Re: [TLS] draft-dkg-tls-reject-static-dh

Töma Gavrichenkov <ximaera@gmail.com> Sat, 08 December 2018 16:49 UTC

Return-Path: <ximaera@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC2E9130E3B for <tls@ietfa.amsl.com>; Sat, 8 Dec 2018 08:49:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slVQ1FLKN0tR for <tls@ietfa.amsl.com>; Sat, 8 Dec 2018 08:49:26 -0800 (PST)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF793130DE8 for <tls@ietf.org>; Sat, 8 Dec 2018 08:49:26 -0800 (PST)
Received: by mail-yb1-xb34.google.com with SMTP id f9so54712ybm.13 for <tls@ietf.org>; Sat, 08 Dec 2018 08:49:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=trYe0eAPk5mi18jwA26uFPawKF1SAoi0qJlU2TuaNOI=; b=kf31EG98CxgcYW9bh1HKUx3PhdHP6+x+RyjtolNmG2VDu5uPGaRkUd947ZoSw/QyvB +jYvazswv9nakXRW9FKorjGNWdt0vaj3IEObdoVNt2JJacxeGE7Gn/aPHa2gCksDcEUP pMYp56aCCrhP8Lx6lNFsjg1REHUWq1vjjWUsARgqV+8WzIL9dU3JWJJmd46kHJ91chri kBrSC5LKko+X8lzms9eUDyA5vjViqWyub7Nk+L9OBhbvb2cuqZdex4AYz14v7BabN3I+ GtoYJH8dUjWOpItzkmHPYwijl6WX73kfS7ESAU6G1pjaFn5uxOOhmdarIiAovph+y0JM mFGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=trYe0eAPk5mi18jwA26uFPawKF1SAoi0qJlU2TuaNOI=; b=ru0pDPlbRu4zA7eaMEWGm0gKPqkXP2H20j7xzo3JRo23KNIe7icKzq79rAXxc66naY r/vNIwZ2vaFw2XqOjwf9ABhhI/LyWANp5mQE9DOOE8974fw9/+m4SmRXCHPGOE3zavtM /Us42RAStCYgvw7gewQ6ptSH0kvwNwpG1QO3c5nHcCfS2+C3dAejFK0XmFSOMOSblI9+ I5RnIZoDJB5nKFnx/xvwb8ZKOwMlpkMWcti8PTG4avYOIZpBo/iHOeJrmONoy9/k9cPO 13ztlpEI3CK1I4gXfbE9pccsLon2ao6dT0YAmPigaKYV0ClybBQhYCBtThkRn/jXLjSS 3fYw==
X-Gm-Message-State: AA+aEWbOSy5FWg5glf5sJZrQtq0wrrCz3WAeRefa/kycVz6EX87O2Fqq kY+0x3lVuA4Y3SaLrwebENDdvPiU6Nkj2Ipa/Yzd/MyA
X-Google-Smtp-Source: AFSGD/XjbCxFY+9lSKCLkiwhB/ZEVrc6MAX1L67Bpcvfg4+ig3TQFXICG3g0BhOGXv0ntIrjGs7ozrhRnO0Ic8Rub4c=
X-Received: by 2002:a5b:d06:: with SMTP id y6-v6mr6247754ybp.147.1544287765770; Sat, 08 Dec 2018 08:49:25 -0800 (PST)
MIME-Version: 1.0
References: <9a9be8fb-9667-0c6a-9fac-cc167f94599f@cs.tcd.ie> <1677fd00312.126588f7d311133.5876875696654149093@nerd.ninja> <9D8FEAB5-B06F-42B8-9C3C-B3E8CC4BAEF9@dukhovni.org> <1677fe8d22f.1122a5066314965.3351079353052065811@nerd.ninja>
In-Reply-To: <1677fe8d22f.1122a5066314965.3351079353052065811@nerd.ninja>
From: Töma Gavrichenkov <ximaera@gmail.com>
Date: Sat, 08 Dec 2018 19:49:14 +0300
Message-ID: <CALZ3u+b3dej3RDqNbk4grXFbrhYrhU4NwQkCbgMQavfEsKM_Kg@mail.gmail.com>
To: r@nerd.ninja
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/v_CqCy0UOfl_7_bsDaDThuB8Qfw>
Subject: Re: [TLS] draft-dkg-tls-reject-static-dh
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Dec 2018 16:49:29 -0000

On Wed, Dec 5, 2018 at 10:47 PM R duToit <r@nerd.ninja> wrote:
> 2. The DoS (prevention) engineers should also weigh in on this.  Would servers not start reusing TLS 1.3 keyshare values when under DoS attack?

DDoS (mitigation) engineer here,

I'll reiterate the idea I've raised before in quic-wg. The operation
of a server (or a client, because a client could be attacked too)
under a DDoS attack should be as close to a normal way of operation as
possible. Every single case where it's different should be seen as
opening a motivation for an attacker to hunt exactly for that
difference. E.g. if you add RTTs under an attack, then an attacker can
play with jitter, or make your server appear slower for clients than
their server (assuming the attack is ordered by your market
competition).

(This is by the way the reason why fast open wasn't a nice idea from
the DDoS mitigation perspective)

So no. TLS keyshare reuse is visible from the attacker's point of
view, so must not be done under a DDoS attack.

| Töma Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: ximaera@gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58