IETF Logo Mail Archive

Re: [TLS] Solving HRR woes in ECH

Ben Schwartz <bemasc@google.com> Fri, 26 March 2021 13:44 UTC

Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B4E13A1F13 for <tls@ietfa.amsl.com>; Fri, 26 Mar 2021 06:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yHmuzz4NqZB7 for <tls@ietfa.amsl.com>; Fri, 26 Mar 2021 06:44:46 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1162E3A1F2A for <tls@ietf.org>; Fri, 26 Mar 2021 06:44:43 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id j7so5734067wrd.1 for <tls@ietf.org>; Fri, 26 Mar 2021 06:44:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YLAtd8mydvfntiDWdUB503P7gJyCgjjgW2d4sg8k5WE=; b=pKT6PSynWJ3cDXEqEZ33MfLuDtmKSv10JKjQKxXgOWaBIZjRk9lAjsT1oVKJtXRe90 P8Ye0dj1gQprtv4PvaI/Z2knlPW3P/EOakOPZVQvmDYMEpEW45CpMqTVLiscDWVEK1k1 rtNjwo4vgTGIl8bGNNHMzVlby7aKL9EK/qlDIkhWT5Fkjz1w3/iDTzz5Y0BujQsGeMXo nL3JxiTpvz/OuRZoaVGuxL6MVp2EZBL4lQIqKazZ4ZwoqoQzNtKD7ohRBNiNhDX7/ToM cOQ5hGiPYuwb3SaAurpqZRK9R5KOoGRQbe4Ivn1kxLHVDvu219mW+55fRUmIlnPJL4dJ l6ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YLAtd8mydvfntiDWdUB503P7gJyCgjjgW2d4sg8k5WE=; b=Kw/ZZN6WOvTPQk1/Mt/l/iG08fl9wgnXVEMOGTiD73EnD4IgFfV9JZF6wTE92BswBx yAh+0oJiUS3Zfq+CctSyFlhYJx4FyurqDmEgkLvYPorgn03aVTbo0hB/P07j5OZ5r+l3 O1hHoNFmFC+9mMuoYwcatSdHjBbq6gZDS0lxWoVE9wtmQClOOPC1UvmP5RnGVE5SP9pw f7FfL225x+R2/333LPIDfv+SvzfmhQ8wLtuBNGcrZrpI1vKbjQaLYnIxVbkvaYbt5nUH M8b0YM+8gRuZ3zog63zo85eZoDc/KGrDYLHiI6mLTCf5hD7QRvf8vlnEGV+JrPiwCAHD s6qA==
X-Gm-Message-State: AOAM532smlI433VRHkBT+cakiUGyQxgJNXOBS0CZFyK0UqaajlYkObY1 xWA4Cb3VVS9luwnU1Vhl8w1x5Hb7bkGTWAxUOvtCzarFCls=
X-Google-Smtp-Source: ABdhPJzIY0j6foNlEBRHZIhPYYkdguoC9rp1aqYkz0o6D0jgX8Jqaop+TebMwO2F7wdgQSOqzRvvDUWHUem4KnoSeVE=
X-Received: by 2002:adf:ee0a:: with SMTP id y10mr13986804wrn.177.1616766280954; Fri, 26 Mar 2021 06:44:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi20utVzjUnTAWcRSxbhjexhJLvZ9aHT--nn_5jk82MRt=g@mail.gmail.com> <CAFDDyk_0NdYvaXgnUp21DkxTogUJrhN4xwEtnVNTkXvhzKKOGw@mail.gmail.com>
In-Reply-To: <CAFDDyk_0NdYvaXgnUp21DkxTogUJrhN4xwEtnVNTkXvhzKKOGw@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Fri, 26 Mar 2021 09:44:28 -0400
Message-ID: <CAHbrMsA4ng7nJj-O+H0uhC6qULsP7jgiFD8gT-S6Lcmfq+k9Ow@mail.gmail.com>
To: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
Cc: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000e1a68b05be70bb4f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/w8AEA-pQZFVOWsWH4HuwpwNSa70>
Subject: Re: [TLS] Solving HRR woes in ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 13:44:49 -0000

This seems like a reasonable suggestion to me, so long as the value is
purely a "hint", as you seem to be proposing.  I would suggest structuring
it as an ECHConfig extension.  This would avoid the need for multiple
points of integration between TLS and DNS, support the use of HRR hints in
other ECH use cases that don't involve DNS, and help to exercise the
ECHConfig extension mechanism.

On Thu, Mar 25, 2021 at 9:28 PM Nick Sullivan <nick=
40cloudflare.com@dmarc.ietf.org> wrote:

> Hi Chris,
>
> HRR in ECH does seem challenging. This may be tangential to the PR you
> linked, but there may be a way to reduce the likelihood of HRR by moving
> even more of the handshake negotiation into DNS. The HTTPS RR is already
> used for some types of negotiation (ALPN and ECH key), so why can't it be
> extended further to advertise to the client what the server is willing to
> support for cryptographic negotiations?
>
> For example, the HTTPS record could additionally contain the server's
> supported supported_groups and cipher_suites. With this information, a
> client could know which key_share extensions a server is likely to accept
> and adjust its clienthello accordingly. A client who typically sends two
> key_shares (P256 and x25519) for maximal compatibility could then reduce
> the size of its client hello (no need to send redundant key_shares) or even
> prevent an HRR flow altogether in the case that the default key_shares or
> cipher_suites are not supported by the server.
>
> This tweak wouldn't remove the need for HRR completely -- it could be
> necessary when changing server configuration, for example -- but it could
> remove the need for HRR in the common case.
>
> Nick
>
> On Thu, Mar 25, 2021 at 8:05 PM Christopher Patton <cpatton=
> 40cloudflare.com@dmarc.ietf.org> wrote:
>
>> Hi all,
>>
>> One of the open issues for ECH is how it interacts with HelloRetryRequest
>> (HRR). The central difficulty is that a client may advertise different
>> preferences for HRR-sensitive parameters in the ClientHelloInner and
>> ClientHelloOuter. And because the HRR path has no explicit signal of which
>> ClientHello was used, the client may not be able to know how to respond.
>> The following PR solves this problem by adding to HRR an explicit signal of
>> which ClientHello was used:
>> https://github.com/tlswg/draft-ietf-tls-esni/pull/407
>>
>> The design was originally proposed by David Benjamin in the issue
>> referenced by the PR. Along the way, It also solves a handful of other HRR
>> issues that have been identified.
>>
>> One consequence of this particular solution is that real ECH usage
>> "sticks out" if the server responds with an HRR. In particular, signaling
>> which ClientHello was used also signals whether ECH was accepted. However,
>> the solution is designed to mitigate "don't stick out" attacks that attempt
>> to trigger the HRR codepath by fiddling with bits on the wire. The
>> distinguisher only arises when HRR happens organically.
>>
>> Feedback is appreciated!
>>
>> Best,
>> Chris P.
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email