Re: [TLS] Keeping TLS extension points working

Sean Turner <sean@sn3rd.com> Tue, 26 July 2016 15:26 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26A0912DD7F for <tls@ietfa.amsl.com>; Tue, 26 Jul 2016 08:26:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tIW8AlElodwr for <tls@ietfa.amsl.com>; Tue, 26 Jul 2016 08:26:17 -0700 (PDT)
Received: from mail-qt0-x22f.google.com (mail-qt0-x22f.google.com [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D76F12DAD3 for <tls@ietf.org>; Tue, 26 Jul 2016 07:52:49 -0700 (PDT)
Received: by mail-qt0-x22f.google.com with SMTP id w38so8419696qtb.0 for <tls@ietf.org>; Tue, 26 Jul 2016 07:52:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yUMj+K/3nhFWQA6/9zd/aI7+52d2Mds5vftkjMtb+RU=; b=LtyOa+L3EHg6UxiT8KhahlubTUrmRL2t1YRFQAciv8Mu+Q9f/FLEx3VPmp4/UZnG3d LMYhsdA6MXP67KpC/+j7yaPJXRYeQX0aIiXf0CTtj8RAl9kRrVWQNghFdoZPUzg6P6+R rzkR2U7GJ0idobHEqWyzyUyDAiwW6s9EiYFic=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yUMj+K/3nhFWQA6/9zd/aI7+52d2Mds5vftkjMtb+RU=; b=JERqCyULYSkuN0kYXjicguMe0gPihBziKnlA/7lRB9IG6LKYvzrx0KAQOcAqfl3zN2 Kqcu2Q/UCnNcJiavc6e0zDjQMak4+BomOHIVlTHtO4f33hKE01Arzi1viPhiEJ5szq/D 0OAAN4dQBZncU5Xgp5A7FkxO5VdfNZdtE+jp9TuTKf/YrkzCWLeIW8zlRSamEhrVH74g NLD4c5VUuCHZ/NjcQ6aGgTJ74cpOM2h705cQg9gOlD0JgD1m8MDA6obsNx+tZ3/JXriV h1cnYvf7EVI5pgBnMh7r2EGGAsEMIRc9oU+y/gg9I+7+BXsCgJ7CzvlwI/s9FDI/AkgA lVig==
X-Gm-Message-State: AEkoouuN3ZiCdNq0HDtEZN7tlsEvJFah+1Eg8h/2lUizWRSpibklD8HcECjC1S3YlCB+lg==
X-Received: by 10.237.37.99 with SMTP id w32mr38312558qtc.59.1469544768242; Tue, 26 Jul 2016 07:52:48 -0700 (PDT)
Received: from [172.16.0.112] ([96.231.220.41]) by smtp.gmail.com with ESMTPSA id c23sm747747qtc.45.2016.07.26.07.52.47 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 26 Jul 2016 07:52:47 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CAF8qwaCaW2Q+z_JoDqzQZaGCWJ2aqUiyK8_J8_CO4Ck_cqtaSA@mail.gmail.com>
Date: Tue, 26 Jul 2016 10:52:46 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <0B0C11B8-CC4A-46C4-A134-881A41005502@sn3rd.com>
References: <CAF8qwaCaW2Q+z_JoDqzQZaGCWJ2aqUiyK8_J8_CO4Ck_cqtaSA@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nFbbkkXs90dPD0K6KT8u5dYexxY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Keeping TLS extension points working
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2016 15:26:32 -0000

David,

Technically, IANA makes the assignments we (the IETF/TLS WG) ask them to make via the IANA considerations section.  They enforce the registry policy established when we (the IETF/TLS WG) originally established the registry; the available policies are found in RFC 5226 (and there’s some more rules in RFC 7120).  So, I’m hoping that you could tweak your draft somewhat to be instructional and then suggest some values (this purely procedural dance has worked in the past and it’s what we’re doing for draft-ietf-tls-ecdhe-psk-aead):

0) In s2, replace the two lists with something like:

The draft reservers the following X cipher suite values: Values TBD

The following X values are reserved as both GREASE extension values and GREASE named group values: Values TBD

1) In 5, add a {TBD} sub-column to the 1st column for each value in the tables (apologies for the formatting):

+-------------------------+-------------+---------+-----------------+
|    Value                   | Description | DTLS-OK |    Reference    |
+-------------------------+-------------+---------+-----------------+
| {TBD} {0x0A,0x0A} |   Reserved  |    Y    | (this document) |

And then add something like this to the end of the section:

  The cipher suite numbers listed in the second column in the
  values column are numbers used for cipher suite interoperability
  testing and it's suggested that IANA use these values for assignment.


I’m sure somebody will eventually comment on the following header fields:

0) “Status: Informational” because some of the registries right now require standards track RFCs to do the assignments.  But, everybody should momentarily suspend reality because we’re going to change the registry rules for the registries you are adding values you to be something that would allow an draft intended for “informational” to do the updates, i.e., just leave it alone for now.

1) “Updates: 5246 (if approved)” because typically extension documents don’t “update” the base specification.  If you are suggesting that all implementations must support these values then an updates header makes sense.  Note I’m sure somewhere along the way an extension that isn’t expected to be supported by all implementation has an updates header but what I described is how we’re doing it now.

Cheers,

spt

PS: As chair, I try to deal with/deflect as many of these procedural issues as possible, but if you want to know more please let me know off-list.  This actually goes for anybody on the list.

> On Jul 25, 2016, at 18:32, David Benjamin <davidben@chromium.org> wrote:
> 
> Hi folks,
> 
> I'm not sure how this process usually works, but I would like to reserve a bunch of values in the TLS registries to as part of an idea to keep our extension points working. Here's an I-D:
> https://tools.ietf.org/html/draft-davidben-tls-grease-00
> 
> (The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy from https://www.imperialviolet.org/2016/05/16/agility.html )
> 
> One problem we repeatedly run into is servers failing to implement TLS's various extension points correctly. The most obvious being version intolerance. When we deployed X25519 in Chrome, we discovered an intolerant implementation. (Thankfully it was rare enough to not warrant a fallback or revert!) It appears that signature algorithms maybe also be gathering rust. Ciphers and extensions seem to have held up, but I would like to ensure they stay that way.
> 
> The root problem here is these broken servers interoperate fine with clients at the time they are deployed. It is only after new values get defined do we notice, by which time it is too late.
> 
> I would like to fix this by reserving a few values in our registries so that clients may advertise random ones and regularly exercise these codepaths in servers. If enough of the client base does this, we can turn a large class of tomorrow's interop failures into today's interop failures. This is important because an bug will not thrive in the ecosystem if it does not work against the current deployment.
> 
> If you were in Berlin, you may recognize this idea from the version negotiation debate. Alas that all happened in the wrong order as I hadn't written this up yet. This idea can't be applied to versioning without giving up on ClientHello.version, but we can start with the rest of the protocol.
> 
> David
> 
> PS: This is actually my first I-D, so apologies if I've messed it up somewhere!
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls