Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting

Michael StJohns <msj@nthpermutation.com> Sun, 16 March 2014 23:47 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67A801A0210 for <tls@ietfa.amsl.com>; Sun, 16 Mar 2014 16:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ewt5sXRGAPkL for <tls@ietfa.amsl.com>; Sun, 16 Mar 2014 16:47:31 -0700 (PDT)
Received: from mail-ee0-f49.google.com (mail-ee0-f49.google.com [74.125.83.49]) by ietfa.amsl.com (Postfix) with ESMTP id 7DBE01A020B for <tls@ietf.org>; Sun, 16 Mar 2014 16:47:31 -0700 (PDT)
Received: by mail-ee0-f49.google.com with SMTP id c41so3507594eek.36 for <tls@ietf.org>; Sun, 16 Mar 2014 16:47:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=Yv7iKYmqmdDQmSEOmcLAF/NKCBLnW793Cl/lon/lE+A=; b=IKKQOgQzoG3Y0TE72OBGfZBrIdMGo/zWk5afvMV7F0RtkQ0qbiN5LB1KJ24MfQrgDX W9jlyjNFUjjPeVZaAdeRJVLuOjb9I7+5WYAObhoZHWerS7xHLLAEueRmE2NlIi44wLRK Uw2lcYMN1OgFxPrqzs0kLuTs7Eouy8vlGq1krt+MKi1FF7dmQOJDUDiQHTPbsXOHmKkj 46gZZs1kI8VJFpJwSP633g42flsRbRGCEgrHClDLzlxL7HIi+JZ/Wbvmv91D/b2SNLWk UL8p/12/rx/iK0fd+rGKveBaIC9TdV9DpKb75n91KnI8JzTn80QS6ROy2+kDn6SVQXNd rh2g==
X-Gm-Message-State: ALoCoQloTGVy43+j4xL4Q99xe/OlAxyyzHm29dNG0tW2tJ5WG8OAcWdtYcJGRUaMxtwBQC2NVLP7
X-Received: by 10.15.32.206 with SMTP id a54mr20228153eev.51.1395013643222; Sun, 16 Mar 2014 16:47:23 -0700 (PDT)
Received: from [192.168.1.105] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id 46sm35582166ees.4.2014.03.16.16.47.21 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 16 Mar 2014 16:47:22 -0700 (PDT)
Message-ID: <53263807.9020005@nthpermutation.com>
Date: Sun, 16 Mar 2014 19:47:19 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Erik Nygren <erik+ietf@nygren.org>
References: <5325DDA0.9030006@nthpermutation.com> <CACsn0cmLJJGw5cKmbnUT9tftEd0tn4cJQcf1WN7VQQc1GeO-aA@mail.gmail.com> <53260C51.10407@nthpermutation.com> <CAKC-DJjnyZqBN8d4emetYvdWB281bmfvunjonxTiCRF5-tznMg@mail.gmail.com>
In-Reply-To: <CAKC-DJjnyZqBN8d4emetYvdWB281bmfvunjonxTiCRF5-tznMg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vOLzNJJ7lww7PL_E0j1PU39uerU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Mar 2014 23:47:33 -0000

On 3/16/2014 5:31 PM, Erik Nygren wrote:
> Pros helping the passive anti-privacy attacker:  they also have server 
> IP address to constrain the problem space by, plus TLS 1.2 SNIs so if 
> there are a 100k hostnames behind the middlebox then that's their 
> search space.
>
> Pros helping the DDoS attacker: they can just send random hash+opaque 
> values.  The middle box needs to then calculate the hash for all of 
> the hostnames (eg, perhaps 100k in the same scenario above).

I don't disagree with any of your points (but there's always a tradeoff 
between DOS protections and negotiation protections), but I wanted to 
focus on the 100K.

The question is - if the SNI is encrypted from the client to the end 
system, how do the end systems communicate with the middle box to pass 
on their key info and keep it up to date - not on a per-box 100K basis, 
but on a 100K times the number of connections per box?

I think what we're getting to is that if we have a system where there is 
a middle box, then neither of these approaches makes a lot of sense for 
the scale you're talking about?

Mike