Re: [TLS] Encryption of TLS 1.3 content type

Michael StJohns <msj@nthpermutation.com> Mon, 28 July 2014 16:02 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45AA01A035D for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 09:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHUQzOgjgMzE for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 09:02:03 -0700 (PDT)
Received: from mail-qa0-f50.google.com (mail-qa0-f50.google.com [209.85.216.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C51F11A0322 for <tls@ietf.org>; Mon, 28 Jul 2014 09:02:02 -0700 (PDT)
Received: by mail-qa0-f50.google.com with SMTP id s7so7942985qap.9 for <tls@ietf.org>; Mon, 28 Jul 2014 09:02:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=IIuWkQ8dLR3IOt0Q4dbtUExak/3Z41cXnhkmq+wB1QA=; b=jDiUBcETNhwwx0/kOI/IIS+DnnsDkqhfSP4SORYECimLHDjnFnAq0Rziz0arON5uYP OTbzj9tc8ASKni0cts0vbXbmVpQL/JD87Nc3jkM2DgIudG99Vlak5jsmG6MgViKd2Xqm bgF/KBgVasIZivDMsJl2Fqs06e1OMWBg24skRovHuJwXAUu8UZw84W6Rwj+Z57JHVoDn rhZqL86C+qv4/uAdpYA3uQU55xuPOXu26i4J0RIRkTwJ4zxCes8S3d5O6kWPL+cLcYqX PkI41KOI9sJ3U3C2qBZsqTMkl2pL72osR/pNSnLrt4GSvkBxqDVFdof3mjDB1pHa/P51 d6OA==
X-Gm-Message-State: ALoCoQn69wlDbODDZ/l2H37MUQvRHnT4LVwwYIWbARa58pKzf02d9U1beiz3mzHAKMtPjrhljRLQ
X-Received: by 10.224.114.74 with SMTP id d10mr50021138qaq.33.1406563320767; Mon, 28 Jul 2014 09:02:00 -0700 (PDT)
Received: from [192.168.1.111] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id r2sm30256953qam.35.2014.07.28.09.01.59 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 28 Jul 2014 09:02:00 -0700 (PDT)
Message-ID: <53D673CB.1060703@nthpermutation.com>
Date: Mon, 28 Jul 2014 12:01:15 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tls@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C738EFB1969@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C738EFB1969@uxcn10-5.UoA.auckland.ac.nz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/y88kdwo1h7rkAVtl2Z4gpE9JkzY
Subject: Re: [TLS] Encryption of TLS 1.3 content type
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 16:02:20 -0000

On 7/28/2014 12:08 AM, Peter Gutmann wrote:
> Yoav Nir <ynir.ietf@gmail.com> writes:
>
>> I believe that changing the 5-byte record header will cause us trouble.
>> Passive IDS/IPS devices follow TLS streams to detect certain attacks. They
>> will cut connections.
> Is it really up to the TLS WG to break (or at least constrain) our designs
> in order to accomodate broken middleboxes?  They're not going to understand
> any of TLS 1.3 anyway and will need to be updated when it comes along, so why
> keep this legacy header just for them?

It depends on how widespread they are, and how deep they go into the 
packet.  If this is something that consumer NAT routers do, then its a 
big problem.  If this is something that commercial firewalls do, then 
its a big problem.

If TLS1.3 does not work on the networks deployed today,  I would doubt 
that TLS 1.3 would be deployed in any major way in any time less than a 
decade.

I don't know the reality of whether or not this will be a problem, but 
simply saying that it's not our problem is probably not useful. Data 
would be helpful.

Mike


>
> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>