IETF Logo Mail Archive

Re: [TLS] Record header size?

Eric Rescorla <ekr@rtfm.com> Tue, 17 November 2015 21:10 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 419D91A882B for <tls@ietfa.amsl.com>; Tue, 17 Nov 2015 13:10:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bTlN3aqk24R for <tls@ietfa.amsl.com>; Tue, 17 Nov 2015 13:10:19 -0800 (PST)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 376F51A8821 for <tls@ietf.org>; Tue, 17 Nov 2015 13:10:19 -0800 (PST)
Received: by ykdv3 with SMTP id v3so29455906ykd.0 for <tls@ietf.org>; Tue, 17 Nov 2015 13:10:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm_com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=eeqE+I/L90636DnQE0G+480rleXMFBL4khP1Tjz/hHg=; b=W9hDWqYcHbmPjiXU/GFkZIIZduetqOtxYq5gUOOGTlWwOquOJ5AX8gm/JHrr+nwq67 koFWNii9s/mBu83yO7JDc2P2vu2ykoHXoqUIivf9ZsO1P6QR55N5rcSbER8qxcwu3GF6 wSOeA/ukDZoYAuCEsrw8p5HLN2rnYdEGf/jN0BjbwR7CSN+YNc5+4bkRw8Kt1FR0I0wk z1IxtebtJWfyLkAkooshwOHS/ZSZr2ufTEkXQ6qW0fZ/n2j7g7oAcbu26P6OZRcjU9ZC ljaAuY9taKdZ0dKZyDLvIFzanjjtf1vWgMLIjuzRoDiNO+hOy5jphRmx8yY/7VfsjIy5 OgkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=eeqE+I/L90636DnQE0G+480rleXMFBL4khP1Tjz/hHg=; b=YgzgS9NAxU/vqSrEQtiAiwEiTLoPUuZRi7PcRJWy1pNyI8iTQOA+vnSIfbxQE99jvG d5a60cD/J3Wwsg5ueqetukXPv9gejd0QXeNenhFtvw/5jZRESHZUrnL+1VbHOImp40E7 QaHAoa5jYUeoGLqvRotqd9qmu4Ay5OWOTCtM0hObCGss8TIr/ciNnRcfiCsrDATkOxbr dJ+eIP36e1WGykT/UZhBMi7aVCe2+VvoiCtWNbTYm1VrvoeELgBNCDxfhbzoPVWZJAe3 W8ZgFDMWreLKBEBPWCLj9i2JnOHuAqthIJphf1YX8fK5jUIqT2bUwlolf43ucJ6at2Us egDQ==
X-Gm-Message-State: ALoCoQnWE4w92nQEQioEOphZWijkJpePzPcW9fwOMFR8jfluFW6a+u0bMGb4U9N1c7GUaovfhAiD
X-Received: by 10.13.197.194 with SMTP id h185mr35074951ywd.12.1447794618428; Tue, 17 Nov 2015 13:10:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.221.203 with HTTP; Tue, 17 Nov 2015 13:09:39 -0800 (PST)
In-Reply-To: <D5A18321-BA89-4047-91A0-D0259E70F0D9@akamai.com>
References: <C5F506DC-F814-4C0B-AFAA-86CF790817A7@akamai.com> <CABcZeBP5QPQAXKvM_oEAzex0-vrVWMvOW0yZuamvF5hxAHtmtw@mail.gmail.com> <87egfoe4n2.fsf@alice.fifthhorseman.net> <D5A18321-BA89-4047-91A0-D0259E70F0D9@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 17 Nov 2015 13:09:39 -0800
Message-ID: <CABcZeBP8YSnv16Goa4-5ZVRS5eyq1N9-Qe1GwkV=A6EmWWE86w@mail.gmail.com>
To: "Short, Todd" <tshort@akamai.com>
Content-Type: multipart/alternative; boundary="001a114edd4af0a2b20524c2f355"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zTWp59paH91L1_HvDxjuatPdtlA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Record header size?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 21:10:24 -0000

Can you expand on the alignment issues some more?

Thinking through how typical software stacks work, you first read
the record header into some buffer to figure out how long the record
is and then you read the record payload into a buffer, which may
not even be the same buffer. For instance, in NSS, there are
two buffers, one for the header and one for the body:

https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/ssl/ssl3gthr.c#53
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/ssl/sslimpl.h#377

In a system like this, there's nothing stopping the body from being 4-byte
aligned, whatever the alignment of the header is. I'd be interested in
hearing
about the design you have in mind.

-Ekr








On Tue, Nov 17, 2015 at 12:59 PM, Short, Todd <tshort@akamai.com> wrote:

> I would say that 32-bits would be optimal, since that is the typical
> word-size of processors that need alignment. 2-bytes isn’t much better than
> 5-bytes in this regard.
> --
> -Todd Short
> // tshort@akamai.com
> // "One if by land, two if by sea, three if by the Internet."
>
> On Nov 17, 2015, at 3:45 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
> wrote:
>
> On Tue 2015-11-17 12:09:30 -0500, Eric Rescorla wrote:
>
> The concern here is backward compatibility with inspection middleboxes
> which
> expect the length field to be in a particular place. We agreed in Seattle
> to
> wait for early deployment experience before modifying the header to move
> the length.
>
>
> In particular, if we're going to make a change to the TLS record header,
> the change would be to remove the version and the type entirely, leaving
> only two octets of length on each record.  Is a two-octet offset going
> to be problematic?
>
>         --dkg
>
>
>

v2.23.0 | Report a Bug | By Email