IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-esni feedback

Rob Sayre <sayrer@gmail.com> Mon, 21 October 2019 18:26 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E0C2120111 for <tls@ietfa.amsl.com>; Mon, 21 Oct 2019 11:26:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDjzsRwebJJw for <tls@ietfa.amsl.com>; Mon, 21 Oct 2019 11:26:04 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 496C012010F for <tls@ietf.org>; Mon, 21 Oct 2019 11:26:04 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id b136so17136593iof.3 for <tls@ietf.org>; Mon, 21 Oct 2019 11:26:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CHTMO0EtmA4p37x7glUxybOUkx9suCGBUIhFKmBz0pg=; b=eSMxKYoHUxSqIpraavxhW7A964W1YRYchrHZN1DWJXCJy8dtaN8kaRcZ4brnmJ25fd 2EDKYSxqVh81hx80ZmHKia3OS8l1Slk/5BcJZZIu5pBJN/YXociyj2ZTA4OCtLlokr7F BNQCuCAj6J5Ne6ytLu4UAyZT0y1yGvlB6SF3BDEnLKdd6RVKEJ8WSPkrB47XqWGmf7/7 foPbO8UMndHfpo81WnluJpHzaEw4ntpynWnRj7uCymhZlujlb5coPN0cBa41eVS1DFbg z5guIOLNjdFyLvJDx/s2uZ3k5Mzj/Chy+eh10l40gNdswjDa6o5uMhrVv5Gl8f8bl/hv UNhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CHTMO0EtmA4p37x7glUxybOUkx9suCGBUIhFKmBz0pg=; b=QdtWVEvI2MkJ9AXE1sYRaoZHaMElWqRxqVMu8OiDC1vP+vYC69OtYGKoCshZsGeTUs QTOria1EJJEPv0O2cITO0Bkr0Rlrt0H38OIgpX/bLBlG4OWz3MD4rYbkbogHwbq5IWBJ 7KFa5T3+2OGKst8B5JXEuRhYP7NewUGE0ljUUnQ38xVq4VuLU9UcvkcQX34gILUwRoNh NLjHc2psUWm77WcXNoHEKUiDDvOmAXjuSA9VFRAcUa/Zi09kIJqBcuacKdOKgu14LNJu RyN4Z5zW5vTVo9mQducxsX4pEYn7F8prMtHYAvf1BenMoTOlAzJAKM4x68K/Z4XZ0MwG nLbw==
X-Gm-Message-State: APjAAAXX1A+dYH6THiemzQBbGsUDOvQ2GJlUqK5lv13nT0NaefPcd1Xr Cry9QpEPvOrlKAzFqza7RhBHjRCdMEuem/fAH4s=
X-Google-Smtp-Source: APXvYqzRImIg1bsqt0eZXwRm98nhTTN3knOOZKOJY+zqRzEPZpzAaq2TTE9K5tL8vuoqFh5IpNJ2uddu/XvSFxyL7oI=
X-Received: by 2002:a05:6602:21c2:: with SMTP id c2mr12202298ioc.189.1571682363474; Mon, 21 Oct 2019 11:26:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sw3f7du3JYxfcWSZje1zjDzsRBQyDjob-AvzjWeZzKW7g@mail.gmail.com> <CABcZeBPbw_KOo_ieSqkksYPeLtb9DufBz628oFPYc_Ue4S9iww@mail.gmail.com> <CAChr6SwB+7Jt2TLJSQh3q=Roizdt2=9jCBa9nq8KRxRo=86uZQ@mail.gmail.com> <CABcZeBNBtDK7q175tseEUiCVds=khj4xXYJZRf7GU9VGNDJ_Tg@mail.gmail.com> <CAChr6Sz6xHtFWjOKrLp3sp9MpC-SoU9Sx=vk22ditjShA7B=Kg@mail.gmail.com> <CABcZeBOnE+gyNu7GarAfO0bptoPfzQQ=VKeWLdpJBDM=E4yhzg@mail.gmail.com> <CAChr6SxWE66jPRbnBRtwNSn3L+uNFkoFBbYNOBAkKDN05qotoA@mail.gmail.com> <CABcZeBOy8ogJrmFajxX1pqjqgnE61gE=c3CWz+pp34NWHmGKbw@mail.gmail.com>
In-Reply-To: <CABcZeBOy8ogJrmFajxX1pqjqgnE61gE=c3CWz+pp34NWHmGKbw@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Mon, 21 Oct 2019 11:25:52 -0700
Message-ID: <CAChr6SzLkLTuzHByAMhOduKbidNpE6FOu6BLfVp0OWWEPCNFOQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f986b505956fd0d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/peQIW7syGhdz7U16G64TIVKXYBI>
Subject: Re: [TLS] draft-ietf-tls-esni feedback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 18:26:06 -0000

On Mon, Oct 21, 2019 at 11:09 AM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Mon, Oct 21, 2019 at 10:55 AM Rob Sayre <sayrer@gmail.com> wrote:
>
>> On Mon, Oct 21, 2019 at 9:45 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>>
>>>
>>> On Mon, Oct 21, 2019 at 7:56 AM Rob Sayre <sayrer@gmail.com> wrote:
>>>
>>>> Sorry if I'm being dense here. Couldn't "zeros" have a length? Maybe
>>>> you just mean it would be superfluous.
>>>>
>>>
>>> Yes, that is what I mean.
>>>
>>
>> OK. To be clear, I understand why there is padding in the spec. I don't
>> understand three aspects:
>>
>> 1) Where did the number 260 come from? It also seems to conflict with the
>> "multiples of 16" advice in the previous sentence.
>>
>
> I believe it was large enough to fit the maximum plausible label size, but
> I'd have to go look at the relevant issue.
>

I have not tested this, but I wondered about IDNA-encoded domain names as I
read. Is their encoded form always under 255? So, it might be
worthwhile for the draft to explain where 260 came from.



>
>
> 2) Why does the server set the padding amount? If clients were allowed to
>> vary it with different amounts of zeros, wouldn't that be more anonymous?
>>
>
> No. You want padding to be set to be the longest size that you would send
> to any origin in the anonymity group, and the server knows this. Many
> client padding strategies leak information over time and it's hard to know
> how to construct one that doesn't unless you know the max. For instance,
> consider what happens if the anonymity group consists of "a.example" and "
> thisisaverylongname.example.com" and the client always pads to the next
> 16.
>

I thought the "padded_length" field might be more useful as a minimum. I
agree with you about narrowly-padded messages.


None of this stuff signals a flaw in the draft from an interoperability
>> perspective--I was able to follow it as a non-expert in TLS and get things
>> working. But I still have questions about why things are specified this way.
>>
>
> Generally speaking, these issues were aired on the list or in Github
> issues, so the best way to answer them is to go look at the history
>

I don't agree with this. These questions all concern MUST or SHOULD
requirements in the draft. There should be rationales for the requirements
that aren't obvious. Especially the "SHOULD" ones.

thanks,
Rob

v2.23.0 | Report a Bug | By Email