[tcpinc] draft-bittau-tcpinc-tcpcrypt-04 session cache behavior
Kyle Rose <krose@krose.org> Mon, 02 November 2015 03:52 UTC
Return-Path: <krose@krose.org>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A93B51B336A for <tcpinc@ietfa.amsl.com>; Sun, 1 Nov 2015 19:52:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id exBtKDkMpZhW for <tcpinc@ietfa.amsl.com>; Sun, 1 Nov 2015 19:52:08 -0800 (PST)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19F661B3363 for <tcpinc@ietf.org>; Sun, 1 Nov 2015 19:52:08 -0800 (PST)
Received: by ioll68 with SMTP id l68so133210285iol.3 for <tcpinc@ietf.org>; Sun, 01 Nov 2015 19:52:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=9R877i4D06dWJZESl/XMExsx+Hifbs/2FQTEiRZIToc=; b=E/eOn9s8QzE2ALzuh64e0GnAGh1QGleej7BH/U3Drb+X+rICzSHIyoIafcbRvkxHyq zMz7sviSIMeGVBH/GvGY+gY35GQ9dmh+RqK7XX1fTW8f635RjyPUZLCqdSt0FwN79566 ggkAuN6g570pIbq7ywAg/og/50NmA0qhx1jWo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=9R877i4D06dWJZESl/XMExsx+Hifbs/2FQTEiRZIToc=; b=UQN2F/sXYx4ZL6B82p9+W9D092GlfJ2fFRuNc51zF+PCrVNOyaypmCwP9I5fl67iGw QPxlRkL2Z8Z3f+29QecqGxVMHU7aqfVWwwM1y4jX9LF6jWwt1XdMlbiI6QzSP/iRlOqG Bb64Z1CsPn38UqC7CiHOYt5nKYdGH/fXC2r2XL6a5GRtOJQb1KVAXQQI3/dUozunnY4k gKrLXb1QSlQSwrYx1mtBR0AP8M7c1GPWSzMo2c/OIg/UhmYwAy7lGoHxaKTA3zA0VMTG SsCpSyo2kv08ewt5id7sQSh1ab7HTekn/rXkkyg7ts1o8NRBcvZgcQhrQ1IdgQBDziHp o5lw==
X-Gm-Message-State: ALoCoQl0WvJiFMrE9xMAdqXUgQO/MlM3z/iShuAWvkgTlntIW3U2ZDctrVGw9Qqx/miSky1TnwvW
MIME-Version: 1.0
X-Received: by 10.107.37.3 with SMTP id l3mr1344980iol.156.1446436327347; Sun, 01 Nov 2015 19:52:07 -0800 (PST)
Received: by 10.79.31.130 with HTTP; Sun, 1 Nov 2015 19:52:07 -0800 (PST)
X-Originating-IP: [166.171.249.17]
Received: by 10.79.31.130 with HTTP; Sun, 1 Nov 2015 19:52:07 -0800 (PST)
In-Reply-To: <CAJU8_nVeTB=+t+OZJzj7da9mmn0J1afjP-HGXw63TkykVMLM9w@mail.gmail.com>
References: <CAJU8_nVeTB=+t+OZJzj7da9mmn0J1afjP-HGXw63TkykVMLM9w@mail.gmail.com>
Date: Sun, 01 Nov 2015 22:52:07 -0500
Message-ID: <CAJU8_nWH4G-GZSTQt+1sr8cOVXGVq5TJSQEn0Hxu2oK1zv2FHQ@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
To: tcpinc <tcpinc@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140ed047b7901052386b368"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/z2I_xK0-RCGMR0kyA_ge4yJgqWQ>
Subject: [tcpinc] draft-bittau-tcpinc-tcpcrypt-04 session cache behavior
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2015 03:52:09 -0000
If a client opens two connections to a previously-known server in a short period of time, what is the intended behavior of implementations? If one session resumption attempt uses SID[i] and another SID[i+1], then if they arrive out of order, should the server ignore (or simply not recognize) SID[i+1] and initiate a new key agreement, but then accept SID[i] when it eventually arrives? What, then, should happen on the client? Should the client use SID[i+2] for the next connection to this server, or will it use a different SID based on the new key agreement? Or, alternatively, should one connection use SID[i], and the next not send a TCPCRYPT_RESUME because the previous handshake has not yet been completed? I know this isn't specified in the draft because it's out-of-scope for the protocol spec, but I think it's worth puzzling out how clients would actually do this in the wild because this is likely to be a common case. One way to resolve this is for clients only to ever have one SID[I] for a given ss[] chain in-flight in a handshake, and request a new key agreement otherwise; but to keep multiple chains for a given server cached so the number of key agreements required over the session cache lifetime is bounded by the maximum number of simultaneous handshake attempts rather than by the total number of handshakes minus epsilon as it could otherwise be in the pessimal case. I will note that I'm not sure how this would work in the case of server farms all responding for the same IP. Without state sharing, it seems like session resumption wouldn't work at all without client stickiness, which is one advantage of TLS's session ticket mechanism; but then with session tickets and similar constructs you run into replay issues for early data on 0RT connections. Kyle