[TLS] draft-ietf-tls-record-limit-01
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 12 September 2017 12:30 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0508313304A for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 05:30:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gu7GV5zZFgNw for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 05:30:51 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D6F513208E for <tls@ietf.org>; Tue, 12 Sep 2017 05:30:50 -0700 (PDT)
Received: from [192.168.91.203] ([131.111.5.141]) by mail.gmx.com (mrgmx002 [212.227.17.190]) with ESMTPSA (Nemesis) id 0M6RiN-1dWuA73p4l-00yNIZ for <tls@ietf.org>; Tue, 12 Sep 2017 14:30:49 +0200
To: "<tls@ietf.org>" <tls@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <d146477e-85c1-5b09-490e-ed2f386f0915@gmx.net>
Date: Tue, 12 Sep 2017 14:30:48 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:cXjqwy2jnvRstAQt/56+Mqxz8QMq1sbGVn81JXZg8L2qfYf2IFm NaS1EwLX5cp5um3p/PLaR02k7kFYVQfdkYzvyAptBntELTjhJUuMPz8qCFsb3Uv2QFKv9s1 Zxxa8Pb40NAUndktcBKcyHvaql9/VI2Acav8P8ccyZscmTZkPPA0d/I5eb2myxhBABy0NuI voASOyfZmcCuOlYQYa3mA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:zbpyfzT1338=:Mu/KdAshu2A1Agsv6ezpR2 aXDF/gkuMBo3fDYM4U8PexcrBAueGAhQeiuHTTf6OoVq1MymTVMUnX9q/nlPeIpTNqSZHH/IU 8pdhe34eVwyLVhYp+Eu65aRaGYnE2AK6CMspP4+ymFzzzUkPue+JCg3xNlhXQd50+haZPL4FJ +N4pnxiZEQ/vA5x+RQ/j/NcuEKmW+vu8QCrK2mTuzB2dZysLQN/ECxXI9gp4DC59iTcWODYWm XqScF0xlQWyw8e9BetqxFmdXxM3szeEZwggSZe+ivgg9MHGJ2nuo2HcNi7V/F/drbmU62R8WE JHZm4k8zGzXLXSgLXjL6ZPGOTUWwVCWlZIvsjMJNyMPkrl+GN+pFnse98CE3CAlNSy9+yHr4C Ct4kknEeHBrPUp7Jy5zBJPhDHaGn49Z++gSVY1lLVY92k5IIgtlIonvUXxI02DcnTSH0EdF+3 SVx5UfIUPJeYG5a/EdagIM4b0nqhaE71jMs4NMFK1FFtDJNsN0tt1F5znu9vlaQNC2hAReesS NpnfL+8ch8g/iiD55qfGKCX4cH5iGZ7tol+7qqu/6mfkk8sPfgOalZgTUEtk1DOxQLSPhGkme x8fBR11ct8r+GBNvSxZm6ESmaydUibjG2gj7RKsTqNB28wFsZqBdKohnTry3G2YkDVU9yIvWA S8vwBku/griGWN4GX8S4KeffgrM9DDZDoVxsdGrdmEyf4XgiogMm4LKv032yo0WydK7NoeXSn dQwhbU2UKUXjbgXBTOiIRbR0g4bAkuPYPV2rLgZJ6zYeLWZvm/V+t77QAoYtkyRcOYl4RT3L3 tdzD33P1Qe/uofAvr2AOkgpHR7FhVb0HWmbZGWxz05snmxFRz8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ruxVEGEXmALCl5JjdBPmSoYAiuY>
Subject: [TLS] draft-ietf-tls-record-limit-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 12:30:53 -0000
Hi Martin, I have implemented the record size extension into mbed TLS. It can be found at https://github.com/ARMmbed/mbedtls/pull/1088 There is only one problem that remains to be addressed IMHO. This extension was developed to address the problem of devices with small RAM. Application developers have to configure their embedded TLS stack in such a way that the parameters configured with this TLS extensions match the available hardware. The record_size_limit helps a lot already but does not quite to the final goal since it uses an artificial metric for deciding when to fragment records. Currently, a developer has to understand various security concepts to get this right, namely * Ciphersuite negotiated (and the overhead associated with it, such as tag length), * DTLS vs. TLS record layer header differences, * potential compression being applied. Additionally, there is, of course, other header information that needs to be considered in the overall buffer size calculation, such as TCP or UDP, IP and potentially any lower layer headers. I just think that this is too much to ask for from an ordinary developer. Hence, I would suggest to use a different metric so that the developer can be certain that at least from a DTLS/TLS layer there are not records being sent that exceed the indicated threshold. If you think that this idea is worthwhile to entertain then I will make a proposal. Ciao Hannes
- [TLS] draft-ietf-tls-record-limit-01 Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-record-limit-01 Hubert Kario
- Re: [TLS] draft-ietf-tls-record-limit-01 Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-record-limit-01 Martin Thomson
- Re: [TLS] draft-ietf-tls-record-limit-01 Hubert Kario
- Re: [TLS] draft-ietf-tls-record-limit-01 Martin Thomson