Re: [TLS] Some comments about draft-ietf-tls-applayerprotoneg-01

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 01 July 2013 23:31 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 240B811E830C for <tls@ietfa.amsl.com>; Mon, 1 Jul 2013 16:31:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.467
X-Spam-Level:
X-Spam-Status: No, score=-0.467 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwF2iJVhgjrw for <tls@ietfa.amsl.com>; Mon, 1 Jul 2013 16:31:16 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0235.outbound.protection.outlook.com [207.46.163.235]) by ietfa.amsl.com (Postfix) with ESMTP id 9CA0211E82E2 for <tls@ietf.org>; Mon, 1 Jul 2013 16:31:16 -0700 (PDT)
Received: from BL2FFO11FD018.protection.gbl (10.173.161.202) by BL2FFO11HUB030.protection.gbl (10.173.161.54) with Microsoft SMTP Server (TLS) id 15.0.717.3; Mon, 1 Jul 2013 23:31:07 +0000
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD018.mail.protection.outlook.com (10.173.161.36) with Microsoft SMTP Server (TLS) id 15.0.717.3 via Frontend Transport; Mon, 1 Jul 2013 23:31:07 +0000
Received: from db9outboundpool.messaging.microsoft.com (157.54.51.113) by mail.microsoft.com (157.54.79.180) with Microsoft SMTP Server (TLS) id 14.3.136.1; Mon, 1 Jul 2013 23:30:33 +0000
Received: from mail220-db9-R.bigfish.com (10.174.16.240) by DB9EHSOBE034.bigfish.com (10.174.14.97) with Microsoft SMTP Server id 14.1.225.23; Mon, 1 Jul 2013 23:30:31 +0000
Received: from mail220-db9 (localhost [127.0.0.1]) by mail220-db9-R.bigfish.com (Postfix) with ESMTP id 9C396800EA for <tls@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Mon, 1 Jul 2013 23:30:31 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT003.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -20
X-BigFish: PS-20(zz9371I148cI542I4015Izz1f42h1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1033IL8275dhz31h2a8h668h839h944hd24hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1ad9h1b0ah1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh17ej9a9j1155h)
Received-SPF: softfail (mail220-db9: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=Andrei.Popov@microsoft.com; helo=BL2PRD0310HT003.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(52604005)(13464003)(164054003)(189002)(199002)(377454003)(74366001)(69226001)(79102001)(4396001)(76482001)(77982001)(80022001)(47736001)(65816001)(76796001)(50986001)(31966008)(63696002)(53806001)(47976001)(59766001)(49866001)(56776001)(74876001)(56816003)(74662001)(77096001)(81542001)(76576001)(51856001)(46102001)(74316001)(76786001)(54316002)(83072001)(33646001)(74502001)(47446002)(54356001)(81342001)(74706001)(16406001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB196; H:BL2PR03MB194.namprd03.prod.outlook.com; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail220-db9 (localhost.localdomain [127.0.0.1]) by mail220-db9 (MessageSwitch) id 1372721428728708_27011; Mon, 1 Jul 2013 23:30:28 +0000 (UTC)
Received: from DB9EHSMHS007.bigfish.com (unknown [10.174.16.232]) by mail220-db9.bigfish.com (Postfix) with ESMTP id ACEFA20045; Mon, 1 Jul 2013 23:30:28 +0000 (UTC)
Received: from BL2PRD0310HT003.namprd03.prod.outlook.com (157.56.240.21) by DB9EHSMHS007.bigfish.com (10.174.14.17) with Microsoft SMTP Server (TLS) id 14.16.227.3; Mon, 1 Jul 2013 23:30:28 +0000
Received: from BL2PR03MB196.namprd03.prod.outlook.com (10.255.230.155) by BL2PRD0310HT003.namprd03.prod.outlook.com (10.255.97.38) with Microsoft SMTP Server (TLS) id 14.16.324.0; Mon, 1 Jul 2013 23:30:23 +0000
Received: from BL2PR03MB194.namprd03.prod.outlook.com (10.255.230.142) by BL2PR03MB196.namprd03.prod.outlook.com (10.255.230.155) with Microsoft SMTP Server (TLS) id 15.0.702.21; Mon, 1 Jul 2013 23:30:21 +0000
Received: from BL2PR03MB194.namprd03.prod.outlook.com ([169.254.14.98]) by BL2PR03MB194.namprd03.prod.outlook.com ([169.254.14.98]) with mapi id 15.00.0702.005; Mon, 1 Jul 2013 23:30:21 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Yoav Nir <ynir@checkpoint.com>, "tls@ietf.org list" <tls@ietf.org>
Thread-Topic: Some comments about draft-ietf-tls-applayerprotoneg-01
Thread-Index: AQHOcXYmoV9GvBkxHECtNVUf6mHhEZlQdzOg
Date: Mon, 01 Jul 2013 23:30:20 +0000
Message-ID: <31987392d2a3412f8e3932dc61264c32@BL2PR03MB194.namprd03.prod.outlook.com>
References: <279FAAD4-1FF3-4D9D-939A-10D83E0B036E@checkpoint.com>
In-Reply-To: <279FAAD4-1FF3-4D9D-939A-10D83E0B036E@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:a:2:c085:5cb7:cd84:99c5]
x-forefront-prvs: 089473E5FE
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BL2PR03MB196.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%CHECKPOINT.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14MLTC102.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC102.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464003)(199002)(164054003)(189002)(52604005)(377454003)(50986001)(20776003)(47776003)(63696002)(16676001)(33646001)(23726002)(81542001)(46406003)(74316001)(4396001)(6806003)(65816001)(47976001)(47736001)(49866001)(83072001)(51856001)(80022001)(74706001)(79102001)(76482001)(69226001)(56816003)(54316002)(44976004)(81342001)(56776001)(76576001)(76786001)(76796001)(59766001)(50466002)(74366001)(46102001)(74662001)(74876001)(77982001)(47446002)(53806001)(54356001)(74502001)(31966008)(77096001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB030; H:TK5EX14MLTC102.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 089473E5FE
Subject: Re: [TLS] Some comments about draft-ietf-tls-applayerprotoneg-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2013 23:31:22 -0000

Hi Yoav,

Thanks for reviewing the draft.

Regarding the preference order of the protocol IDs, the language was intended to indicate that most of the time it makes sense for the server to choose according to the server's preferences; however an implementation may have valid reasons to ignore this and go with the client's order of preference (that's why SHOULD is used). We can change the wording, if this is not clear.

As for returning the protocol selection response, the idea is that an extension is optional, and can be ignored (e.g. when disabled, or for some implementation-specific reasons). I would rather retain this flexibility and keep MAY.

The current draft makes a distinction between IANA-registered protocol IDs and those not registered by IANA. The latter can be used privately, for experimentation, etc. We can devise a more elaborate namespace scheme if there is consensus in the WG that this would be desirable. Personally, I would rather keep it simple.

"hide" protocol ID seems to defeat the very purpose of hiding:). Those who are interested in hiding the negotiated protocol, usually don't want the intermediaries to be able to treat different protocols differently. E.g. proxies could easily filter out traffic which includes "hide" protocol ID.

Does it make sense to include a protocol list in the renegotiation handshake? I believe it is possible that one would want to renegotiate to a different application protocol.

Thanks,

Andrei

-----Original Message-----
From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Tuesday, June 25, 2013 12:33 AM
To: tls@ietf.org list
Subject: [TLS] Some comments about draft-ietf-tls-applayerprotoneg-01

Hi

I have read the draft, and think it is in good shape. There are some quibbles, however.

Section 3.1 says: 
  "ProtocolNameList" contains the list of protocols advertised by the
  client, in descending order of preference.
But section 3.2 says: 
  It is expected that a server will have a list of protocols that it
  supports, in preference order, and will only select a protocol if the
  client supports it.  In that case, the server SHOULD select the most
  highly preferred protocol it supports which is also advertised by the
  client.

It's not clear to me why the order of preference of the client makes any difference if the server chooses a protocol based on its own order of preference. I would remove that last sentence, and leave it up to the implementation whether it enforces its own order of preference (select the most preferred protocol that appears anywhere on the client's list) or the clients' (select the first protocol advertised by the client that you also support).


Section 3.1 has this rather confusing paragraph:
  Servers that receive a client hello containing the
  "application_layer_protocol_negotiation" extension, MAY return a
  suitable protocol selection response to the client.  The server will
  ignore any protocol name that it does not recognize.  A new
  ServerHello extension type
  ("application_layer_protocol_negotiation(16)") MAY be returned to the
  client within the extended ServerHello message.  The "extension_data"
  field of the ("application_layer_protocol_negotiation(16)") extension
  SHALL be structured the same as described above for the client
  "extension_data", except that the "ProtocolNameList" MUST contain
  exactly one "ProtocolName".

First, ClientHello and ServerHello extensions are pretty much the same (yes, I know the formatting sometimes changes), so there's no need to talk about "a new ServerHello extension type". Also, I can't figure out the MAY here. Not returning a response says that the server does not support this extension. A server compliant with this specification MUST send a response (or else a no_application_protocol alert). How about rewriting this as follows:

  Compliant servers that receive a client hello containing the
  "application_layer_protocol_negotiation" extension, MUST return a
  suitable protocol selection response to the client.  The server MUST
  ignore any protocol name that it does not recognize.  A 
  ("application_layer_protocol_negotiation(16)") extension MUST be 
  returned to the client within the ServerHello message.  The 
  "extension_data" field of the extension is structured the same as 
  described above for the client "extension_data", except that the 
  "ProtocolNameList" MUST contain exactly one "ProtocolName".



Section 3.1 also has this:
  Experimental protocol names, which are not registered by IANA, will
  start with the following sequence of bytes: 0x65, 0x78, 0x70 ("exp").
And this is repeated in section 4:
  A namespace will be assigned for experimental protocols, comprising
  byte strings which start with the following sequence of bytes: 0x65,
  0x78, 0x70 ("exp").  Assignments in this namespace do not need IANA
  registration.

I suggest a somewhat different namespace allocation:
 * Names that begin with "X-" (0x58,0x2D) are experiments, like "X-spdy/4"
 * Names that begin with "P-" (0x50,0x2D) are private, and shall have an organizational identifier, plus a protocol, like "P-MSFT-SSTP" or "P-CHKP-SNX"
 * Names that begin with "D-" (0x44,0x2D) denote drafts, and the rest of the byte string has the draft title minus the "draft" qualifier, for example "D-ietf-httpbis-http2-03". Since a slash (0x2F) is never part of the document name, a document that defines >1 protocols may add a slash and an internally-meaningful string, such as "D-ietf-httpbis-http2-03/no-header-compression"
 * IANA shall not assign any byte strings where the second byte is 0x2D. Such byte strings are reserved.



Section 4 says:
  Finally, by managing protocol selection in the clear as part of the
  handshake, ALPN avoids introducing false confidence with respect to
  the the ability to hide the negotiated protocol in advance of
  establishing the connection.  If hiding the protocol is required,
  then renegotiation after connection establishment, which would
  provide true TLS security guarantees, would be a preferred
  methodology.

How about making this more explicit. Add a special protocol called "hide", and have the client propose just that. They could even be using an anon-dh ciphersuite for that handshake. If "hide" is selected, no application data is tolerated within it, and the client MUST immediately renegotiate with a proper list of protocols. 

If both of my previous suggestions are accepted, I would change the initial registry to contain just "http/1.1" and "hide" for starters, as the spdy experiment can be accommodated by "X-" prefix, and the draft versions of HTTP/2.0 can be accommodated by "D-" prefix.



Finally, the end of section 3.1 says this:
  Unlike many other TLS extensions, this extension does not establish
  properties of the session, only of the connection.  When session
  resumption or session tickets [RFC5077] are used, the previous
  contents of this extension are irrelevant and only the values in the
  new handshake messages are considered.

This does not mention renegotiation. Suppose we are already running application data, and the client initiates a renegotiation. Makes no difference if this is of its own accord or because of a HelloRequest sent by the server. Does it make any sense at all to include a protocol list in the renegotiation handshake?

Yoav




_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls