Re: [TLS] PR#1091: Changes to provide middlebox robustness

Eric Rescorla <ekr@rtfm.com> Wed, 22 November 2017 18:15 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43C95129AB2 for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 10:15:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6qvBZQlkF9jc for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 10:15:32 -0800 (PST)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 511EA126E3A for <tls@ietf.org>; Wed, 22 Nov 2017 10:15:32 -0800 (PST)
Received: by mail-yw0-x234.google.com with SMTP id q37so7505127ywa.12 for <tls@ietf.org>; Wed, 22 Nov 2017 10:15:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fCEOzRixk8UIGzSLT8RlfaY6/Ervgy8TpuB00e0LIFw=; b=kBx9MdKpL8WOQL9BLdH1Mg2E5pexreXmcAAlc2hnDE7L2kYohSG4qFFV+KEuYvaXWB WpzCKwE0VC5yRSiTa0+AFssMYQA7gddnLnyXIw7PBhqOQR4qz4Ig2Q9s2enB2BdZssi6 hTFXojYaNX8x5FT5v/tsYDeUEzFTKCuYtwRG0HTAM0OfG6zOCgYJOpRqKrAEuSfb0RqP KSu0WB67tHTR6BQDLcrEipp+WAzMw8sgkj74H9EeclWjUM0MD7hZBT/4dcBLww2QtZF8 hbDJAqPwYUuzE/Ym7bAMjpvNkK4mDE9es57bm+H63v9s7G+vb6xPgbr3qvyWmWHXqRVw NsSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fCEOzRixk8UIGzSLT8RlfaY6/Ervgy8TpuB00e0LIFw=; b=kbZBtsaKNARWotpQbTHSSwQ9LwtQfEgXj7/Yrw7Wlpp8VFHBm1JmQHPt/CXuGndNF/ 7UnwqFyDQetkAWwr85qNh9p3hL3C/H7cFtI/7FaBRyDWe6sJhAmcjqVwuLcZzyAemaDu i9UEfaZ+TcRZAES236IDL2k0IvxzDeir/Fp9+97vwSbTsJh5MF0f0crnUkfNpp0wtBDF 0/LFvM8mGXgdC/B4aTeq39DDFhktzeuXTaGhfXh1GPRNg81/uLXu8JG7pvf2FDHiqp8M cTR5ncD3josWqSdyZQGcWNiRdQjbQxnr02h7/WCcWoDeVW/dwPvJGobzwCtbgRoC1Ety DSiQ==
X-Gm-Message-State: AJaThX5HoFrMPIypau+VWHi6KsGwknwx7dybDx4WudDxDoQ3Hm2HMoTS QignTkt8uefgnYMpzYNC+VNBUhm+KyTpUl5saB/bZA==
X-Google-Smtp-Source: AGs4zMaew/KxhHh29dUwKd3Svf3khG+QyviCKctyntqxMGo3IRS95VMWSCTuyQMYM5jV5/lczWxLQN60wXVSJS/Q/o4=
X-Received: by 10.129.154.22 with SMTP id r22mr13859228ywg.296.1511374531258; Wed, 22 Nov 2017 10:15:31 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.123.132 with HTTP; Wed, 22 Nov 2017 10:14:50 -0800 (PST)
In-Reply-To: <MWHPR1801MB206198CC227AB64BEBFC92E6C3200@MWHPR1801MB2061.namprd18.prod.outlook.com>
References: <CABcZeBNm4bEMx0L6Kx-v7R+Tog9WLXxQLwTwjutapRWWW_x9+w@mail.gmail.com> <389abe54-41d3-30e9-4cca-caa8b1469ae7@iki.fi> <CAF8qwaC8bJhKoZBraoqM9qTStQxAkouV5=qXXurX8yPMDppV3A@mail.gmail.com> <MWHPR1801MB206198CC227AB64BEBFC92E6C3200@MWHPR1801MB2061.namprd18.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 22 Nov 2017 10:14:50 -0800
Message-ID: <CABcZeBNbBqFddrHrnGNAqCm0M3p7=waWwSX6PJPAcw2jjfKNvA@mail.gmail.com>
To: Yuhong Bao <yuhongbao_386@hotmail.com>
Cc: David Benjamin <davidben@chromium.org>, Tapio Sokura <tapio.sokura@iki.fi>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0bb4e80f0502055e964eb9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qzQX0GQJXYDBv5WARjMNA7kEzzw>
Subject: Re: [TLS] PR#1091: Changes to provide middlebox robustness
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Nov 2017 18:15:35 -0000

On Wed, Nov 22, 2017 at 9:52 AM, Yuhong Bao <yuhongbao_386@hotmail.com>;
wrote:

> The real question is if getting into an arms race with middleboxes is even
> a good idea IMO.
>

I don't think of it this way. As David says, the problem here is that
middleboxes are misbehaving (i.e., not conforming to the TLS version
semantics) and aren't upgrading fast enough. If they actually were
upgrading quickly (what you would have to do to get in an arms race) then
they could also handle TLS 1.3 properly and we would be in far better shape.

-Ekr




>
> ________________________________________
> From: TLS <tls-bounces@ietf.org>; on behalf of David Benjamin <
> davidben@chromium.org>;
> Sent: Wednesday, November 22, 2017 5:02:15 AM
> To: Tapio Sokura
> Cc: tls@ietf.org
> Subject: Re: [TLS] PR#1091: Changes to provide middlebox robustness
>
> As a source of some of those numbers, someone interested in actually
> deploying TLS 1.3, and, most importantly, someone who would have to deal
> with the fallout of that deployment, I can unequivocally say those are not
> "very good" figures. They are completely implausible by orders of
> magnitude. TLS 1.3, the secure upgrade to TLS 1.2, is not even close to
> being deployable today.
>
> Unchanged, deployment would require a unsecured version fallback, the same
> one that gave POODLE. An attacker could silently downgrade us to TLS 1.2.
> That ServerHello.random anti-downgrade signal would have been purely
> wishful thinking and never implemented. I think this would be a huge step
> back. A de facto fallback would also send the same signal as tweaking the
> protocol. There isn't enough incentive for middleboxes to ship updates or
> for administrators to deploy those updates when doing nothing works just
> fine. For 21 years, since SSL 3.0, we didn't really change TLS's handshake
> and left it all unencrypted. In retrospect, it's probably to be expected
> the network latched onto it. Ignoring the problem won't erase those 21
> years.
>
> These changes are certainly ugly, but they are only ugly. They have no
> impact on security, unlike the fallback which does. There is a complexity
> impact, but, having implemented it, the impact is actually quite small.
> Making the first server message more uniform between versions and
> HelloRetryRequest is even a small convenience.
>
> This is indeed baggage, but that is not new. When I think of the
> consequences of buggy middleboxes, I am actually less concerned that our
> first roundtrip needs to look a little funny, and more that we are wasting
> three bytes in front of *every* record (PR762). That we have entirely lost
> TCP and my colleagues on QUIC needed to start over on UDP for improvements.
> That even then QUIC ran into ossification later on. That every protocol
> change is risky and requires endless experimentation. That the reality of
> engineering on the Internet appears to be: if it was observable over time,
> it has ossified.
>
> I share the justified frustration with this picture, but it's reality.
> There are two questions now:
>
> 1) What we do need to do to deploy a change today? (Our handshake
> versioning joints have rusted shut, and we need to break them free.)
> 2) How do we avoid needing to do worse tomorrow? (We've got it moving
> again, and we want to keep it that way.)
>
> PR1091 seems to answer (1). (2) is harder. We need to think about how to
> avoid ossification. Writing versioning invariants[*] clearly is an easy
> step, but text alone isn't enough. Reducing unencrypted portions is also
> obvious and valuable in itself, but TLS has a bootstrapping problem here.
> We also need to think more in the direction of GREASE, but perhaps further
> as GREASE itself only tried to prevent buggy endpoints.
>
> This is a difficult question we won't fully explore immediately, and
> solving it is not going to magic away (1) anyway. So I think our first step
> is clear: get through the accumulated rust.
>
> David
>
> [*] TLS's versioning rules are quite restrictive. We promise you can parse
> newer ClientHellos. Everything after that is fair game to change. If you
> produced the ClientHello, you can reasonably assume the peer won't send you
> anything that will confuse you. If you are forwarding a ClientHello you did
> not produce, you MUST NOT process the response in any way. It will contain
> incompatible messages in the future. Alas, reality shows that the network
> did not observe these rules.
>
> On Tue, Nov 21, 2017 at 9:41 PM Tapio Sokura <tapio.sokura@iki.fi<mailto:
> tapio.sokura@iki.fi>>; wrote:
> Hello,
>
> On 6.11.2017 20:19, Eric Rescorla wrote:
> > Once you do this, the middleboxes seem to mostly ignore everything
> > after the CCS, so the rest of the handshake proceeds smoothly.
> >
> > This is all a bit nasty, but none of it changes the cryptographic
> > computations or the state machine (because you just ignore CCS).
>
> The discussion in Singapore on middlebox issues during the WG session
> woke me up on this. I don't post much on this list, but here I have to
> say that this dance to work around middleboxes looks seriously like
> putting the cart before the horse.
>
> I'm not arguing that the cryptographic properties/security of TLS 1.3 is
> affected by these changes. I'm saying that this messing around with
> making 1.3 look like 1.2 adds unnecessary complexity that will just hurt
> everyone in the long run. In the short term you get a few % more
> successful 1.3 handshakes, but once it's in the spec, it will bother
> implementers for years to come.
>
> Sometimes you have to let some things break to be able to move forward.
> If over 90% (the figures presented in Singapore) of TLS 1.3 handshakes
> already go through without 1.2 emulation / middlebox compensation in the
> protocol, I find that a very good number for this point in time.
>
> It's the middleboxes that should adapt to be 1.3 compatible, not the
> other way around. This is not sending a good signal to the industry.
>
> Sorry if I'm beating a dead horse (behind the cart). But my
> interpretation of the comments made during the WG session indicate that
> if there's consensus on incorporating these middlebox compatibility
> changes, it's a very rough consensus.
>
>    Tapio
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org<mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>