Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?
David Benjamin <davidben@chromium.org> Tue, 18 December 2018 21:01 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61FEB13116F for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:01:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.563
X-Spam-Level:
X-Spam-Status: No, score=-9.563 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HMTehWFb6U07 for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:01:20 -0800 (PST)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87F4F130F63 for <tls@ietf.org>; Tue, 18 Dec 2018 13:01:20 -0800 (PST)
Received: by mail-qt1-x829.google.com with SMTP id k12so19833538qtf.7 for <tls@ietf.org>; Tue, 18 Dec 2018 13:01:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=bx59bhQ2TBaV/YyV35eP8+MxkiyW60b9k3kyyPx3jwU=; b=UnWjXC96vYumoMYlR73JXP+T+MKqusunWWRZutsa8gtJdO5MBEEo1hTViDiLAudfmR ZDbsn/G5GNOFvZ/KaWAUr+OEf7YXCgo65xS/eRLeo3kqCb7QGy25Qowwn6tXmy83t8/l DbbbDh66DCC8ztY71Lza76pPB0K5023cpR2bE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=bx59bhQ2TBaV/YyV35eP8+MxkiyW60b9k3kyyPx3jwU=; b=cEZLXAXuRv3gNsGAdh7kd6OuKuDGkN/NeDXtgHia7GDrKTNbIZxzdNjLPPKTqo4HUV PnssO4RytR30+Gb+l2WvL6gFlzTft/wHp5aJIwY+WHCsNq5GtwTxa2f6wnB5eCrVcGIX 80M5SkC48xNoxhhT/4myc1ZUzh2K2V8s8prXWLIEsd6qE69i8wyeJ6GyZ6MOhLtG+yYt AiU4r6yt6NawYzOQHt/ScWVHN6TJ4/weK4oVUvl+pP6RDQzRnxuK387iifn7e9/2TVpq IN1Ee34QRzUMpnBkaV+xccNH9exDfE2XPKg3HHEvtyg9OtjbTa5IjKIpLI091DAiuPb1 YQ/g==
X-Gm-Message-State: AA+aEWb6fs5PHqRp24E7vhablxsPfjpDbziaKbZVHaPo1Hxd7NkvHbNl thRvChRFqwT7O8z5XCONu1Yc6J9BWcEq6Dk71dsY/ETygQ==
X-Google-Smtp-Source: AFSGD/XSp0lVyWT9kW+JNoi1miMJuhxA5BZ6bOld5hS/KYuAaOaTMJnb53xTGVy3Tb+dzrvoaSldvKWX6WbmETYE/+I=
X-Received: by 2002:a0c:a545:: with SMTP id y63mr18502401qvy.119.1545166879223; Tue, 18 Dec 2018 13:01:19 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com> <20181218044251.bk7em26vvvcamq24@bamsoftware.com> <CAF8qwaA0UZrKA_Vn0hLan9Tb498PKq5roXpLEq2+7dU80qjjFg@mail.gmail.com> <20181218072727.GT79754@straasha.imrryr.org>
In-Reply-To: <20181218072727.GT79754@straasha.imrryr.org>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 18 Dec 2018 15:01:07 -0600
Message-ID: <CAF8qwaCAW2Ag_xAzOFdxkC9Vco0auOhVo0w9VquLo8+mKvjQ=A@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f4f808057d5232a0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xOMaHIWymT-ul49V9mXgwEoWBFA>
Subject: Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 21:01:22 -0000
On Tue, Dec 18, 2018 at 1:27 AM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Tue, Dec 18, 2018 at 12:45:22AM -0600, David Benjamin wrote: > > > An earlier iteration even placed the retry on the same connection, which > > makes the analog clearer. (Doing it in the same connection is rather a > > mess, so we bounce to a new one.) > > Any concern about the possibility that the reason the key did not > work was that the particular server had unexpected keys, but > reconnecting might land on a different server, with yet another set > of keys? (Which is to say that I am concerned, but perhaps you're > not?). > That's a good point. This probably means the client needs to allow for a handful of iterations before giving up, which is a bit of a nuisance. > Also connection re-establishment has considerable cost, additional > TCP roundtrips on top of the extra TLS roundtrips. > Agreed. The other cost is that it cannot be implemented entirely within the TLS stack, since most TLS stacks do not establish connections. (Though ESNI already needs caller involvement anyway to get the ESNI keys out of DNS, and the perf overhead can be fine if you believe it's rare.) Is the HRR idea being explored in the parallel thread not viable? > [ That'd be fine by me, one less thing to worry about, but it did > seem worth exploring at first blush... The suggestion of using it > as a fallback when there are either no keys in DNS, or they don't > work also seems like it could be viable. ] > I actually still need to fully digest in that thread. I hadn't even realized when I sent this how much the two had in common, or I would have acknowledged it in the mail. Sorry about that. I imagine my email probably looked odd to you. I'm glad to see we had similar ideas! There might be some version that works? We never came up with a formulation we really liked, and the single-connection version made a lot of things simpler. Some of the nuisances with doing it together: - Sticking two full handshakes on the same connection introduces several new key changes, which will frustrate QUIC and DTLS. - Joining two handshakes at the ServerHello or so frustrates existing analysis, split mode, and any servers with SNI-dependent cipher parameters. (Everyone seems to keep asking their hosting providers for silly little checkboxes to configure TLS parameters.) David
- [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs Stephen Farrell
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Fifield
- Re: [TLS] ESNI robustness and GREASE PRs Kazuho Oku
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Fifield
- Re: [TLS] ESNI robustness and GREASE PRs - client… Viktor Dukhovni
- Re: [TLS] ESNI robustness and GREASE PRs Ilari Liusvaara
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs Ilari Liusvaara
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… Ilari Liusvaara