2tqOWDwcOm6yZ/RFERchx8+bQWolO0+LMW0pNpVx+I6ApTs2z/gdMek6BY5vORs7n9VmTOP/8pobbAbWJmFGwctL2o6mdJXBy/3oCaY0d5qHnvml1zRCgXkipka2xa+LbKHOVK9LGTbdaZnxHZkdz425XnyoAFkR9WVO+GYhhW+u0pWitm0iRNBoCLoaO25vVtN4PNN25scdUA0mvm7vT2SvNwnbTSJDHNSlPvdW2/EEStrAxwDc/NHzN1IAOqqDImjpYk5tkhmu3JlnV3i4P0q+qcSO9SDYlamPi9boDrQVQGeEixIC9rujFsgpd5MOcmPG45IlSafLZHw47UJHE7OI4dUa8fqbDZOujY+4+tfA56rs1jwXaXp6MyztITDnMNUlHoq/2vW/LaRsVSy0rBLnTaiV4LvCKGn62loz0XMPg92S9Uk/+Fecq41KOVnm8j0jBtQX+1mAPQEukk6P6rB4NNNYJwjs9rchbHggN4Rql3kBI4oetQ1c56a3JpoEU3F3H5pHbUabvTiRXKMf1goSOmXFUuHZ2lMmrGh4qqdhIMjc9/Y1pmiK8wTYUU5MYb/zYYLR8u2dfnzyfasglwITMRDi2VKSij0dKwpETPmBieXdKK+BuH6ZNz7edLNPuAW3CGm+UusfOle488daMothv9lkaFdVeNqeZYwOy2Z/6qsFuKQwsYnH3ZQi/i4cDD
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SY4PR01MB6251.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(396003)(366004)(376002)(346002)(39860400002)(136003)(7696005)(33656002)(52536014)(2906002)(8936002)(5660300002)(86362001)(55016003)(4744005)(26005)(66476007)(71200400001)(41300700001)(186003)(38070700005)(9686003)(6506007)(122000001)(6916009)(478600001)(83380400001)(38100700002)(64756008)(316002)(786003)(8676002)(66556008)(4326008)(54906003)(76116006)(66446008)(66946007); DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: X7oVzZujxblZ1QqZsUB3mm+ZxrItFBDQERdSCpbY9Exz5+c8TWO+66AdNUPOq8J667488wYp93UXsrK90+PAWYtkz4B4jf0ahW/qES3L4LMELvoXuqUw75dGLM23uVFtG998HNs2HuadsCzC0IANxLTPuwHHxPeCFXMLVKfG78ygYfel7MxjdrwvyL4jAPT9p0jyWkU+oTf69Q+0REy6e6YeGtBI+0Tt7WF+vd1EF/+0erR0yttLNbVJom4nR+al78pBkWZiEI1d8rSQBExNP7pWxwwdF95pvhO4QfKQE8/cu2mAQTpbUMdSHZe0yfpHsIbfe62RBZaWeZMF43iDto/YIEbghZ/Q+zWnPEJWzoIRxOgLLs7jrIRLWN1W3FVkfCybJ0E0eRIz72vaqebsO1Zi9d0e7A2EhynhHEQiDSo9ixqNeH7W5bFbwtg5fXtj9ePasqd5UyNMzPCglEdAAfBy242+cxgTALCB6Z2Fo8XHKFvu3FbJRxLufRIN1S+uLEfkVGVbTJmNI48dVDKKeLMeb4EpNG5IWlXR+rST7cxwNdGpqGVkvaNIpDcwyVEilb8HSihOWNex9aB3tAfKSgoM1JP6KVhG0OPXyO8GpQahyKRLO9Cu6H7l8Vs2y3ahyzSJoCyyueos46xpR/DEI1LjOcSOO6KNzHQ/IaT+XNN3uAdLWOCRpgS0PiI5jaOmhWYI2jvrENDeqqaSmqu6JBBf5DZnElmSLkMrAgbPRT3x3d8M4BebHVq5Ewmbx/Xxt7O9ffThftiGvAQObphzYl97YwR9UDHG3BaM8jbKRgFGmLIaEW77Vx62HVTVy3/5Cz4J4pwEkH9TFPvqc2hA/eSEP4WYEjjdGU9qjvO1LW/6+wx60wUypozoHDWLMEEFEZPMhbGTzPt+HmvduVs2pim5l8sIWd7awxnGjhwJwtmdUMtdnDthMSMLYN6etFEZBJbzskKxKA3iObgaYK/apNj1JjoaF0JLaHX4Tp1A8wf3nyfrfmwN3MNBGZhPW5XzYekWOAKX1b5ER+xwq3PkXAQ0S1BrQktDB9U1pg+QJZ6vmxMYvq6Yk4ptyrG331WSJCB/GrWkSFV4J8KR0a20CvErTlkQz9jLDbhK2a7VsUjNa9rycffsGYnOG+6Q4JGPMt5r9SPcSvmzutzaUQ6Jd3lL0lBbG7ctLkbz+Qw9KDZ/cXCom1oKi3ET009Tem3dvjZ4uGxtX+531AYE/wrebRpokDcguJ16heki1tD7z3C1xpnLtUSD4eTdr/HLRY9QLcie5iq8FNhgQ3vKDKapbm8Q0U2Ax/W/3YeEinAiTOvRAm3GHfCHlKGlJuhNWKctuV9l+LOxwtJQrtCXb0aVMxgEoO2paonJo6xEFLpcakVUXP3Lucf4tKfqfeQ2kr0/Vt7NaUDEUXNdFl8lAyyKZEfnNe9WYujzAsTr+d2S6I3HVho/ODxgxJVU3tDxwKQXpcQX7Kts8wjvrRMf/mZZxU0D3wekPnQ6KpCubGum740AnkRnA9NiFm00tBmCDDxGX6uO29pfQVMRRQu6LGr5iTNT6y6vIyrvZfpw4sjEod6B5XkPD2LG0cWGQxVXmcZ9
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY4PR01MB6251.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fe9d583e-647d-42b5-6ece-08da80684fd0
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Aug 2022 15:51:13.0204 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: e0wftUQmH8OgMtVwdfk/78cgt8GPY+0jumDWVAlPTMr8N+qeujst/00/tmtjrO7Dgwnjimq2USct0t18mNflacypyOikDTBJzJE04H93mNI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEYPR01MB7869
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mpKDj4ut0hKxTNP4QX6JaeDwZs0>
Subject: Re: [TLS] Getting started, clock not set yet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2022 15:51:20 -0000

Kyle Rose <krose@krose.org> writes:

>A large attack surface can't be avoided with the MTI for these protocols.

It can be vastly reduced by only implementing the MTI rather than every
possible bell and whistle in existence.  Also since an RTU (remote terminal
unit) doesn't need to talk to every single piece of broken software on the
planet but only what the master station it's talking to is running, all you
need is whatever the de facto universal standard config is, either DH+RSA+AES
or P256 ECDH/ECDSA+AES and nothing else, no suite negotiation, no extensions,
nothing.

And that goes all the way up and down the protocol stack.  TCP options,
fragmentation, UDP, ICMP, packet reordering, most flow control and congestion
avoidance, none of that's there.  Fuzzing these things is mostly a waste of
time because there's no alternate code paths or corner cases to discover in
the fuzzing.  Makes them remarkably resistant to attack because there's very
little there to attack.

Peter.

v2.23.0 | Report a Bug | By Email