"TLS" <[email protected]> wrote on 19/11/2015 06:52:29 AM:

> From: [email protected] (Martin Rex)
> To: Yoav Nir <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Date: 19/11/2015 06:53 AM
> Subject: Re: [TLS] Record header size?
> Sent by: "TLS" <[email protected]>
>
> Yoav Nir wrote:
> >> Peter Gutmann <[email protected]> wrote:
> >>
> >> Eric Rescorla <[email protected]> writes:
> >>>
> >>> The concern here is backward compatibility with inspection
> >>> middleboxes which expect the length field to be in a particular place.
> >>
> >> Given that the rest of TLS 1.3 is going to break compatibility with
> >> pretty much everything everywhere, I can't see this as a big concern, may
> >> as well fix it at the same time as everything else is being changed.
> >
> > A sanity check on TLS might involve validating 5-byte record headers
> > with sane length and version fields. A firewall might be out there that
> > verifies this.
>
> The issue is much more about breaking _applications_ on top of TLS
> by changing the existing 5-byte record header.  Padding the header
> to 8 bytes (3 bytes into the original record body) would be OK, though.
>
> With several TLS implementations it is possible to completely separate
> network communication (of the application) from the processing of
> TLS records (performed by the TLS protocol stack).  For some TLS
> implementations (e.g. Microsoft SChannel) this seems to be the only
> possible mode of operation.

We have the same kind of IO separation and I have observed a few times that
some products either interleave/multiplex TLS records with other
application data flow or route/buffer TLS traffic based on TLS record
header checking.  Padding the header to 8 bytes, as above, would probably
be OK.

-Mick

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
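The thread talks about middleboxes and applications that frame or route traffic by checking the 5-byte TLS record header (type, version, length), and about padding that header to 8 bytes by pushing 3 bytes into the record body. The following Python is an added example, not code from this thread or from any of the implementations mentioned: it implements the kind of header sanity check and record framing such a box performs, then shows that a record built with 3 bytes of padding after the original 5-byte header still passes a 5-byte-header check as long as the length field counts the padding. The content-type and length limits come from RFC 5246; the constructed byte strings and the `pad` parameter are assumptions of this example.

```python
import struct

# TLSPlaintext content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# 2^14 bytes of plaintext plus up to 2048 bytes of compression/cipher expansion (RFC 5246).
MAX_RECORD_LEN = 2 ** 14 + 2048
HEADER_LEN = 5


def parse_record_header(buf):
    """Sanity-check the first 5 bytes of a TLS record, as a firewall might.

    Returns (content_type, (major, minor), length) or None if the header
    does not look like a plausible TLS record header.
    """
    if len(buf) < HEADER_LEN:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        return None
    # Major 3 covers SSL 3.0 (3,0) through TLS 1.2 (3,3); the 2015 TLS 1.3 drafts used (3,4).
    if major != 3 or minor > 4:
        return None
    if length == 0 or length > MAX_RECORD_LEN:
        return None
    return ctype, (major, minor), length


def split_records(stream):
    """Frame a byte stream into TLS records using only header checks.

    This models a middlebox that routes or buffers TLS traffic on the header:
    it stops at the first header that fails the sanity check or at an incomplete
    record, and returns (records, leftover_bytes). Each record is
    (content_type_name, version, body).
    """
    records = []
    pos = 0
    while pos + HEADER_LEN <= len(stream):
        hdr = parse_record_header(stream[pos:])
        if hdr is None:
            break  # not a TLS record header: other application data, or garbage
        ctype, version, length = hdr
        end = pos + HEADER_LEN + length
        if end > len(stream):
            break  # incomplete record; a real box would wait for more data
        records.append((CONTENT_TYPES[ctype], version, stream[pos + HEADER_LEN:end]))
        pos = end
    return records, stream[pos:]


def build_record(ctype, version, body, pad=0):
    """Build a TLS record. pad > 0 inserts that many zero bytes between the
    5-byte header and the body (an assumption of this example modelling the
    "8-byte header, 3 bytes into the body" idea); the length field covers them.
    """
    major, minor = version
    padded = b"\x00" * pad + body
    return struct.pack("!BBBH", ctype, major, minor, len(padded)) + padded


# Constructed sample stream: a handshake record, an application-data record,
# then non-TLS bytes interleaved on the same connection.
CONSTRUCTED_STREAM = (
    build_record(22, (3, 1), b"\x01\x00\x00\x04\x03\x03\x00\x00")  # fake ClientHello fragment
    + build_record(23, (3, 3), b"GET / HTTP/1.1\r\n")              # application data
    + b"HTTP/1.0 200 OK\r\n"                                         # non-TLS data, stops framing
)

# Constructed record whose "header" is 8 bytes: the legacy 5 bytes plus 3 bytes of padding.
PADDED_RECORD = build_record(22, (3, 1), b"\x01\x00", pad=3)


if __name__ == "__main__":
    records, rest = split_records(CONSTRUCTED_STREAM)
    for name, version, body in records:
        print(name, version, body)
    print("leftover (not TLS):", rest)
    # A 5-byte-header check still accepts the padded record; the padding lands in the body.
    print("padded header parses as:", parse_record_header(PADDED_RECORD))
    print("padded record body:", split_records(PADDED_RECORD)[0][0][2])
```

The framing loop deliberately stops at the first non-matching header instead of skipping bytes: a box that scanned forward for anything that looked like a header would be far easier to desynchronise, and the thread's point is precisely that deployed code keys on those first 5 bytes.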
