[TLS] should we say anything about ECH in the face of fragmentation?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 15 March 2024 21:23 UTC

Message-ID: <71dfb248-1f03-4066-a8cf-6e5439d7db94@cs.tcd.ie>
Date: Fri, 15 Mar 2024 21:23:22 +0000
To: "tls@ietf.org" <tls@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qKS605WCBFP_BI_CiqwzgG-iud8>
Subject: [TLS] should we say anything about ECH in the face of fragmentation?

Hiya,

I think the outcome here is maybe most likely to do nothing but
since the WGLC is ongoing I figured it best to bring it up in
case others have better ideas.

I got a mail yesterday from someone who had played with the nginx
"stream module" setup ECH-split-mode PoC stuff we've done and found
a difference in how IP fragmentation affected that configuration,
depending on whether or not ECH was enabled.

The pcaps I've seen show fragmentation of the CH after 588 octets.

In the ECH-using case, nginx aborts the connection as it sees a
malformed outer CH. In the non-ECH case, nginx can decide how to
forward the packets as it can decode into the partially rx'd CH
and see the SNI (which is what's used to decide where to fwd the
connection). I don't (yet) know what'd happen if fragmentation
happened in the middle of the SNI in the non-ECH case. (I'd bet
it'd not be good though:-)

The reason for the difference is relatively obvious but I guess
could be stated in the draft: an ECH split-mode front-end can't
decrypt the ECH until it's seen the entire CH, due to the use of
the ClientHelloOuterAAD as aad.

I've not yet thought about whether it'd make sense to try to
buffer up partially rx'd fragments to see if those eventually
do turn out to be a nicely encoded outer CH - I suspect that
may be more of a footgun than useful;-(

I think all the exact same things would happen with our haproxy
split-mode PoC, so this isn't an nginx-specific issue.

Cheers,
S.
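To make the point in the mail concrete, here is an added illustration (not code from the mail, nor from the nginx or haproxy split-mode PoCs): a minimal split-mode front-end over a constructed, single-record ClientHello. Because ClientHelloOuterAAD is the whole ClientHelloOuter with the ECH payload zeroed, the front-end cannot even form the AAD from a fragment, so the only safe option is to buffer up to the length declared in the handshake header, under a cap, before attempting decryption; the SNI extension, by contrast, can be read from the same partial buffer. The ECH payload is a placeholder (no HPKE is performed) and the layout of the outer ECHClientHello follows draft-ietf-tls-esni.

```python
import struct

SNI_EXT, ECH_EXT = 0x0000, 0xfe0d  # extension codepoints (ECH: draft-ietf-tls-esni)

def build_client_hello(sni, ech_payload=None):
    """Constructed single-record ClientHello with SNI and an optional outer ECH extension."""
    host = sni.encode()
    sni_val = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", SNI_EXT, len(sni_val)) + sni_val
    if ech_payload is not None:  # type=outer, kdf, aead, config_id, enc (empty), payload
        ech_val = struct.pack("!BHHBHH", 0, 1, 1, 7, 0, len(ech_payload)) + ech_payload
        exts += struct.pack("!HH", ECH_EXT, len(ech_val)) + ech_val  # payload: placeholder
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)  # version, random, sid, suites, comp, exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record + handshake headers

def extensions(body):
    """Yield (type, value_offset, value) for each extension completely present in body."""
    off = 35 + body[34]                                   # past version, random, session id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]  # cipher suites
    off += 3 + body[off]                                  # compression methods + ext length
    while off + 4 <= len(body):
        t, l = struct.unpack("!HH", body[off:off + 4])
        if off + 4 + l <= len(body):                      # else cut off by fragmentation
            yield t, off + 4, body[off + 4:off + 4 + l]
        off += 4 + l

def outer_aad(body, ech_off, ech_val):
    """ClientHelloOuterAAD: the whole ClientHelloOuter with the ECH payload zeroed."""
    p = 10 + struct.unpack("!H", ech_val[6:8])[0]         # payload starts after enc
    plen = struct.unpack("!H", ech_val[p - 2:p])[0]
    return body[:ech_off + p] + b"\x00" * plen + body[ech_off + p + plen:]

def front_end(buf, max_buffer=16384):
    """Split-mode front-end decision over the bytes received so far."""
    if len(buf) < 9 or buf[0] != 0x16 or buf[5] != 0x01:
        return ("need_more", 9 - len(buf)) if len(buf) < 9 else ("abort", "not a ClientHello")
    total = 9 + int.from_bytes(buf[6:9], "big")
    if total > max_buffer:
        return ("abort", "ClientHello exceeds buffer cap")   # bounded buffering
    if len(buf) < total:  # fragmented: the AAD covers the whole CH, so decryption must wait
        return ("need_more", total - len(buf))
    body = bytes(buf[9:total])
    exts = {t: (o, v) for t, o, v in extensions(body)}
    if ECH_EXT in exts:
        return ("ech", outer_aad(body, *exts[ECH_EXT]))   # next step: HPKE open with this AAD
    if SNI_EXT in exts:  # single host_name entry: skip list length, name type, name length
        return ("route", exts[SNI_EXT][1][5:].decode())
    return ("abort", "no SNI")
```

Feeding the first 588 octets of an ECH-bearing ClientHello yields the SNI extension but not the ECH one, and front_end asks for the remainder rather than treating the fragment as malformed.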