On Monday 15 December 2008 07:46:16 Peter Saint-Andre wrote:
> Therefore I suggest that we simplify e2e by using
> something very close to the original XTLS proposal to set up, use, and
> tear down an XTLS tunnel. I've outlined the protocol below.

First, we should use IBB. Sure, it adds complexity with the block sizes and
message vs iq, but you want this stuff. The only downside is the extra round
trip on startup. If it's that big of a deal, we can make a special extension
that lets you IBB + XTLS in one shot.

> 1. Initiator sends start request to responder
>
> <iq from='[email protected]/orchard'
>     id='xtls_1'
>     to='[email protected]/balcony'
>     type='set'>
>   <start xmlns='urn:xmpp:tmp:xtls'/>
> </iq>

<iq from='[email protected]/orchard'
    id='xtls_1'
    to='[email protected]/balcony'
    type='set'>
  <open sid='mySID' block-size='4096' xmlns='http://jabber.org/protocol/ibb'>
    <start xmlns='urn:xmpp:tmp:xtls'/>
  </open>
</iq>

> 2. Responder tells initiator to proceed
>
> <iq from='[email protected]/balcony'
>     id='xtls_1'
>     to='[email protected]/orchard'
>     type='result'>
>   <proceed xmlns='urn:xmpp:tmp:xtls'/>
> </iq>

<iq from='[email protected]/balcony'
    id='xtls_1'
    to='[email protected]/orchard'
    type='result'/>

That's not much worse, is it? If XTLS is implemented and we start needing
tweaks to the transport, we'll be happy we did it this way.

> 3. Initiator and responder complete TLS handshake
> 4. One party sends a stanza over the tunnel
> 4a. Generate stanza
> 4b. Strip off the routing data
> 4c. Encrypt and base64-encode it
> 4d. Send it over the tunnel

It could be that these examples are expanded out for clarity, but I want to
stress/confirm that we treat TLS as a bytestream, independent of how it is
actually packetized into transporting stanzas. This means that a single
transporting stanza might contain multiple message stanzas, and a single
message stanza might require multiple transporting stanzas to deliver.
Additionally, a transporting stanza may contain both application data (e.g.
a message stanza) and TLS data (handshake messages).

> 5. One party closes the tunnel
>
> <iq from='[email protected]/orchard'
>     id='xtls_10'
>     to='[email protected]/balcony'
>     type='set'>
>   <close xmlns='urn:xmpp:tmp:xtls'/>
> </iq>
>
> 6. Other party acknowledges the close
>
> <iq from='[email protected]/balcony'
>     id='xtls_0'
>     to='[email protected]/orchard'
>     type='result'>
>   <closed xmlns='urn:xmpp:tmp:xtls'/>
> </iq>

Also, for good measure, we should close the TLS layer first.

-Justin
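The bytestream point Justin makes above (TLS framing is independent of how bytes are packetized into IBB stanzas) is easy to get wrong when implementing: a receiver that tries to parse each `<data/>` element as a whole TLS record will break as soon as a record straddles two frames. The following is an added example, not code from this thread or from any XTLS implementation. It models the tunnel as opaque bytes chopped into IBB `<data/>` elements of `block_size` bytes (base64-encoded, sequence-numbered, wrapping at 65535 as XEP-0047 specifies), reassembles them on the receiving side, and only then cuts TLS records off the reassembled stream. The three records are constructed: the "handshake" record is a zero-filled placeholder and the application-data records carry plaintext stanza text so the framing is visible; in a real tunnel those bytes would be TLS ciphertext. The 48-byte block size and the `mySID` session id are arbitrary choices for the demonstration.

```python
import base64
import struct
import xml.etree.ElementTree as ET

IBB_NS = "http://jabber.org/protocol/ibb"

# TLS record content types (RFC 5246, section 6.2.1).
HANDSHAKE = 22
APPLICATION_DATA = 23


def tls_record(content_type: int, payload: bytes) -> bytes:
    """Frame payload as a TLS 1.2 record: type, version, length, fragment."""
    return struct.pack("!BHH", content_type, 0x0303, len(payload)) + payload


def ibb_frames(stream: bytes, sid: str, block_size: int) -> list:
    """Chop an opaque byte stream into IBB <data/> elements.

    block_size counts raw bytes before base64 encoding; frame boundaries
    know nothing about TLS record boundaries.
    """
    frames = []
    for seq, offset in enumerate(range(0, len(stream), block_size)):
        chunk = stream[offset:offset + block_size]
        frames.append(
            "<data xmlns='%s' sid='%s' seq='%d'>%s</data>"
            % (IBB_NS, sid, seq % 65536, base64.b64encode(chunk).decode("ascii"))
        )
    return frames


def ibb_reassemble(frames: list, sid: str) -> bytes:
    """Receiver side: validate sid and seq ordering, then concatenate the bytes."""
    stream = b""
    expected_seq = 0
    for frame in frames:
        el = ET.fromstring(frame)
        if el.tag != "{%s}data" % IBB_NS or el.get("sid") != sid:
            raise ValueError("frame does not belong to IBB session %r" % sid)
        if int(el.get("seq")) != expected_seq:
            raise ValueError("out-of-order IBB frame: got seq %s, expected %d"
                             % (el.get("seq"), expected_seq))
        expected_seq = (expected_seq + 1) % 65536
        stream += base64.b64decode(el.text or "")
    return stream


def tls_records(stream: bytes):
    """Cut complete TLS records off the reassembled stream.

    Returns (records, leftover); leftover is a partial record whose tail
    has not arrived yet and must be kept until the next IBB frame.
    """
    records = []
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if pos + 5 + length > len(stream):
            break  # incomplete record: wait for more frames
        records.append((ctype, stream[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records, stream[pos:]


def record_to_frames(records: list, block_size: int) -> list:
    """Map each record to the indices of the IBB frames its bytes land in."""
    mapping = []
    offset = 0
    for rec in records:
        first = offset // block_size
        last = (offset + len(rec) - 1) // block_size
        mapping.append(list(range(first, last + 1)))
        offset += len(rec)
    return mapping


def demo(block_size: int = 48) -> dict:
    """Push three constructed records through IBB framing and back again."""
    records = [
        # Constructed placeholder for a handshake record; not real TLS content.
        tls_record(HANDSHAKE, b"\x14\x00\x00\x0c" + b"\x00" * 12),
        tls_record(APPLICATION_DATA, b"<message><body>hi</body></message>"),
        tls_record(APPLICATION_DATA, b"<message><body>a much longer second stanza "
                                     b"that will not fit in one block</body></message>"),
    ]
    stream = b"".join(records)
    frames = ibb_frames(stream, "mySID", block_size)
    reassembled = ibb_reassemble(frames, "mySID")
    parsed, leftover = tls_records(reassembled)
    return {
        "frames": len(frames),
        "record_frames": record_to_frames(records, block_size),
        "roundtrip_ok": reassembled == stream,
        "types": [ctype for ctype, _ in parsed],
        "leftover": len(leftover),
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed 155-byte stream and 48-byte blocks, `record_to_frames` reports `[[0], [0, 1], [1, 2, 3]]`: frame 0 carries the whole handshake record plus the head of the first message, frame 1 carries the tail of the first message and the start of the second, and the second message is spread over three frames. That is exactly the mix of handshake and application data, and of several-stanzas-per-frame and several-frames-per-stanza, that the paragraph above describes; the `leftover` buffer in `tls_records` is what a receiver needs in order to cope with it.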
