Re: [TLS] Adoption call for draft-sy-tls-resumption-group
Victor Vasiliev <vasilvv@google.com> Fri, 26 April 2019 06:46 UTC
Hello everyone,

I believe that the problem this draft addresses is important, and I believe the working group should take on this work.

For various operational reasons, websites often use different IPs for different resources they need to fetch. Resumption across different SNI values could allow them to use 0-RTT, reducing the penalty for new connections they have to make. A particular case I want to address is a situation when there is a CDN (say cdn.example.com) that has multiple shards (say shard101.cdn.example.com and shard102.cdn.example.com), and the client gets load balanced to a specific shard based on the requested resource. In the current situation, unless shard101 and shard102 share the same physical IP, they'd have to pay the connection startup cost for each request. Cross-domain resumption would allow 0-RTT to the second shard accessed, provided all shards have a wildcard certificate.

From the technical standpoint, I agree with Martin that a NewSessionTicket extension would be a better fit, but this is something that we can figure out later without much trouble.

The policy questions (when *should* the client resume?) are more difficult here, and there are multiple aspects to this. One is, as Martin pointed out, clarifying the notion of server identity from the application perspective in the cross-domain scenario. Another is ensuring that the linkability properties are not altered in ways we don't understand. On the surface, one can argue that this is semantically the same procedure as HTTP/2 connection pooling, but without the IP match requirement. This is good, because we can build on the analysis of an existing mechanism. Still, in practice, this might open us up to attacks that with the IP match were impractical. We should ensure that the document describes things we've learned from connection pooling, too.

As I've said before, I am happy to help with this draft.

-- Victor.

On Fri, Apr 12, 2019 at 7:36 PM Christopher Wood <caw@heapingbits.net> wrote:
> At TLS@IETF104, there was interest in the room to adopt
> draft-sy-tls-resumption-group as a WG item. The draft can be found here:
>
> https://datatracker.ietf.org/doc/draft-sy-tls-resumption-group/
>
> This email starts the call for adoption. It will run until April 26, 2019.
> Please indicate whether or not you would like to see this draft
> adopted.
>
> Thanks,
> Chris, Joe, and Sean
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
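The mail's central policy question is when a client *should* reuse a ticket obtained under one SNI for a connection to another. The following is an added illustration, not code from the thread or from the draft: a client-side decision function for the CDN shard scenario described above. It assumes the client has recorded, alongside each ticket, the SNI it was issued under and the dNSName SANs of the certificate presented on that connection, plus a hypothetical `cross_domain_ok` flag standing in for whatever server opt-in signal the working group settles on (the mail only says a NewSessionTicket extension would be a good fit). The host name matching follows the RFC 6125 wildcard rules, so a `*.cdn.example.com` certificate covers `shard102.cdn.example.com` but not a deeper or unrelated name; all sample tickets and host names are constructed.

```python
"""Client policy for cross-domain TLS session resumption (added example).

A ticket issued on a connection to shard101.cdn.example.com may be used for
shard102.cdn.example.com only if (a) it is unexpired, (b) the server opted in
to cross-domain use, and (c) the certificate presented when the ticket was
issued already covers the new name, so the identity the ticket carries is valid
for it. Same-name resumption is always permitted, as today.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of a dNSName SAN against a host name.

    A wildcard is honoured only as the entire leftmost label, only when at
    least two more labels follow it, and it matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return (
        len(p_labels) == len(h_labels)
        and h_labels[0] != ""
        and p_labels[1:] == h_labels[1:]
    )


@dataclass(frozen=True)
class ResumptionTicket:
    issuer_sni: str              # SNI sent on the connection that issued the ticket
    cert_names: tuple[str, ...]  # dNSName SANs of the certificate presented there
    issued_at: float             # wall-clock time the NewSessionTicket arrived
    lifetime: int                # ticket_lifetime (seconds) from NewSessionTicket
    cross_domain_ok: bool        # hypothetical server signal permitting cross-SNI use


def may_resume(ticket: ResumptionTicket, target_host: str, now: float | None = None) -> bool:
    """Return True if client policy allows using `ticket` for `target_host`."""
    now = time.time() if now is None else now
    if now - ticket.issued_at > ticket.lifetime:
        return False  # expired: an attempt would just waste the 0-RTT data
    if target_host.lower() == ticket.issuer_sni.lower():
        return True  # ordinary same-name resumption
    if not ticket.cross_domain_ok:
        return False  # server did not opt in to cross-domain reuse
    # Cross-domain: the certificate seen at issuance must already cover the new
    # name; otherwise the ticket would assert an identity never verified for it.
    return any(hostname_matches(name, target_host) for name in ticket.cert_names)


def pick_ticket(pool, target_host: str, now: float | None = None):
    """Select the first ticket in `pool` usable for `target_host`, or None."""
    for ticket in pool:
        if may_resume(ticket, target_host, now):
            return ticket
    return None


# Constructed sample data mirroring the CDN shard scenario in the mail.
SAMPLE_NOW = 1_000_000.0
SAMPLE_POOL = (
    ResumptionTicket("www.example.com", ("www.example.com",), SAMPLE_NOW, 7200, True),
    ResumptionTicket(
        "shard101.cdn.example.com",
        ("*.cdn.example.com", "cdn.example.com"),
        SAMPLE_NOW,
        7200,
        True,
    ),
)

if __name__ == "__main__":
    for host in (
        "shard101.cdn.example.com",      # same name: resume
        "shard102.cdn.example.com",      # wildcard sibling shard: resume (0-RTT possible)
        "deep.shard102.cdn.example.com", # wildcard matches one label only: no
        "api.example.com",               # no ticket's certificate covers it: no
    ):
        chosen = pick_ticket(SAMPLE_POOL, host, SAMPLE_NOW + 60)
        print(f"{host:32} -> {chosen.issuer_sni if chosen else 'full handshake'}")
```

The expiry check uses the ticket's own `ticket_lifetime`; a deployment would also want to enforce the TLS 1.3 seven-day cap and the single-use convention for tickets, which this policy layer leaves to the TLS stack.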