IETF Logo Mail Archive

Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

Benjamin Kaduk <bkaduk@akamai.com> Wed, 13 July 2016 00:41 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56A4012D0E1 for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 17:41:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.988
X-Spam-Level:
X-Spam-Status: No, score=-3.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D3k9sgPTwHTo for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 17:41:03 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id 3ACC712D541 for <tls@ietf.org>; Tue, 12 Jul 2016 17:41:03 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id B140F4336DF; Wed, 13 Jul 2016 00:41:02 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 88C1C4336D8; Wed, 13 Jul 2016 00:41:02 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1468370462; bh=EMLE3HfVeEbeY9CQiJm3SUKKeByTMyAp0XPE0vnnxj0=; l=4577; h=To:References:Cc:From:Date:In-Reply-To:From; b=I+zviFpfrFue8n5TqLgK/CcbVSHwk7FNb2JBl8lNPIwlSioR3IMx01SHS//Zz08Vk UIhVgpODy5/0El/a0bC17q5kJBQma2UORZYEbupRXHuHqJTHBJgv8rq7RVAMWnOT3U 8g4bAkFxfS/90pMVfe71qBRDe36aaK6xVJ/z0Ixw=
Received: from [172.19.0.25] (bos-lpczi.kendall.corp.akamai.com [172.19.0.25]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 496841FC9B; Wed, 13 Jul 2016 00:41:02 +0000 (GMT)
To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <20160712041624.GA30472@LK-Perkele-V2.elisa-laajakaista.fi> <57855399.70201@akamai.com> <20160712210732.GB32363@LK-Perkele-V2.elisa-laajakaista.fi>
From: Benjamin Kaduk <bkaduk@akamai.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <57858E1E.6040701@akamai.com>
Date: Tue, 12 Jul 2016 19:41:02 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <20160712210732.GB32363@LK-Perkele-V2.elisa-laajakaista.fi>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/txUd3UvmZ2YekC7Kh1Mrnjelie4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2016 00:41:06 -0000

On 07/12/2016 04:07 PM, Ilari Liusvaara wrote:
> On Tue, Jul 12, 2016 at 03:31:21PM -0500, Benjamin Kaduk wrote:
>> On 07/11/2016 11:16 PM, Ilari Liusvaara wrote:
>>
>> Requiring filtering would prevent the client from learning when the
>> server supports new schemes, but having the server not filter would
>> likely end up with the server "always" sending a big pile of stuff even
>> if the client has no idea that those schemes even exist.  So, on the
>> balance, I would go with filtering.
> What would the client do with unknown groups anyway? Dump a message
> to log?
>  

Basically.  One could contrive an example where the client software knew
about something but didn't normally send it, but that seems too
contrived to care about.

>
>>> Good luck with that...
>> It would be good to not repeat the mistake that is the 5-minute replay
>> window in Kerberos.  (So, shall we make "small tolerance" a concrete
>> value or otherwise give guidance?  5 seconds?  4xRTT? other?
>> But, IIRC, this check does not require absolute time agreement between
>> peers, only that their clocks advance at a similar rate.  If your clock
>> steps because you slept your laptop and you have to fall back to a full
>> handshake, oh well.
> In one piece of code I wrote, I pulled +-15s maximum (config can have
> tighter limits) out of thin air...
>
> And, actually, since failing 0-RTT time check is just 1-RTT delay
> (since in proper implementations it is not a fatal error).
>  

Right, so we can be relatively stringent in our guidance.

>
>>>> #### Replay Properties {#replay-time}
>>>>
>>>> There are several potential sources of error that make an exact
>>>> measurement of time difficult.  Variations in client and server clocks
>>>> are likely to be minimal, outside of gross time corrections.  Network
>>>> propagation delays are most likely causes of a mismatch in legitimate
>>>> values for elapsed time.  Both the NewSessionTicket and ClientHello
>>>> messages might be retransmitted and therefore delayed, which might be
>>>> hidden by TCP.
>>> I don't think variations in clocks are minimal...
>> Just to check: you mean the rate at which clocks advance, and not the
>> absolute number reported as the time?
> Correct. I should check the computers I have for what the tickrate
> approximately is (one curious observation: rebooting computer changes
> the tickrate(!)). I think I estimated 140ms/day drift for one of
> those (the others can be way worse). 
>
> However, the rate of change of the rate (2nd derivate of time reported
> relative to "true time" (one can for all practical purposes ignore
> SR and GR here)) should be small.
>  

Hmm, I would expect this second derivative to be sensitive to things
like the temperature of the oscillator (and thus not always small).

>>> I wonder what 95% timeskew interval per day is...
>>>
>>> (Oh, and have fun with leap seconds!)
>> It only matters how big the skew is relative to the acceptance window
>> and how long the ticket is valid for.  Which brings us back to what the
>> acceptance window is measured in...
> IIRC, maximum ticket validity is 7 days (but for some crappier clocks,
> that can be lots of drift).
>
> But likely TCP delays and such can cause bigger errors than slightly-
> bad clocks.

Hence my question about whether some multiple of (estimated) RTT would
be reasonable.

>> You would have an explicit whitelist of all (including encrypted)
>> extensions for the server, so that it chokes when a client starts
>> sending a new one?  Or just that it would not be considered for further
>> processing [and potential inclusion in ServerHello]?
> The opposite way: I would have client choke if server sends it extension
> outside those lists (TLS 1.3 clients are already supposed to choke if
> server sends them extension they don't know about, this is only extending
> it to per-messages lists).

That certainly makes sense.  I thought you also wanted a whitelist for
the server to use, and wasn't sure how that would work.

>>> This seems really obsolete. The timers have not been 18.2Hz for years, and
>>> applications running on operating systems damn better use OS services for
>>> random numbers, given that anything else is fraught with peril.
>>>
>> Sadly, there is a vocal minority of software implementors that insist
>> that the OS service is too slow and write their own.  But I agree this
>> section needs some work; I may be able to contribute some text.
> I think "SHOULD" would be suitable.
>  

Sure.

-Ben

v2.23.0 | Report a Bug | By Email