Re: [TLS] ALPN with 0-RTT Data
David Benjamin <davidben@chromium.org> Wed, 12 October 2016 20:02 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA4011295A1 for <tls@ietfa.amsl.com>; Wed, 12 Oct 2016 13:02:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.695
X-Spam-Level:
X-Spam-Status: No, score=-5.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RsgL8TTX-e9y for <tls@ietfa.amsl.com>; Wed, 12 Oct 2016 13:02:04 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10820129573 for <tls@ietf.org>; Wed, 12 Oct 2016 13:02:04 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id o19so64786470ito.1 for <tls@ietf.org>; Wed, 12 Oct 2016 13:02:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=WBRtmaFzSMH4zpi+RTt8zAf1YSxnVDiqMimR40KeUfM=; b=HaUOGbeqqOKxkHWn9Fz3YpGT7ildak3EudJTU8wvZJdC4spUG5bkTB/S0h+MkY0Ogd CZEvKWqnngfMK1gzR7uvWGK/c6xo9zPiid9oAhS8uyOXaaW8y/x3e2Xmp2lrj04gChrr OaxWqwNH9ZGSfLP26jwhkIqofv9PilUpE2hPo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=WBRtmaFzSMH4zpi+RTt8zAf1YSxnVDiqMimR40KeUfM=; b=SfH4SMCEQ/lMMYa7YF22iz2y+TmaiJpiGIR9aTuZYJC4TXONKYNlhKqw2WpFzuv/FA b+S832pTMC44a6zqRclWzbOXZwI41zaom4MzWbatClDo2Ji/Vv2YA14OcBSTSpXD7X6l J4jovhCMKrldiAQF/zyzq5cMmPN86dq2AC26IobaMXBz72QFDT6EJIK+03yidRUX57mJ SYpqmjJIk+vmCtRv3Bzd41eECp4NLhc8J01O3HUwUFG/7BBcdn+EZU23y0db/7401f2M yqBQsXFFICW+TUXK6xK4MWfaEIKl5NzPPyUc+02etKSRzxA3ZhEFhg7sxUg3MRY7pkxx TBXQ==
X-Gm-Message-State: AA6/9Rm5Bv+DCehbGcU3D/Vhuhn4gkzpjUJhFUBG035WkSkpEIzKo3/ADN3p/liHWjgrnsWR3UZJ+JnL9arkm52y
X-Received: by 10.36.210.70 with SMTP id z67mr4253502itf.67.1476302523177; Wed, 12 Oct 2016 13:02:03 -0700 (PDT)
MIME-Version: 1.0
References: <MWHPR15MB118283AEF96DAD58FD3F6FF3AFDD0@MWHPR15MB1182.namprd15.prod.outlook.com>
In-Reply-To: <MWHPR15MB118283AEF96DAD58FD3F6FF3AFDD0@MWHPR15MB1182.namprd15.prod.outlook.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 12 Oct 2016 20:01:52 +0000
Message-ID: <CAF8qwaAj=Dzs+DBoTVkFTCLz07HhtgmGp7YjsmzZx6BBSU+Zmw@mail.gmail.com>
To: Kyle Nekritz <knekritz@fb.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c05d07e79f1b5053eb077fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/r4P0CuR3c-LNtGFZckR-tuhLGdY>
Subject: Re: [TLS] ALPN with 0-RTT Data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2016 20:02:06 -0000
My interpretation was: 1. Client and server remember the previous selected ALPN protocol in the session. 2. The client may offer whatever ALPN protocols it likes. It does not need to match the previous offer list, though it presumably will unless you've got a persistent session cache or so. 3. The client assumes that session's ALPN protocol was selected for purposes of minting 0-RTT data. 4. The server must decline 0-RTT if it choses a different ALPN protocol. This can be implemented by just doing ALPN negotiation as normal and declining 0-RTT if the result does not match. (If client and server prefs have not changed, 0-RTT will work. If prefs have changed, 0-RTT will miss but future sessions will start being 0-RTT-able. I think this is probably the sanest behavior.) 5. The client performs the usual checks on the selected ALPN protocol (must be one of the advertised ones). In addition, it enforces that, if 0-RTT was accepted, the protocol must match the session one. Pinning on the most preferred one causes awkward transitions when the most preferred ALPN protocol is not the same as the most commonly deployed one. If we ever define, say, h3, we want that one in front of h2 presumably, but we wouldn't want to lose 0-RTT against all the h2 servers out there. I don't think we should be reorder preferences based on the sessions we are offering. That makes it much harder to reason about the behavior of preference lists. David On Wed, Oct 12, 2016 at 3:49 PM Kyle Nekritz <knekritz@fb.com> wrote: Currently the draft specifies that the ALPN must be "the same" as in the connection that established the PSK used with 0-RTT, and that the server must check that the selected ALPN matches what was previously used. I find this unclear if 1) the client should select and offer one (and only one) application protocol 2) the client can offer multiple protocols, but use the most preferred one offered for 0-RTT data 3) the client must send the exact same ALPN extension as in the previous connection, but must use the ALPN previously selected by the server (even if it was not the client's first offer). To clarify this we can instead * allow the client to offer whatever ALPN extension it wants * define that the 0-RTT data uses the client's most preferred application protocol offer (and the server must pick this ALPN if it accepts 0-RTT), similar to using the first PSK offer if multiple are offered * recommend that the client uses the same application protocol that was used on the previous connection. PR: https://github.com/tlswg/tls13-spec/pull/681 Kyle _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] ALPN with 0-RTT Data Kyle Nekritz
- Re: [TLS] ALPN with 0-RTT Data David Benjamin
- Re: [TLS] ALPN with 0-RTT Data Eric Rescorla
- Re: [TLS] ALPN with 0-RTT Data Kyle Nekritz
- Re: [TLS] ALPN with 0-RTT Data David Benjamin