Re: [TLS] A question for TLS middle-box/middleware vendors/implementers
"Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com> Sun, 28 January 2018 10:19 UTC
Return-Path: <thomas.fossati@nokia.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EB9F12E91F for <tls@ietfa.amsl.com>; Sun, 28 Jan 2018 02:19:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UWC4ezJa8jsQ for <tls@ietfa.amsl.com>; Sun, 28 Jan 2018 02:19:37 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0128.outbound.protection.outlook.com [104.47.1.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1B3312E87C for <tls@ietf.org>; Sun, 28 Jan 2018 02:19:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=z71SB+JUeHpD4MpYpMhJhLTk6vAexAe1HWGDrBmiuqA=; b=OzjHcrJyxLF/TkpIJQE1FoUKT44LUJ8sKS/BLdIN5drkQWJYQABC/cCm1q0aoV8RtLLa2eOQmFlW7K7+BOhCkYWEvnwZV+vg5RzZwRillWHHhyZ8HyB5MYJ8DOyyGLMhiRN1C6l2Ov4Ds4AOMVS7LafMyqCmDvKDd+F3sXNxEqM=
Received: from DB3PR07MB0747.eurprd07.prod.outlook.com (10.160.53.12) by DB3PR07MB0524.eurprd07.prod.outlook.com (10.160.44.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.464.6; Sun, 28 Jan 2018 10:19:33 +0000
Received: from DB3PR07MB0747.eurprd07.prod.outlook.com ([fe80::92d:a5e9:3083:3dbf]) by DB3PR07MB0747.eurprd07.prod.outlook.com ([fe80::92d:a5e9:3083:3dbf%13]) with mapi id 15.20.0464.008; Sun, 28 Jan 2018 10:19:32 +0000
From: "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>
To: Yoav Nir <ynir.ietf@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>, "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>
Thread-Topic: [TLS] A question for TLS middle-box/middleware vendors/implementers
Thread-Index: AQHTl4wVsEsS32ldTEGo2Z4sXyi6/aOIG8sAgAD4FYA=
Date: Sun, 28 Jan 2018 10:19:32 +0000
Message-ID: <C5300BCB-190F-432C-9CB2-BE349708176C@nokia.com>
References: <7CC4F5F0-DCC1-420E-B91A-A4D5B9FC5D53@nokia.com> <AC31F5BD-A6CA-4F56-A181-BE84F9EF3F4E@gmail.com>
In-Reply-To: <AC31F5BD-A6CA-4F56-A181-BE84F9EF3F4E@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.9.0.180116
authentication-results: spf=none (sender IP is ) smtp.mailfrom=thomas.fossati@nokia.com;
x-originating-ip: [88.111.107.3]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DB3PR07MB0524; 7:AdztY99vJ4NadJzV76x6PvoeMt1W9xlTqTixKGEoqXhqevpDGhnWT+1T7D2U3xVkD6ywS0qfYPRbK+N8cP/XVsNy82aVF+SJdFTeDUQh02QoDEame2Gt/nQvD75AMCBaT5UeZkqoU44KU7J83fEnj3Xs1GfDzYC5usKdQdTtCk0JfsZTdeRWWDRgmNbR+OdyiDMi/+zv2UodIzNHyOAYP2kkovgY1phpqGKWvi8ttD3TDBM0+OG9DHAT3/G3ODda
x-ms-exchange-antispam-srfa-diagnostics: SSOS;SSOR;
x-forefront-antispam-report: SFV:SKI; SCL:-1; SFV:NSPM; SFS:(10019020)(346002)(39860400002)(396003)(366004)(39380400002)(376002)(51914003)(189003)(199004)(2906002)(478600001)(97736004)(14454004)(102836004)(53546011)(6506007)(59450400001)(76176011)(7736002)(305945005)(26005)(3846002)(82746002)(86362001)(6116002)(5660300001)(83716003)(105586002)(81166006)(8676002)(8936002)(2900100001)(6436002)(6512007)(53936002)(5250100002)(6486002)(68736007)(33656002)(4326008)(6916009)(66066001)(2950100002)(81156014)(106356001)(36756003)(58126008)(229853002)(316002)(3660700001)(107886003)(3280700002)(54906003)(83506002)(186003)(25786009)(99286004)(6246003)(39060400002); DIR:OUT; SFP:1102; SCL:1; SRVR:DB3PR07MB0524; H:DB3PR07MB0747.eurprd07.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: dad3e91e-1971-423b-357c-08d566389fe0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7193020); SRVR:DB3PR07MB0524;
x-ms-traffictypediagnostic: DB3PR07MB0524:
x-microsoft-antispam-prvs: <DB3PR07MB05248D06FD84AE6B8E3D5E0780E60@DB3PR07MB0524.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(85827821059158);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(5005006)(8121501046)(93006095)(93001095)(3231101)(11241501184)(806099)(2400081)(944501161)(3002001)(10201501046)(6055026)(6041288)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(6072148)(201708071742011); SRVR:DB3PR07MB0524; BCL:0; PCL:0; RULEID:; SRVR:DB3PR07MB0524;
x-forefront-prvs: 05669A7924
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 4mNPOC5OKskr5cYFJODQHa67rkiIqQZYp5xi5oUN/cCUIKz+6/GpNDSuLUO83eP7YoRLbN6mGGqoOkNq/eagZJUeJdFgyvqPcCq22NG4zfJm5RQcc7aH1oY4ouApyhUO
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <36B08D6A4BB72445944C30671A1D28F8@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: dad3e91e-1971-423b-357c-08d566389fe0
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jan 2018 10:19:32.8172 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3PR07MB0524
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sVrV9SqGHkYeNsW6b7GbKOMp41E>
Subject: Re: [TLS] A question for TLS middle-box/middleware vendors/implementers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jan 2018 10:19:39 -0000
Hi Yoav, Thanks for the answers - much appreciated. On 27/01/2018, 19:31, "Yoav Nir" <ynir.ietf@gmail.com> wrote: > The length field is byte-aligned. So any implementation of a TLS > parser or TLS proxy will do one of two things: > > 1. Consider the MSB to be a must-be-zero bit and drop any length field > that has it set as faulty. > > 2. Ignore text about limits on length and assume the record is that > big. Depending on what field that is, this may cause a drop on some > other sanity check. > > As always there’s option #3 (crash), but the industry is getting > better at avoiding that. > > You seem to want the behaviour that the middlebox masks out the > must-be-zero bits and considers only the relevant length bits. I don’t > think that would pass code review at my former employer. What I was thinking was rather "once handshake is done and client has successfully passed the SNI checks, just blindly copy the byte stream across." I had this specific mental model (that of an HTTPS filter) in my head, which of course is just one of many. If the use case is "check for data exfiltration or covert channels", then the box is probably going to be a fully-fledged interception proxy. In that case the parser can't be sloppy, and the bit will not go through unnoticed (as you correctly note above). But - pardon a naive mind - these look like the kind of boxes that you can't just switch on and forget about. Instead, I'd imagine you need to keep their release cycle aligned with that of the endpoints, especially browsers, which tends to be pretty aggressive. (But yes, one thing is the vendor release cycle, and a completely different one is the network operator's upgrade schedule...) Since you are here, and you have amassed a considerable amount of wisdom in this space, I have a further question: Is, in your opinion, DTLS in a better spot than TLS WRT the use of that bit? Cheers and thanks again
- [TLS] A question for TLS middle-box/middleware ve… Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] A question for TLS middle-box/middlewar… Yoav Nir
- Re: [TLS] A question for TLS middle-box/middlewar… Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: [TLS] A question for TLS middle-box/middlewar… Yoav Nir
- Re: [TLS] A question for TLS middle-box/middlewar… Fossati, Thomas (Nokia - GB/Cambridge, UK)