Re: [TLS] draft-thomson-tls-record-limit-00
Martin Thomson <martin.thomson@gmail.com> Wed, 05 April 2017 11:46 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EC06129415 for <tls@ietfa.amsl.com>; Wed, 5 Apr 2017 04:46:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0X1BU-sGQ5k5 for <tls@ietfa.amsl.com>; Wed, 5 Apr 2017 04:46:51 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C80127333 for <tls@ietf.org>; Wed, 5 Apr 2017 04:46:51 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id d10so8131461qke.1 for <tls@ietf.org>; Wed, 05 Apr 2017 04:46:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dBqNecnCT9rDU+I4CkdwSt/l3gdBsylhgCmT+FioQX0=; b=I/bxVQswMwc5hNlpByRQ3BCHoSIJEOjuK93TSivYZRi/YlZkb7EZsxWXp+6qYS8PAz gPUtZoisRv+FwaclcUiD4yVdLJpjwFh2FSKxV9pP8GQaY85A8Q4JcyZ+9c7LddyX/ocd PCjPBc1c6maHy8lry8Orw5tuKJDgKVyOi9b233pclvjT0dArF58bucPtT+R2eTJ1m3Pm fuGLTCEJHAImeJuCNZRRQGiNz4/iEaH88qhxMZAKwKr0SDVVC3I8zVUyjxWUAQNTmJWF NC+12D/ECovBCsH2uEsaCjt5vxinfmLT9ak6Oatm+C0rkbPfXHSxCv1dIymwdvzZR/Sz UrCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dBqNecnCT9rDU+I4CkdwSt/l3gdBsylhgCmT+FioQX0=; b=D3CmaSkc1BpJ2vDodfe+npnPxSwSaYgH21H/drC9HFa53ldYKpJykhPrioNe9fGMhR 2P28fFBYfmMmj6ncCuf3KEV4TvgS7SY+olouY4GAG120AkgWbWKLjcUapZa5n8sjZlu3 5JIKh6Sb3CIK7Mme4p849R8iv49AloMqERqUX/1rcECr2xNM77qExK+3G+l2eJ94pHgZ lnZsqhVORBocV735r1YQDSCljsCNS56WxJENW9kLD/4djjaBtnFpZSHUFjytq9kfRVIF es9nzpLgmsUPIHFQ8VyNRES4ecp+zvvcD3izmOx1SaID2utFDvloPmXR5TFbeixrNVeD O1Kg==
X-Gm-Message-State: AFeK/H3WptzHYXAxNGwIpWHXjYwQRl+qQrzhp9b5+5wwZ/WqyIaJq4xaqjSmCAGGbwDxovn2cgbxJeQA4ySb4w==
X-Received: by 10.55.179.66 with SMTP id c63mr18753863qkf.147.1491392810182; Wed, 05 Apr 2017 04:46:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.27.194 with HTTP; Wed, 5 Apr 2017 04:46:49 -0700 (PDT)
In-Reply-To: <20170328140056.GA1861@bolet.org>
References: <CABkgnnXEVq20HFxHjeH0XXOG5SeWy7YEiUWCN-6Q1gDEeSeEoQ@mail.gmail.com> <20170328140056.GA1861@bolet.org>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 05 Apr 2017 21:46:49 +1000
Message-ID: <CABkgnnX4vHu_KwRSvDu_dFg-xky-VtP8doa=QnkLoT9JD4zgNA@mail.gmail.com>
To: Thomas Pornin <pornin@bolet.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/t6Ca6VRnsUJLkXAq63-FQYnJa0w>
Subject: Re: [TLS] draft-thomson-tls-record-limit-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2017 11:46:53 -0000
Hi Thomas, Sorry for taking so long to get back to this. https://github.com/martinthomson/tls-record-limit/pull/1 covers the major changes. I decided to add a section covering the expansion issue so that I could do it justice. I was going to write more, then I realized that the dumb approach is probably safest: pad to get to record_size_limit or less, then pad to reach the block size. Attempting to explain what to do in more detail was only making it less clear. I've added a commit that should fix my error. It makes it clear that the problem for constrained servers even more acute: https://github.com/martinthomson/tls-record-limit/commit/5051d510471014f172b On 29 March 2017 at 01:00, Thomas Pornin <pornin@bolet.org> wrote: > On Tue, Mar 28, 2017 at 06:35:24AM -0500, Martin Thomson wrote: >> I just submitted a version of the draft we've discussed a little on >> the list. >> >> I don't think we concluded the discussion about what to do about block >> cipher padding. > > I don't have strong preferences on this, but I would incline toward > using the plaintext length in the extension. In any case, adding a > longer-than-necessary padding in order to defeat traffic analysis does > not make sense if it expands the size beyond the minimal record size for > a full record (i.e. if an endpoint wants to add extra padding bytes to a > record with 16384 bytes of padding, it is only _revealing_ extra > information, not hiding it). > > I suggest altering this paragraph: > > The size limit expressed in the "record_size_limit" extension doesn't > account for expansion due to compression or record protection. It is > expected that a constrained device will disable compression and know > - and account for - the maximum expansion possible due to record > protection based on the cipher suites it offers or selects. Note > that up to 256 octets of padding and padding length can be added to > block ciphers. > > into this: > > The size limit expressed in the "record_size_limit" extension doesn't > account for expansion due to compression or record protection. If > and endpoint advertises a size limit which is lower than the > protocol-defined limit, then the peer SHALL NOT send a record whose > final, protected size exceeds that of the minimal protected size of a > record that contains exactly "record_size_limit" plaintext bytes and > uses no compression. > > For instance, if using TLS 1.2 and a cipher suite that mandates > AES/CBC encryption and HMAC/SHA-256 for protection, and an endpoint > advertises a "record_size_limit" of 700 bytes, then the minimal > protected record size for 700 bytes of plaintext contents is 757 > bytes: > > - 700 bytes of plaintext > - 32 bytes for the HMAC/SHA-256 > - 4 bytes of padding to reach the next multiple of the AES block > size (which is 16 bytes) > - 16 bytes for the explicit IV > - 5 bytes for the record header > > The padding may have length 1 to 256 bytes as per protocol rules; > but in the presence of a "record_size_limit" of 700 bytes expressed > by the peer, an endpoint SHALL refrain from sending records whose > total protected size exceeds 757 bytes. > > It is expected that a constrained device will disable compression; > moreover, the practice of adding a longer-than-minimal padding is > done in order to defeat traffic analysis, and sending records longer > than the minimal size for full records is counterproductive (such a > record would reveal extra information to onlookers, and thus should > be avoided). > > ------------------ > > Another unrelated comment: in section 3, there is the following: > > The "max_fragment_length" extension is also ill-suited to cases where > the capabilities of client and server are asymmetric. The server is > required to select a fragment length that is as small or smaller than > the client offers and both endpoints need to comply with this smaller > limit. > > Actually, it is worse than that: per the wording of RFC 6066, if a > client advertises a length of L bytes, the server must respond with > _exactly_ the same length L; the server is not allowed to select a > smaller length. The relevant RFC text is: > > The "extension_data" field of this extension SHALL contain a > "MaxFragmentLength" whose value is the same as the requested maximum > fragment length. > > and it is reinforced some lines later: > > Similarly, if a client receives a maximum fragment length negotiation > response that differs from the length it requested, it MUST also > abort the handshake with an "illegal_parameter" alert. > > The "max_fragment_length" extension is completely client-driven: it is > used only on the client's initiative, and uses the client's length. The > server's only choice is to accept the will of the client, or reject the > connection. Thus, it handles only the case of constrained clients > talking to big servers, not the other way round. > > > --Thomas Pornin
- [TLS] draft-thomson-tls-record-limit-00 Martin Thomson
- Re: [TLS] draft-thomson-tls-record-limit-00 Thomas Pornin
- Re: [TLS] draft-thomson-tls-record-limit-00 Martin Thomson