[TLS] TLS Client Puzzles
Erik Nygren <erik+ietf@nygren.org> Thu, 02 July 2015 21:40 UTC
Date: Thu, 02 Jul 2015 17:40:20 -0400
Message-ID: <CAKC-DJjfq_Lw6ovX=sVFt3=4q_4CYo_N79PZFx+LrGj7DbLK+w@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: "tls@ietf.org" <tls@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qHyFCgO22_q-ejx7G882Q8nK5y4>
Subject: [TLS] TLS Client Puzzles
Following a discussion last year in Denver, I've written up a proposal for a TLS Client Puzzles extension. It is specific to TLS 1.3 in that it is constructed using the HelloRetryRequest request flow (although it could be adapted to HelloVerifyRequest with prior versions of DTLS). The puzzles here are placeholders meant as a starting-point for discussion (and also take in some feedback from discussions on this list last year) and will likely evolve.

Erik

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Thu, Jul 2, 2015 at 5:30 PM
Subject: New Version Notification for draft-nygren-tls-client-puzzles-00.txt
To: Erik Nygren <erik+ietf@nygren.org>

A new version of I-D, draft-nygren-tls-client-puzzles-00.txt has been successfully submitted by Erik Nygren and posted to the IETF repository.

Name: draft-nygren-tls-client-puzzles
Revision: 00
Title: TLS Client Puzzles Extension
Document date: 2015-07-02
Group: Individual Submission
Pages: 12
URL: https://www.ietf.org/internet-drafts/draft-nygren-tls-client-puzzles-00.txt
Status: https://datatracker.ietf.org/doc/draft-nygren-tls-client-puzzles/
Htmlized: https://tools.ietf.org/html/draft-nygren-tls-client-puzzles-00

Abstract:
Client puzzles allow a TLS server to defend itself against asymmetric DDoS attacks. In particular, it allows a server to request clients perform a selected amount of computation prior to the server performing expensive cryptographic operations. This allows servers to employ a layered defense that represents an improvement over pure rate-limiting strategies. Client puzzles are implemented as an extension to TLS 1.3 [I-D.ietf-tls-tls13] wherein a server can issue a HelloRetryRequest containing the puzzle as an extension. The client must then resend its ClientHello with the puzzle results in the extension.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
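The abstract above describes the exchange in two flights: the server answers a bare ClientHello with a HelloRetryRequest carrying a puzzle, the client solves it and resends its ClientHello with the solution, and only then does the server spend CPU on the expensive part of the handshake. The simulation below is an added example written for this archive page; it is not code from the draft or from its author, and the draft's actual puzzle formats are placeholders it does not fix. The puzzle here is a hashcash-style construction chosen for illustration (find a nonce so that SHA-256(challenge || nonce) begins with a configurable number of zero bits), the challenge is bound to the client random and to a timestamp under a server-side HMAC key so the server stays stateless, and the message names, dictionary shapes, `CHALLENGE_TTL` and the difficulty values are all assumptions of this example.

```python
"""Simulated TLS 1.3 client-puzzle flow over HelloRetryRequest (added example,
not the draft's code). Puzzle format, message shapes and constants are assumed."""
import hashlib
import hmac
import struct
import time

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a byte string."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def puzzle_solved(challenge: bytes, nonce: bytes, difficulty: int) -> bool:
    """Hashcash-style check: SHA-256(challenge||nonce) must start with `difficulty` zero bits."""
    return leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= difficulty


def solve_puzzle(challenge: bytes, difficulty: int) -> bytes:
    """Client side: brute-force a nonce, ~2**difficulty hashes on average."""
    counter = 0
    while True:
        nonce = struct.pack(">Q", counter)
        if puzzle_solved(challenge, nonce, difficulty):
            return nonce
        counter += 1


class PuzzleServer:
    """Issues puzzles statelessly and verifies them before doing expensive work."""

    def __init__(self, key: bytes, difficulty: int, clock=time.time):
        self.key = key              # secret HMAC key, never leaves the server
        self.difficulty = difficulty
        self.clock = clock          # injectable for deterministic tests
        self.expensive_ops = 0      # how often we actually did key-share/signature work

    def _tag(self, ts: int, client_random: bytes) -> bytes:
        return hmac.new(self.key, struct.pack(">Q", ts) + client_random, hashlib.sha256).digest()[:16]

    def issue_puzzle(self, client_random: bytes) -> dict:
        """HelloRetryRequest extension: challenge = timestamp || HMAC(key, timestamp||client_random).
        The server keeps no per-client state; the tag lets it recognise its own challenge later."""
        ts = int(self.clock())
        return {"difficulty": self.difficulty, "challenge": struct.pack(">Q", ts) + self._tag(ts, client_random)}

    def verify_puzzle(self, client_random: bytes, ext: dict) -> bool:
        challenge, solution = ext["challenge"], ext["solution"]
        if len(challenge) != 24:
            return False
        ts = struct.unpack(">Q", challenge[:8])[0]
        if not hmac.compare_digest(challenge[8:], self._tag(ts, client_random)):
            return False  # not issued by us, or issued for a different client random
        if not 0 <= self.clock() - ts <= CHALLENGE_TTL:
            return False  # stale challenge: bounds how long a solution can be replayed
        return puzzle_solved(challenge, solution, self.difficulty)

    def handle_client_hello(self, client_hello: dict):
        ext = client_hello.get("client_puzzle")
        if ext is None:
            # Cheap path: one HMAC, no state, then push the work back to the client.
            return "HelloRetryRequest", {"client_puzzle": self.issue_puzzle(client_hello["random"])}
        if not self.verify_puzzle(client_hello["random"], ext):
            # Only one HelloRetryRequest is allowed per handshake, so reject rather than re-challenge.
            return "Alert", {"description": "handshake_failure"}
        self.expensive_ops += 1  # stands in for the key share and signature
        return "ServerHello", {}


def run_handshake(server: PuzzleServer, client_random: bytes, solver=solve_puzzle) -> list:
    """Drive ClientHello -> HRR(puzzle) -> ClientHello(solution) -> ServerHello; returns the server flights."""
    transcript = []
    hello = {"random": client_random}
    msg, body = server.handle_client_hello(hello)
    transcript.append(msg)
    if msg == "HelloRetryRequest":
        puzzle = body["client_puzzle"]
        # The retried ClientHello keeps the same random and adds the solution.
        hello["client_puzzle"] = {"challenge": puzzle["challenge"],
                                  "solution": solver(puzzle["challenge"], puzzle["difficulty"])}
        msg, body = server.handle_client_hello(hello)
        transcript.append(msg)
    return transcript


if __name__ == "__main__":
    srv = PuzzleServer(b"k" * 32, difficulty=16)
    print(run_handshake(srv, b"\x01" * 32), "expensive ops:", srv.expensive_ops)
```

The point to take from the simulation is the cost asymmetry: a client that never solves costs the server one HMAC and one short reply, while the client pays roughly 2**difficulty hash evaluations before the server commits to any public-key work; the HMAC binding to the client random and the TTL are what stop one solution from being replayed across connections or hoarded for later.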
- [TLS] TLS Client Puzzles Erik Nygren
- Re: [TLS] TLS Client Puzzles Yoav Nir
- Re: [TLS] TLS Client Puzzles Erik Nygren
- Re: [TLS] TLS Client Puzzles Douglas Stebila
- Re: [TLS] TLS Client Puzzles Jeffrey Walton
- Re: [TLS] TLS Client Puzzles Tony Arcieri
- Re: [TLS] TLS Client Puzzles Erik Nygren
- Re: [TLS] TLS Client Puzzles Watson Ladd
- Re: [TLS] TLS Client Puzzles Brian Sniffen
- Re: [TLS] TLS Client Puzzles Watson Ladd
- Re: [TLS] TLS Client Puzzles Brian Sniffen
- Re: [TLS] TLS Client Puzzles Watson Ladd
- Re: [TLS] TLS Client Puzzles Dave Garrett
- Re: [TLS] TLS Client Puzzles Brian Sniffen
- Re: [TLS] TLS Client Puzzles Martin Thomson
- Re: [TLS] TLS Client Puzzles Jeffrey Walton
- Re: [TLS] TLS Client Puzzles Martin Thomson