Re: [TLS] Keeping TLS extension points working

[David Benjamin]

I've finally gotten to uploading
https://tools.ietf.org/html/draft-davidben-tls-grease-01 which hopefully
resolves the procedural issues (thanks again!). I've also revised the text
slightly after some off-list feedback about the risks of non-deterministic
failures.

I didn't add text about what middleboxes are allowed to do since I wasn't
sure what text would be useful. Looking at all the changes we've done in
TLS 1.3, they can do is syntax-check the ClientHello. Anything beyond that
we've been considering fair game to change. TLS 1.3's ServerHello is not
compatible with TLS 1.2's ServerHello. The first message may even not be
ServerHello and instead HelloRetryRequest.

David

On Wed, Jul 27, 2016 at 4:02 PM Sean Turner  wrote:

>
> > On Jul 26, 2016, at 11:11, David Benjamin  wrote:
> >
> > 1) “Updates: 5246 (if approved)” because typically extension documents
> don’t “update” the base specification.  If you are suggesting that all
> implementations must support these values then an updates header makes
> sense.  Note I’m sure somewhere along the way an extension that isn’t
> expected to be supported by all implementation has an updates header but
> what I described is how we’re doing it now.
> >
> > I wasn't sure and mimicked RFC 7507 and RFC 7685 which both did this.
> >
> > I expect that all servers will "support" this specification in so far as
> it says nothing useful for servers. TLS servers are supposed to ignore
> unknown values. I would certainly like for as many clients to do it as
> possible so the ecosystem effects work out, but I certainly don't intend
> for it to be any kind of requirement. (I suppose the text says MAY so
> existing clients also "support" it by default.)
> >
> > Is it better to remove that line in this case? Happy to do whatever
> works.
>
> I’d probably lean towards removing it.
>
> spt
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[David Benjamin]

On Wed, Aug 3, 2016 at 8:52 AM Raja ashok <raja.as...@huawei.com> wrote:

> Hi David & Steven,
>
>
>
> Here our intension is to find out buggy server which implemented a cipher
> suite support with wrong value other than specified in RFC.
>
> -  If that wrong value usage in that buggy server collides with
> any real cipher suite on the period of deployment means, the bug would have
> identified immediately with some other non buggy client.
>
> -  If that wrong value is in the range of unspecified value, then
> that bug thrives and it will come out only after several years when IANA
> assigns that value to some new cipher suite.
>
As ecosystem problems go, this is very tame one. I don't think the
complexity cost of a retry (which is not compatible with existing servers
anyway) far outweighs the ecosystem costs of that particular bug.

Should an implementation, say, copy-and-paste the wrong value for some
cipher suite and use an unallocated one then, yes, if widespread we will
have difficulties using cipher suite value. But then we can simply pick a
different one and document that that value has been lost.

Moreover, making all values into GREASE values will not catch this bug. The
probability of hitting this wrong value randomly is around 1/2^16 which is
well in the noise. Flaky failures won't do any good to prevent bugs.

In contrast, intolerance to *anything* unknown is a huge problem for
deployment. Then we simply can't deploy new things. (At least not without
fallbacks and such which have security consequences, among other problems.)

In this case, can you please tell me why we decided only few values as
> GREASE value {0x0A0A, 0x1A1A, ..}. Whether chrome browser has found a real
> buggy web server which supports these values ?
>
Ultimately the values need to get reserved so people don't try to use them
for real ones. I picked a small-ish number so that people maintaining the
registries would not become too unhappy at me. :-)

Chrome has yet to ship code which does this. I figured I ought to write
something up and send it to this list before squatting on quite so many
values in the registry. For the moment, this idea is merely a spec.

David

Regards,
>
> R Ashok
> --
>
> Raja Ashok VK
> 华为技术有限公司 Huawei Technologies Co., Ltd.
> [image: image001.jpg]
>
> Phone:
> Fax:
> Mobile:
> Email:
> Huawei Technologies Co., Ltd.
> Bangalore, India
> http://www.huawei.com
>
> --
>
> 本邮件及其附件含有华为公司的保密信息，仅限于发送给上面地址中列出的个人或群组。禁
> 止任何其他人以任何形式使用（包括但不限于全部或部分地泄露、复制、或散发）本邮件中
> 的信息。如果您错收了本邮件，请您立即电话或邮件通知发件人并删除本邮件！
> This e-mail and its attachments contain confidential information from
> HUAWEI, which
> is intended only for the person or entity whose address is listed above.
> Any use of the
> information contained herein in any way (including, but not limited to,
> total or partial
> disclosure, reproduction, or dissemination) by persons other than the
> intended
> recipient(s) is prohibited. If you receive this e-mail in error, please
> notify the sender by
> phone or email immediately and delete it!
>
> *From:* David Benjamin [mailto:david...@chromium.org]
> *Sent:* 02 August 2016 19:30
> *To:* Steven Valdez; Raja ashok; tls@ietf.org
> *Subject:* Re: [TLS] Keeping TLS extension points working
>
>
>
> To expand on that a little, since it seems comments (a) and (b) are really
> the same one:
>
>
>
> The purpose of having an explicitly reserved list (b) is precisely so we
> do not have to do a second handshake (a). The purpose here is to ensure we
> exercise the little-used codepaths, not introduce new ones. This is
> intended to be an extremely minimal mechanism. Clients add a tiny bit of
> code to their ClientHello and no server code changes at all. (Note that
> every MUST in the document is just reiterating what TLS already requires.)
>
>
>
> David
>
>
>
> On Tue, Aug 2, 2016 at 9:47 AM Steven Valdez <sval...@google.com> wrote:
>
> a) It seems like if an implementation has updated to be able to handle a
> specific GREASE alert, it should be able to handle not sending an invalid
> cipher suite. In general, its probably cleaner for the connection to
> fatally shutdown and then restart if the server is behaving that poorly.
> Servers that are sending back non-existent ciphers are also potentially
> broken in other ways, and I don't know whether a client should trust that
> it can reset any handshake state correctly if it were to try doing a
> "warning" alert.
>
>
>
> b) The reasoning behind having an explicit list is so that implementations
> don't send a value that ends up being defined as some other valid value.
> Otherwise its possible that some implemen

Re: [TLS] Keeping TLS extension points working

[Raja ashok]

Hi David & Steven,

Here our intension is to find out buggy server which implemented a cipher suite 
support with wrong value other than specified in RFC.

-  If that wrong value usage in that buggy server collides with any 
real cipher suite on the period of deployment means, the bug would have 
identified immediately with some other non buggy client.

-  If that wrong value is in the range of unspecified value, then that 
bug thrives and it will come out only after several years when IANA assigns 
that value to some new cipher suite.

In this case, can you please tell me why we decided only few values as GREASE 
value {0x0A0A, 0x1A1A, ..}. Whether chrome browser has found a real buggy web 
server which supports these values ?

Regards,
R Ashok

Raja Ashok VK
华为技术有限公司 Huawei Technologies Co., Ltd.
[Company_logo]

Phone:
Fax:
Mobile:
Email:
Huawei Technologies Co., Ltd.
Bangalore, India
http://www.huawei.com

本邮件及其附件含有华为公司的保密信息，仅限于发送给上面地址中列出的个人或群组。禁
止任何其他人以任何形式使用（包括但不限于全部或部分地泄露、复制、或散发）本邮件中
的信息。如果您错收了本邮件，请您立即电话或邮件通知发件人并删除本邮件！
This e-mail and its attachments contain confidential information from HUAWEI, 
which
is intended only for the person or entity whose address is listed above. Any 
use of the
information contained herein in any way (including, but not limited to, total 
or partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify 
the sender by
phone or email immediately and delete it!
From: David Benjamin [mailto:david...@chromium.org]
Sent: 02 August 2016 19:30
To: Steven Valdez; Raja ashok; tls@ietf.org
Subject: Re: [TLS] Keeping TLS extension points working

To expand on that a little, since it seems comments (a) and (b) are really the 
same one:

The purpose of having an explicitly reserved list (b) is precisely so we do not 
have to do a second handshake (a). The purpose here is to ensure we exercise 
the little-used codepaths, not introduce new ones. This is intended to be an 
extremely minimal mechanism. Clients add a tiny bit of code to their 
ClientHello and no server code changes at all. (Note that every MUST in the 
document is just reiterating what TLS already requires.)

David

On Tue, Aug 2, 2016 at 9:47 AM Steven Valdez 
<sval...@google.com<mailto:sval...@google.com>> wrote:
a) It seems like if an implementation has updated to be able to handle a 
specific GREASE alert, it should be able to handle not sending an invalid 
cipher suite. In general, its probably cleaner for the connection to fatally 
shutdown and then restart if the server is behaving that poorly. Servers that 
are sending back non-existent ciphers are also potentially broken in other 
ways, and I don't know whether a client should trust that it can reset any 
handshake state correctly if it were to try doing a "warning" alert.

b) The reasoning behind having an explicit list is so that implementations 
don't send a value that ends up being defined as some other valid value. 
Otherwise its possible that some implementations will update to include GREASE 
values, but they might not update immediately upon new values being assigned by 
IANA, which means that there will be periods of times that some clients might 
send "fake" values that collide with real values, confusing the peer 
implementation into believing they actually support something that they don't 
and resulting in more intolerance issues between outdated GREASE clients and 
newly updated servers, with this intolerance being firmly the GREASE clients 
fault. The hardcoded list gets around this by making sure GREASE never overlaps 
with an actual value, though at the trade-off that badly designed 
implementations could choose to just hard-code ignore the GREASE codepoints.

On Tue, Aug 2, 2016 at 2:59 AM Raja ashok 
<raja.as...@huawei.com<mailto:raja.as...@huawei.com>> wrote:
Hi Benjamin,

I have gone through the GREASE mechanism which you proposed in your new draft. 
It’s really a nice idea for finding a buggy server before it thrives.

I am having few doubts on this, which are listed below.

a)  What should be the behaviour of client incase if a buggy server 
responded for a GREASE value ?

-  Consider a client sends a GREASE cipher value at first place and 
followed by valid cipher suites, in its client hello.

-  If a buggy server selects that cipher then it will response server 
hello with that GREASE cipher value. At this case if client sends FATAL alert 
then both side TLS and TCP needs to be closed and client needs to recreate a 
new TCP connection, and then restart TLS handshake without GREASE cipher value.

-  Instead of this we can make client to send warning alert (with new 
TLS alert code GREASE_CIPHER_VALUE_SELECTED(111)) and restart TLS handshake by 
sending client hello again.

Re: [TLS] Keeping TLS extension points working

[David Benjamin]

To expand on that a little, since it seems comments (a) and (b) are really
the same one:

The purpose of having an explicitly reserved list (b) is precisely so we do
not have to do a second handshake (a). The purpose here is to ensure we
exercise the little-used codepaths, not introduce new ones. This is
intended to be an extremely minimal mechanism. Clients add a tiny bit of
code to their ClientHello and no server code changes at all. (Note that
every MUST in the document is just reiterating what TLS already requires.)

David

On Tue, Aug 2, 2016 at 9:47 AM Steven Valdez  wrote:

> a) It seems like if an implementation has updated to be able to handle a
> specific GREASE alert, it should be able to handle not sending an invalid
> cipher suite. In general, its probably cleaner for the connection to
> fatally shutdown and then restart if the server is behaving that poorly.
> Servers that are sending back non-existent ciphers are also potentially
> broken in other ways, and I don't know whether a client should trust that
> it can reset any handshake state correctly if it were to try doing a
> "warning" alert.
>
> b) The reasoning behind having an explicit list is so that implementations
> don't send a value that ends up being defined as some other valid value.
> Otherwise its possible that some implementations will update to include
> GREASE values, but they might not update immediately upon new values being
> assigned by IANA, which means that there will be periods of times that some
> clients might send "fake" values that collide with real values, confusing
> the peer implementation into believing they actually support something that
> they don't and resulting in more intolerance issues between outdated GREASE
> clients and newly updated servers, with this intolerance being firmly the
> GREASE clients fault. The hardcoded list gets around this by making sure
> GREASE never overlaps with an actual value, though at the trade-off that
> badly designed implementations could choose to just hard-code ignore the
> GREASE codepoints.
>
> On Tue, Aug 2, 2016 at 2:59 AM Raja ashok  wrote:
>
>> Hi Benjamin,
>>
>>
>>
>> I have gone through the GREASE mechanism which you proposed in your new
>> draft. It’s really a nice idea for finding a buggy server before it thrives.
>>
>>
>>
>> I am having few doubts on this, which are listed below.
>>
>> a)  What should be the behaviour of client incase if a buggy server
>> responded for a GREASE value ?
>>
>> -  Consider a client sends a GREASE cipher value at first place
>> and followed by valid cipher suites, in its client hello.
>>
>> -  If a buggy server selects that cipher then it will response
>> server hello with that GREASE cipher value. At this case if client sends
>> FATAL alert then both side TLS and TCP needs to be closed and client needs
>> to recreate a new TCP connection, and then restart TLS handshake without
>> GREASE cipher value.
>>
>> -  Instead of this we can make client to send warning alert
>> (with new TLS alert code GREASE_CIPHER_VALUE_SELECTED(111)) and restart TLS
>> handshake by sending client hello again.
>>
>> -  If a server receives this new warning, then it should be
>> ready to receive new client hello to restart handshake.
>>
>>
>>
>> SERVER
>> CLIENT
>>
>> CH (GREASE Cipher value & Valid Cipher value)  -->
>>
>>
>> <---  SH (GREASE cipher value)
>>
>> Fatal alert>
>>
>> TCP (SYN)>
>>
>>
>> <
>> TCP(SYN ACK)
>>
>> TCP (ACK)>
>>
>> CH (Valid cipher
>> value)  --->
>>
>> Scenario 1 : Sending FATAL alert for server
>> selecting GREASE value
>>
>>
>>
>> SERVER
>> CLIENT
>>
>> CH (GREASE Cipher value & Valid Cipher value)  --->
>>
>>
>> <---  SH (GREASE cipher value)
>>
>> Warning alert >
>>
>> CH (Valid cipher
>> value)  --->
>>
>> Scenario 2 : Sending WARNING alert for server
>> selecting GREASE value
>>
>>
>>
>> -  I hope sending warning msg and restarting TLS handshake will
>> be efficient.
>>
>> -  TLS Server must notify the application, whenever it receives
>> a GREASE warning alert.
>>
>>
>>
>> b)  Why only few values are specified as GREASE value ? Basically
>> all value which are not specified by IANA should be considered as GREASE
>> value right ?
>>
>> -  Basically client should maintain the list of values (cipher
>> suite, extensions) specified by IANA. The range of values.
>>
>> -  For example IANA specified cipher suite values are
>> {{0x,0x005C}, {0x0060,0x006D}, {0x0084, 

Re: [TLS] Keeping TLS extension points working

[Geoffrey Keating]

Hubert Kario  writes:

> On Thursday, 28 July 2016 06:12:48 CEST Watson Ladd wrote:
> > On Thu, Jul 28, 2016 at 3:28 AM, Hubert Kario  wrote:
> > > On Wednesday, 27 July 2016 09:50:18 CEST Wan-Teh Chang wrote:
> > >> Another source of interop failures is the firewall devices that do
> > >> anomaly detection.
> > > 
> > > how about adding a section that explicitly says what they are allowed to
> > > do, and what they should not do?
> > 
> > This is what parsing is for.
> 
> yes, and bugs in parsing may very well be exploitable
>  
> > > in other words, how they can still provide added value without breaking
> > > TLS in the future
> > 
> > Maybe they can't, and you shouldn't buy those products.
> 
> pragmatist would say that double checking is defence in depth
> 
> and whatever we think, doesn't change the fact that people do make them 
> because people do buy them, so at least we can tell them how they can play 
> nice

I don't think 'playing nice' is the point of these devices; the
concept is that unusual is bad, and so should be blocked.  They don't
just block new or unknown features, but sometimes also known features
being used in unusual combinations.  I've seen these devices raise a
security alert because of a ciphersuite list which contained only
ciphersuites used by browsers, but not in the expected
combination/order---at least, that's what I think it was.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[Watson Ladd]

On Thu, Jul 28, 2016 at 3:28 AM, Hubert Kario  wrote:
> On Wednesday, 27 July 2016 09:50:18 CEST Wan-Teh Chang wrote:
>> On Mon, Jul 25, 2016 at 3:32 PM, David Benjamin 
> wrote:
>> > Hi folks,
>> >
>> > I'm not sure how this process usually works, but I would like to reserve a
>> > bunch of values in the TLS registries to as part of an idea to keep our
>> > extension points working. Here's an I-D:
>> > https://tools.ietf.org/html/draft-davidben-tls-grease-00
>> >
>> > (The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy
>> > from https://www.imperialviolet.org/2016/05/16/agility.html )
>> >
>> > One problem we repeatedly run into is servers failing to implement TLS's
>> > various extension points correctly. The most obvious being version
>> > intolerance. When we deployed X25519 in Chrome, we discovered an
>> > intolerant
>> > implementation. (Thankfully it was rare enough to not warrant a fallback
>> > or
>> > revert!) It appears that signature algorithms maybe also be gathering
>> > rust.
>> > Ciphers and extensions seem to have held up, but I would like to ensure
>> > they stay that way.
>> >
>> > The root problem here is these broken servers interoperate fine with
>> > clients at the time they are deployed. It is only after new values get
>> > defined do we notice, by which time it is too late.
>> >
>> > I would like to fix this by reserving a few values in our registries so
>> > that clients may advertise random ones and regularly exercise these
>> > codepaths in servers. If enough of the client base does this, we can turn
>> > a large class of tomorrow's interop failures into today's interop
>> > failures. This is important because an bug will not thrive in the
>> > ecosystem if it does not work against the current deployment.
>>
>> Hi David,
>>
>> In general I like your idea. Thank you for writing up a proposal.
>>
>> Another source of interop failures is the firewall devices that do
>> anomaly detection. Some of them will abort TLS handshakes if they see
>> unknown TLS protocol versions or extensions in ClientHello. (They all
>> seem to allow unknown cipher suite values.) I suspect they will treat
>> the GREASE cipher suite, extension, and named group values as "normal"
>> and continue to abort the handshake if they see truly new values. I
>> can only hope that these network security devices are updated
>> regularly.
>
> how about adding a section that explicitly says what they are allowed to do,
> and what they should not do?
>
> i.e. it is acceptable for them to reject messages that are malformed (data in
> client hello past extensions field, odd sizes for arrays that contain just
> double-byte values, etc.) but not "undefined" extensions or "undefined" values
> in them

This is what parsing is for.

>
> in other words, how they can still provide added value without breaking TLS in
> the future

Maybe they can't, and you shouldn't buy those products.

> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[Hubert Kario]

On Wednesday, 27 July 2016 09:50:18 CEST Wan-Teh Chang wrote:
> On Mon, Jul 25, 2016 at 3:32 PM, David Benjamin  
wrote:
> > Hi folks,
> > 
> > I'm not sure how this process usually works, but I would like to reserve a
> > bunch of values in the TLS registries to as part of an idea to keep our
> > extension points working. Here's an I-D:
> > https://tools.ietf.org/html/draft-davidben-tls-grease-00
> > 
> > (The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy
> > from https://www.imperialviolet.org/2016/05/16/agility.html )
> > 
> > One problem we repeatedly run into is servers failing to implement TLS's
> > various extension points correctly. The most obvious being version
> > intolerance. When we deployed X25519 in Chrome, we discovered an
> > intolerant
> > implementation. (Thankfully it was rare enough to not warrant a fallback
> > or
> > revert!) It appears that signature algorithms maybe also be gathering
> > rust.
> > Ciphers and extensions seem to have held up, but I would like to ensure
> > they stay that way.
> > 
> > The root problem here is these broken servers interoperate fine with
> > clients at the time they are deployed. It is only after new values get
> > defined do we notice, by which time it is too late.
> > 
> > I would like to fix this by reserving a few values in our registries so
> > that clients may advertise random ones and regularly exercise these
> > codepaths in servers. If enough of the client base does this, we can turn
> > a large class of tomorrow's interop failures into today's interop
> > failures. This is important because an bug will not thrive in the
> > ecosystem if it does not work against the current deployment.
> 
> Hi David,
> 
> In general I like your idea. Thank you for writing up a proposal.
> 
> Another source of interop failures is the firewall devices that do
> anomaly detection. Some of them will abort TLS handshakes if they see
> unknown TLS protocol versions or extensions in ClientHello. (They all
> seem to allow unknown cipher suite values.) I suspect they will treat
> the GREASE cipher suite, extension, and named group values as "normal"
> and continue to abort the handshake if they see truly new values. I
> can only hope that these network security devices are updated
> regularly.

how about adding a section that explicitly says what they are allowed to do, 
and what they should not do?

i.e. it is acceptable for them to reject messages that are malformed (data in 
client hello past extensions field, odd sizes for arrays that contain just 
double-byte values, etc.) but not "undefined" extensions or "undefined" values 
in them

in other words, how they can still provide added value without breaking TLS in 
the future
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

signature.asc
Description: This is a digitally signed message part.
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[Adam Langley]

On Wed, Jul 27, 2016 at 9:50 AM, Wan-Teh Chang  wrote:
> Another source of interop failures is the firewall devices that do
> anomaly detection. Some of them will abort TLS handshakes if they see
> unknown TLS protocol versions or extensions in ClientHello. (They all
> seem to allow unknown cipher suite values.) I suspect they will treat
> the GREASE cipher suite, extension, and named group values as "normal"
> and continue to abort the handshake if they see truly new values. I
> can only hope that these network security devices are updated
> regularly.

Sadly there's very little that we can do to address aggressively bad
devices. None the less, there are several instances of unintentional
bugs in implementations that have caused problems with new-feature
deployment that I believe could have been caught with this proposal.
As ever, bugs are much less costly when found earlier and I believe
that applies equally to the developer and the world as a whole.

I have mind the cases of extension intolerance that we've thankfully
mostly managed to drive out now (because new extensions have been
added for other reasons) and the bug that led to the padding extension
(RFC 7685).

On the other hand, we've seen what's happened to the version field,
which is moving too slowly to resist rusting.


Cheers

AGL

-- 
Adam Langley a...@imperialviolet.org https://www.imperialviolet.org

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[Sean Turner]

David,

Technically, IANA makes the assignments we (the IETF/TLS WG) ask them to make 
via the IANA considerations section.  They enforce the registry policy 
established when we (the IETF/TLS WG) originally established the registry; the 
available policies are found in RFC 5226 (and there’s some more rules in RFC 
7120).  So, I’m hoping that you could tweak your draft somewhat to be 
instructional and then suggest some values (this purely procedural dance has 
worked in the past and it’s what we’re doing for draft-ietf-tls-ecdhe-psk-aead):

0) In s2, replace the two lists with something like:

The draft reservers the following X cipher suite values: Values TBD

The following X values are reserved as both GREASE extension values and GREASE 
named group values: Values TBD

1) In 5, add a {TBD} sub-column to the 1st column for each value in the tables 
(apologies for the formatting):

+-+-+-+-+
|Value   | Description | DTLS-OK |Reference|
+-+-+-+-+
| {TBD} {0x0A,0x0A} |   Reserved  |Y| (this document) |

And then add something like this to the end of the section:

  The cipher suite numbers listed in the second column in the
  values column are numbers used for cipher suite interoperability
  testing and it's suggested that IANA use these values for assignment.


I’m sure somebody will eventually comment on the following header fields:

0) “Status: Informational” because some of the registries right now require 
standards track RFCs to do the assignments.  But, everybody should momentarily 
suspend reality because we’re going to change the registry rules for the 
registries you are adding values you to be something that would allow an draft 
intended for “informational” to do the updates, i.e., just leave it alone for 
now.

1) “Updates: 5246 (if approved)” because typically extension documents don’t 
“update” the base specification.  If you are suggesting that all 
implementations must support these values then an updates header makes sense.  
Note I’m sure somewhere along the way an extension that isn’t expected to be 
supported by all implementation has an updates header but what I described is 
how we’re doing it now.

Cheers,

spt

PS: As chair, I try to deal with/deflect as many of these procedural issues as 
possible, but if you want to know more please let me know off-list.  This 
actually goes for anybody on the list.

> On Jul 25, 2016, at 18:32, David Benjamin  wrote:
> 
> Hi folks,
> 
> I'm not sure how this process usually works, but I would like to reserve a 
> bunch of values in the TLS registries to as part of an idea to keep our 
> extension points working. Here's an I-D:
> https://tools.ietf.org/html/draft-davidben-tls-grease-00
> 
> (The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy 
> from https://www.imperialviolet.org/2016/05/16/agility.html )
> 
> One problem we repeatedly run into is servers failing to implement TLS's 
> various extension points correctly. The most obvious being version 
> intolerance. When we deployed X25519 in Chrome, we discovered an intolerant 
> implementation. (Thankfully it was rare enough to not warrant a fallback or 
> revert!) It appears that signature algorithms maybe also be gathering rust. 
> Ciphers and extensions seem to have held up, but I would like to ensure they 
> stay that way.
> 
> The root problem here is these broken servers interoperate fine with clients 
> at the time they are deployed. It is only after new values get defined do we 
> notice, by which time it is too late.
> 
> I would like to fix this by reserving a few values in our registries so that 
> clients may advertise random ones and regularly exercise these codepaths in 
> servers. If enough of the client base does this, we can turn a large class of 
> tomorrow's interop failures into today's interop failures. This is important 
> because an bug will not thrive in the ecosystem if it does not work against 
> the current deployment.
> 
> If you were in Berlin, you may recognize this idea from the version 
> negotiation debate. Alas that all happened in the wrong order as I hadn't 
> written this up yet. This idea can't be applied to versioning without giving 
> up on ClientHello.version, but we can start with the rest of the protocol.
> 
> David
> 
> PS: This is actually my first I-D, so apologies if I've messed it up 
> somewhere!
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[Hubert Kario]

On Monday, 25 July 2016 23:32:41 CEST David Benjamin wrote:
> On Mon, Jul 25, 2016 at 7:23 PM Viktor Dukhovni 
> 
> wrote:
> > On Mon, Jul 25, 2016 at 10:32:29PM +, David Benjamin wrote:
> > > I'm not sure how this process usually works, but I would like to reserve
> > 
> > a
> > 
> > > bunch of values in the TLS registries to as part of an idea to keep our
> > > extension points working. Here's an I-D:
> > > 
> > > https://tools.ietf.org/html/draft-davidben-tls-grease-00
> > 
> > To really make this work, it would be necessary to expand the
> > reserved pool gradually, rather than all at once, so that servers
> > can't hard-code just the initially reserved pool, and still fail
> > with new "real" extensions later.
> 
> My hope is that, especially with the values allocated sparsely, after
> getting interop failure once or twice from unknown values, the servers will
> quickly figure it out. I'm assuming the implementations simply made
> mistakes or weren't paying enough attention to the specification rather
> than being actively malicious.
> 
> But, you are right, one failure mode here is implementations may
> "accidentally" hard-code the reserved pool... somehow.

Then we have "pet-projects" of which the primary/only developer walks away/
changes jobs well after it was tightly integrated with already deployed 
systems, code that is passed over to interns as nobody either has time, 
inclination or knows much about  anyway[1]...

Thus I don't think it solves the problem even for non malicious programmers

While the idea of code points that MUST NOT be negotiated by servers is not 
bad one from testing perspective, we already have few values like this 
(0x00,0x14 for cipher, 15 for supported groups, just of the top of my head). 
And for a test suite any value not defined by IANA already has this function 
(and you do need to test all those values to search for undocumented features, 
backdoors, etc. anyway).

 1 - talking purely hypothetically here, even if I wanted, I wouldn't know 
where to point fingers in realm of TLS implementations
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

signature.asc
Description: This is a digitally signed message part.
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[David Benjamin]

On Tue, Jul 26, 2016 at 6:56 AM Hubert Kario  wrote:

> On Monday, 25 July 2016 22:32:29 CEST David Benjamin wrote:
> > I would like to fix this by reserving a few values in our registries so
> > that clients may advertise random ones and regularly exercise these
> > codepaths in servers. If enough of the client base does this, we can
> turn a
> > large class of tomorrow's interop failures into today's interop failures.
> > This is important because an bug will not thrive in the ecosystem if it
> > does not work against the current deployment.
>
> What prevents an implementation from ignoring values from just those
> reserved
> ranges and continuing to be intolerant to other values? After all, if they
> are
> reserved for this, they just need to ignore those values (as no "real"
> extension/value will ever use them) to "resolve the problem".
>

Nothing. Just as nothing prevents an implementation from taking every
ClientHello current browsers send (variable parts like client_random
normalized), hard-coding their SHA-256 hashes, and rejecting anything that
doesn't match.

The point is to catch honest mistakes, not to avoid servers that are
maliciously trying to mess up the ecosystem.

We can certainly increase the pool over time as Viktor suggested if
special-casing these becomes a problem. I don't expect it to be, but we'll
see. Whereas not ignoring unknown values has empirically been a problem.

David
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[Hubert Kario]

On Monday, 25 July 2016 22:32:29 CEST David Benjamin wrote:
> I would like to fix this by reserving a few values in our registries so
> that clients may advertise random ones and regularly exercise these
> codepaths in servers. If enough of the client base does this, we can turn a
> large class of tomorrow's interop failures into today's interop failures.
> This is important because an bug will not thrive in the ecosystem if it
> does not work against the current deployment.

What prevents an implementation from ignoring values from just those reserved 
ranges and continuing to be intolerant to other values? After all, if they are 
reserved for this, they just need to ignore those values (as no "real" 
extension/value will ever use them) to "resolve the problem".

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

signature.asc
Description: This is a digitally signed message part.
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[David Benjamin]

On Mon, Jul 25, 2016 at 7:23 PM Viktor Dukhovni 
wrote:

> On Mon, Jul 25, 2016 at 10:32:29PM +, David Benjamin wrote:
>
> > I'm not sure how this process usually works, but I would like to reserve
> a
> > bunch of values in the TLS registries to as part of an idea to keep our
> > extension points working. Here's an I-D:
> >
> > https://tools.ietf.org/html/draft-davidben-tls-grease-00
>
> To really make this work, it would be necessary to expand the
> reserved pool gradually, rather than all at once, so that servers
> can't hard-code just the initially reserved pool, and still fail
> with new "real" extensions later.


My hope is that, especially with the values allocated sparsely, after
getting interop failure once or twice from unknown values, the servers will
quickly figure it out. I'm assuming the implementations simply made
mistakes or weren't paying enough attention to the specification rather
than being actively malicious.

But, you are right, one failure mode here is implementations may
"accidentally" hard-code the reserved pool... somehow.


> Add a new code point every year
> for 5-10 years, and eventually servers will have extension tolerance.
>

To clarify, this is about making sure new implementations don't ossify the
whatever set of named groups (etc.) they observe, not flushing intolerance
out of existing ones. For existing ones, it'd be equally difficult to
deploy, say, GREASE for named groups as it'd be to deploy a new named group
to begin with. (Fortunately, we successfully deployed a new named group
just this year, so this is the perfect time to do that.)

David
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[Viktor Dukhovni]

On Mon, Jul 25, 2016 at 10:32:29PM +, David Benjamin wrote:

> I'm not sure how this process usually works, but I would like to reserve a
> bunch of values in the TLS registries to as part of an idea to keep our
> extension points working. Here's an I-D:
>
> https://tools.ietf.org/html/draft-davidben-tls-grease-00

To really make this work, it would be necessary to expand the
reserved pool gradually, rather than all at once, so that servers
can't hard-code just the initially reserved pool, and still fail
with new "real" extensions later.  Add a new code point every year
for 5-10 years, and eventually servers will have extension tolerance.

-- 
Viktor.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[David Benjamin]

On Mon, Jul 25, 2016 at 6:32 PM David Benjamin 
wrote:

> Hi folks,
>
> I'm not sure how this process usually works, but I would like to reserve a
> bunch of values in the TLS registries to as part of an idea to keep our
> extension points working. Here's an I-D:
> https://tools.ietf.org/html/draft-davidben-tls-grease-00
>
> (The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy
> from https://www.imperialviolet.org/2016/05/16/agility.html )
>
> One problem we repeatedly run into is servers failing to implement TLS's
> various extension points correctly. The most obvious being version
> intolerance. When we deployed X25519 in Chrome, we discovered an intolerant
> implementation. (Thankfully it was rare enough to not warrant a fallback or
> revert!)
>

Er, I lost a sentence here, sorry.

I meant that, in addition to version intolerance other extension points
have also gathered rust. The X25519 trouble was an example of named curve
intolerance, not version. (Someone forgot a default in their switch-case.)


> It appears that signature algorithms maybe also be gathering rust. Ciphers
> and extensions seem to have held up, but I would like to ensure they stay
> that way.
>
> The root problem here is these broken servers interoperate fine with
> clients at the time they are deployed. It is only after new values get
> defined do we notice, by which time it is too late.
>
> I would like to fix this by reserving a few values in our registries so
> that clients may advertise random ones and regularly exercise these
> codepaths in servers. If enough of the client base does this, we can turn a
> large class of tomorrow's interop failures into today's interop failures.
> This is important because an bug will not thrive in the ecosystem if it
> does not work against the current deployment.
>
> If you were in Berlin, you may recognize this idea from the version
> negotiation debate. Alas that all happened in the wrong order as I hadn't
> written this up yet. This idea can't be applied to versioning without
> giving up on ClientHello.version, but we can start with the rest of the
> protocol.
>
> David
>
> PS: This is actually my first I-D, so apologies if I've messed it up
> somewhere!
>
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls