On Tue, May 30, 2017 at 05:38:02PM -0400, Victor Vasiliev wrote: <Snip long message>
A couple points: - Various mechanisms related to conserving IPv4 addresses can result client and server disagreeing about server IP address. Or even the address family. - If one has limited number of replays, distributing those among multiple servers is the most dangerous. - If you rely on sticky loadbalancer, you have to ensure that attacker can't send requests directly to the servers, bypassing the loadbalancer! In some architectures, it is rather easy to accidentially expose the backend servers, even if all the honest connections flow through the loadbalancer. - Binders are computationally random, so if you want to shard on those for strike register, simple mod N scheme distributes the load well. - 0-RTT scope can be written into tickets. The session ticket scope may be larger than that. Routing to datacenters should be relatively sticky. - As noted, this mess with state is just necressary for security if you use 0-RTT. - Could be good idea for clients to blacklist origins for tickets (meaning, use GDHE-CERT and possibly (GDHE-)static-PSK handshakes only) for some time if duplicate accepts are detected during grease testing. That should not cause any servers to actually break from user standpoint, since servers need to support those handshake modes anyway. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls